Diffstat (limited to 'docs')
-rw-r--r--docs/TESTS.md51
1 files changed, 27 insertions, 24 deletions
diff --git a/docs/TESTS.md b/docs/TESTS.md
index 5811577..dabcee1 100644
--- a/docs/TESTS.md
+++ b/docs/TESTS.md
@@ -11,7 +11,7 @@
- `degenerate`*
- `cofactor`*
- `edge-cases`*
-
+
**\*NOTE: The `wrong`, `composite`, `invalid`,`twist`, `cofactor`, `edge-cases` and `degenerate` test suites caused temporary/permanent DoS of some cards. These test suites prompt you for
confirmation before running, be cautious.**
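Review bot: the only change in this hunk is the blank line closing the suite list (a trailing-whitespace cleanup as far as the rendering shows), so nothing to object to. Since the warning block right below is in the context lines, two small fixes could ride along: the suite list is missing a space after `invalid`, (it reads `invalid`,`twist`), and the sentence only says the suites "prompt you for confirmation"; stating what the prompt looks like and which answer aborts would make the warning actionable for someone about to run it against a card.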
@@ -61,24 +61,26 @@ Tests on a category of wrong curves. These curves are not really curves as they
- reducible polynomial as the field polynomial in the binary case
This test suite also does some additional tests with corrupting the parameters:
+
- Fp:
- - p = 0
- - p = 1
- - p = q^2; q prime
- - p = q * s; q and s prime
- - G = random point not on curve
- - G = random data
- - G = infinity
- - r = 0
- - r = 1
- - r = some prime larger than original r (and \[r\]G != infinity)
- - r = some prime smaller than original r (and \[r\]G != infninity)
- - r = some composite number (and \[r\]G != infinity)
- - k = 0xff
- - k = 0
+ - p = 0
+ - p = 1
+ - p = q^2; q prime
+ - p = q * s; q and s prime
+ - G = random point not on curve
+ - G = random data
+ - G = infinity
+ - r = 0
+ - r = 1
+ - r = some prime larger than original r (and [r]G != infinity)
+ - r = some prime smaller than original r (and [r]G != infninity)
+ - r = some composite number (and [r]G != infinity)
+ - k = 0xff
+ - k = 0
+
- F2m:
- - e1 = e2 = e3 = 0
- - m < e1 < e2 < e3
+ - e1 = e2 = e3 = 0
+ - m < e1 < e2 < e3
These tests should fail generally.
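Review bot: the typo `infninity` on the `r = some prime smaller than original r` item is carried over unchanged into the re-indented list; every line of this block is being rewritten anyway, so fix it here (`[r]G != infinity`). Dropping the `\[r\]` escapes is fine for a plain Markdown renderer, but `[r]G` will be swallowed as a reference link by any renderer that also sees a `[r]: ...` definition; keep the escapes if that is a concern. The `k = 0xff` / `k = 0` items use `k` for the cofactor without saying so, while the same letter denotes an arbitrary multiplier in the `s = k*r` items later in the file; a `k = cofactor` hint on the first item would avoid the confusion.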
@@ -95,11 +97,11 @@ These tests should generally fail, a success here implies the card will use a no
by the applet. Operations over such curves are susceptible to small-subgroup attacks.
- r = quite a smooth number, many small factors, r = |G|
- - r = small prime(of increasing bit lengths), r = |G|
+ - r = prime(of increasing bit lengths), r = |G|
- r = p * q = |G|
- r = G = Carmichael number = p * q * s
- - \[r\]G = infinity but r != |G|, so |G| divides r
-
+ - [r]G = infinity but r != |G|, so |G| divides r
+
For example:
```bash
java -jar ECTester.jar -t composite
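Review bot: `prime(of increasing bit lengths)` still lacks the space before the parenthesis, and removing `small` makes the item less precise rather than more: a full-size prime-order group is not a small-subgroup case at all, so say what the bit lengths range over (or that the primes start small and grow) so the reader understands why this belongs in the composite suite. On the unchanged context line, `r = G = Carmichael number = p * q * s` presumably means `r = |G|` like the neighbouring items, and `p` there collides with the field prime `p` used throughout this file; renaming the factors (for example `q1 * q2 * q3`) would remove the ambiguity.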
@@ -154,11 +156,12 @@ java -jar ECTester.jar -t cofactor
```
## Edge-Cases
-Tests various inputs to ECDH which may cause an implementation to achieve a certain edge-case state during ECDH.
+Tests various inputs to ECDH which may cause an implementation to achieve a certain edge-case state during ECDH.
Some of the data is from the google/Wycheproof project. Tests include [CVE-2017-10176](https://nvd.nist.gov/vuln/detail/CVE-2017-10176) and [CVE-2017-8932](https://nvd.nist.gov/vuln/detail/CVE-2017-8932).
Various custom edge private key values are also tested.
-CVE-2017-10176 was in implementation issue in the SunEC Java library that caused the implementation to reach the point at infinity during ECDH computation.
+CVE-2017-10176 was in implementation issue in the SunEC Java library (and NSS(CVE-2017-7781), thus also anything that used it) that caused the implementation to reach the point at infinity during ECDH computation.
+See [blog](http://blog.intothesymmetry.com/2017/08/cve-2017-7781cve-2017-10176-issue-with.html) for more info.
CVE-2017-8932 was an implementation issue in the Go standard library, in particular its scalar multiplication algorithm on the
P-256 curve which leaked information about the private key.
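Review bot: the new parenthetical needs a space before the parenthesis (`NSS (CVE-2017-7781)`), and the pre-existing typo `was in implementation issue` (should be `an`) is carried over unchanged. The phrase "thus also anything that used it" is a broader claim than the sentence supports; either qualify it with the affected NSS versions or drop it and let the CVE link speak. Prefer an https link for the blog URL. Putting the added "See [blog](...) for more info." on its own line keeps the two CVE descriptions parallel, since the CVE-2017-8932 paragraph below has no such trailer.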
@@ -167,7 +170,7 @@ Custom private key values over SECG curves are tested:
- s = 0, s = 1
- s < r, s = r, s > r
- s = r - 1, s = r + 1
- - s = k\*r - 1, s = k\*r, s = k\*r + 1
+ - s = k\*r - 1, s = k\*r, s = k\*r + 1
For example:
```bash
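Review bot: the removed and added `s = k\*r - 1, s = k\*r, s = k\*r + 1` lines are textually identical, so this is a whitespace-only change; it would be cleaner folded into the other whitespace cleanups in this commit than left as a lone hunk. Keeping the `\*` escapes here is correct (unescaped `*r - 1, s = k*` would be italicised by Markdown) even though the `\[` escapes were dropped in the earlier hunks. `k` in these items is an arbitrary integer multiplier, whereas `k` means the cofactor in the corrupted-parameter list earlier in the file; a short clarification (or a different letter) would stop readers conflating the two.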
@@ -175,7 +178,7 @@ java -jar ECTester.jar -t edge-cases
```
## Miscellaneous
-Some miscellaneous tests, tries ECDH and ECDSA over supersingular curves and Barreto-Naehrig curves with small embedding degree and CM discriminant.
+Some miscellaneous tests, tries ECDH and ECDSA over supersingular curves, anomalous curves and Barreto-Naehrig curves with small embedding degree and CM discriminant.
For example:
```bash
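Review bot: with `anomalous curves` inserted mid-sentence, the trailing qualifier `with small embedding degree and CM discriminant` now reads as if it applies to all three families, but it describes only the Barreto-Naehrig curves; anomalous curves are weak for an unrelated reason (their group order equals the field characteristic). Either punctuate so the qualifier binds to BN alone (`supersingular curves, anomalous curves, and Barreto-Naehrig curves with small embedding degree and CM discriminant`) or list each family with its own one-line reason for being here. The unchanged lead `Some miscellaneous tests, tries ECDH and ECDSA ...` is also a comma splice; `Some miscellaneous tests that try ECDH and ECDSA over ...` reads better.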