From bd990776812eddbb50f073b8e1dcef2f69820768 Mon Sep 17 00:00:00 2001
From: J08nY
Date: Sun, 2 Dec 2018 00:53:36 +0100
Subject: Add more output to signature command in reader app.
---
docs/IMPLEMENTATIONS.md | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
(limited to 'docs')
diff --git a/docs/IMPLEMENTATIONS.md b/docs/IMPLEMENTATIONS.md
index b4a4ea8..724150f 100644
--- a/docs/IMPLEMENTATIONS.md
+++ b/docs/IMPLEMENTATIONS.md
@@ -536,17 +536,27 @@ y_n &= \frac{(x_n + x_1)((x_n + x_1)(x_{n+1} + x_1) + x_1^2 + y_1)}{x_1} + y_1
## References
[^1]: HANKERSON, Darrel; MENEZES, Alfred J.; VANSTONE, Scott. Guide to Elliptic Curve Cryptography. New York, USA: Springer, 2004. ISBN 9780387218465. Available from DOI: [10.1007/b97644](https://dx.doi.org/10.1007/b97644).
-[^2]: COHEN, Henri; FREY, Gerhard; AVANZI, Roberto M.; DOCHE, Christophe; LANGE,
-Tanja; NGUYEN, Kim; VERCAUTEREN, Frederik. Handbook of Elliptic and Hyper-
-elliptic Curve Cryptography. CRC Press, 2005-07-19. Discrete Mathematics and It’s Applications, no. 34. ISBN 9781584885184.
+
+[^2]: COHEN, Henri; FREY, Gerhard; AVANZI, Roberto M.; DOCHE, Christophe; LANGE, Tanja; NGUYEN, Kim; VERCAUTEREN, Frederik. Handbook of Elliptic and Hyper-elliptic Curve Cryptography. CRC Press, 2005-07-19. Discrete Mathematics and It’s Applications, no. 34. ISBN 9781584885184.
+
[^3]: BERNSTEIN, Daniel J.; LANGE, Tanja. Explicit Formulas Database,
+
[^4]:
+
[^5]: KNUTH, Donald: The Art of Computer Programming, Volume 2: Seminumerical algorithms
+
[^6]: GORDON, Daniel M.: A survey of fast exponentiation methods.
+
[^7]: MORAIN, Francois; OLIVOS, Jorge: Speeding up the computations on an elliptic curve using addition-subtraction chains.
+
[^8]: JOYE, Marc; YEN, Sung-Ming: The Montgomery Powering Ladder.
+
[^9]: MOLLER, Bodo: Securing Elliptic Curve Point Multiplication against Side-Channel Attacks.
+
[^10]: MOLLER, Bodo: Improved Techniques for Fast Exponentiation.
+
[^11]: MOLLER, Bodo: Fractional Windows Revisited: Improved Signed-Digit Representations for Efficient Exponentiation.
+
[^12]: KOYAMA, Kenji; TSURUOKA, Yukio: Speeding up Elliptic Cryptosystems by Using a Signed Binary Window Method.
+
[^13]: GALLANT, Robert P.; LAMBERT, Robert J.; VANSTONE, Scott A.: Faster point multiplication on elliptic curves with efficient endomorphisms.
\ No newline at end of file
--
cgit v1.2.3-70-g09d2
From bb5de2b3b731f7b022be9703fc2f5eae99893ac1 Mon Sep 17 00:00:00 2001
From: J08nY
Date: Sun, 16 Dec 2018 01:42:40 +0100
Subject: Add test of ECDH when keypair has engated pubkey.
---
docs/IMPLEMENTATIONS.md | 18 ++++++-------
.../ectester/common/output/BaseTextTestWriter.java | 6 ++---
.../ectester/reader/test/CardEdgeCasesSuite.java | 30 +++++++++++++++++-----
3 files changed, 35 insertions(+), 19 deletions(-)
(limited to 'docs')
diff --git a/docs/IMPLEMENTATIONS.md b/docs/IMPLEMENTATIONS.md
index 724150f..d333ed5 100644
--- a/docs/IMPLEMENTATIONS.md
+++ b/docs/IMPLEMENTATIONS.md
@@ -249,7 +249,7 @@ Uses binary addition chain.
INPUT: k = (k_{t-1}, ..., k_1, k_0)_2, P ∈ E(F_q).
OUTPUT: [k]P.
1. Q ← ∞.
- 2. For i from t - 1 downto 0 do
+ 2. For i from 0 to t-1 do
2.1 If k_i = 1 then Q ← Q + P.
2.2 P ← 2P.
3. Return(Q).
@@ -432,7 +432,7 @@ The same name, Montgomery ladder, is used both for the general ladder idea of ex
INPUT: k = (k_{t-1}, ..., k_1, k_0)_2, P ∈ E(F_q).
OUTPUT: [k]P .
1. P_1 ← P and P_2 ← [2]P
- 2. For i = t − 2 downto 0 do
+ 2. For i = t − 1 downto 0 do
2.1 If k_i = 0 then
P_1 ← [2]P_1; P_2 ← P_1 + P_2.
Else
@@ -443,13 +443,13 @@ The same name, Montgomery ladder, is used both for the general ladder idea of ex
INPUT: G ∈ E(F_q), k = (1, k_{t−2}, ..., k_0)2
OUTPUT: Y = kG
- R0 ← G; R1 ← [2]G
- for j = t − 2 downto 0 do
- if (k_j = 0) then
- R1 ← R0 + R1; R0 ← [2]R0
- else [if (kj = 1)]
- R0 ← R0 + R1; R1 ← [2]R1
- return R0
+ 1. R0 ← G; R1 ← [2]G
+ 2. for j = t − 2 downto 0 do
+ 2.1 if (k_j = 0) then
+ R1 ← R0 + R1; R0 ← [2]R0
+ else [if (kj = 1)]
+ R0 ← R0 + R1; R1 ← [2]R1
+ 3. return R0
Montgomery addition formulas (Projective coordinates/XZ coordinates):[^2]
diff --git a/src/cz/crcs/ectester/common/output/BaseTextTestWriter.java b/src/cz/crcs/ectester/common/output/BaseTextTestWriter.java
index 85b32a4..8ad50c7 100644
--- a/src/cz/crcs/ectester/common/output/BaseTextTestWriter.java
+++ b/src/cz/crcs/ectester/common/output/BaseTextTestWriter.java
@@ -56,7 +56,7 @@ public abstract class BaseTextTestWriter implements TestWriter {
String line = "";
if (prefix.equals("")) {
- char charLine[] = new char[BASE_WIDTH + 24];
+ char[] charLine = new char[BASE_WIDTH + 24];
new String(new char[BASE_WIDTH + 24]).replace("\0", "━").getChars(0, charLine.length - 1, charLine, 0);
charLine[0] = '■';
charLine[4] = '┳';
@@ -70,7 +70,7 @@ public abstract class BaseTextTestWriter implements TestWriter {
out.append(t.ok() ? Colors.ok(" OK ") : Colors.error("NOK "));
out.append(compound ? (prefix.equals("") ? "╋ " : "┳ ") : "━ ");
int width = BASE_WIDTH - (prefix.length() + 6);
- String widthSpec = "%-" + String.valueOf(width) + "s";
+ String widthSpec = "%-" + width + "s";
String desc = ((prefix.equals("")) ? "(" + index + ") " : "") + t.getDescription();
out.append(String.format(widthSpec, desc));
out.append(" ┃ ");
@@ -87,7 +87,7 @@ public abstract class BaseTextTestWriter implements TestWriter {
if (compound) {
CompoundTest test = (CompoundTest) t;
- out.append(String.valueOf(result.getCause()));
+ out.append(result.getCause());
out.append(System.lineSeparator());
Test[] tests = test.getStartedTests();
for (int i = 0; i < tests.length; ++i) {
diff --git a/src/cz/crcs/ectester/reader/test/CardEdgeCasesSuite.java b/src/cz/crcs/ectester/reader/test/CardEdgeCasesSuite.java
index 7695867..221cbe1 100644
--- a/src/cz/crcs/ectester/reader/test/CardEdgeCasesSuite.java
+++ b/src/cz/crcs/ectester/reader/test/CardEdgeCasesSuite.java
@@ -150,7 +150,21 @@ public class CardEdgeCasesSuite extends CardTestSuite {
}
Test set = CommandTest.expect(new Command.Set(this.card, ECTesterApplet.KEYPAIR_BOTH, EC_Consts.CURVE_external, curve.getParams(), curve.flatten()), Result.ExpectedValue.SUCCESS);
Test generate = CommandTest.expect(new Command.Generate(this.card, ECTesterApplet.KEYPAIR_LOCAL), Result.ExpectedValue.SUCCESS);
- Test setup = CompoundTest.all(Result.ExpectedValue.SUCCESS, "KeyPair setup.", key, set, generate);
+ CommandTest export = CommandTest.expect(new Command.Export(this.card, ECTesterApplet.KEYPAIR_LOCAL, EC_Consts.KEY_PUBLIC, EC_Consts.PARAMETER_W), Result.ExpectedValue.SUCCESS);
+ Test setup = runTest(CompoundTest.all(Result.ExpectedValue.SUCCESS, "KeyPair setup.", key, set, generate, export));
+
+ byte[] pParam = curve.getParam(EC_Consts.PARAMETER_FP)[0];
+ BigInteger p = new BigInteger(1, pParam);
+ byte[] wParam = ((Response.Export) export.getResponse()).getParameter(ECTesterApplet.KEYPAIR_LOCAL, EC_Consts.PARAMETER_W);
+ byte[] yValue = new byte[(wParam.length - 1) / 2];
+ System.arraycopy(wParam, (wParam.length/2) + 1, yValue, 0, yValue.length);
+ BigInteger y = new BigInteger(1, yValue);
+ BigInteger negY = p.subtract(y);
+ byte[] newY = ECUtil.toByteArray(negY, curve.getBits());
+ System.arraycopy(newY, 0, wParam, (wParam.length/2) + 1, newY.length);
+
+ EC_Params negYParams = makeParams(newY);
+ Test negYTest = ecdhTest(new Command.Set(this.card, ECTesterApplet.KEYPAIR_LOCAL, EC_Consts.CURVE_external, negYParams.getParams(), negYParams.flatten()), "ECDH with pubkey negated.", Result.ExpectedValue.FAILURE, Result.ExpectedValue.FAILURE);
Test zeroS = ecdhTest(new Command.Transform(this.card, ECTesterApplet.KEYPAIR_REMOTE, EC_Consts.CURVE_external, EC_Consts.PARAMETER_S, EC_Consts.TRANSFORMATION_ZERO), "ECDH with S = 0.", Result.ExpectedValue.FAILURE, Result.ExpectedValue.FAILURE);
Test oneS = ecdhTest(new Command.Transform(this.card, ECTesterApplet.KEYPAIR_REMOTE, EC_Consts.CURVE_external, EC_Consts.PARAMETER_S, EC_Consts.TRANSFORMATION_ONE), "ECDH with S = 1.", Result.ExpectedValue.FAILURE, Result.ExpectedValue.FAILURE);
@@ -175,10 +189,10 @@ public class CardEdgeCasesSuite extends CardTestSuite {
Test alternateS = ecdhTest(new Command.Set(this.card, ECTesterApplet.KEYPAIR_REMOTE, EC_Consts.CURVE_external, alternateParams.getParams(), alternateParams.flatten()), "ECDH with S = 101010101...01010.", Result.ExpectedValue.SUCCESS, Result.ExpectedValue.SUCCESS);
EC_Params alternateOtherParams = makeParams(alternateOther);
- Test alternateOtherS = ecdhTest(new Command.Set(this.card, ECTesterApplet.KEYPAIR_REMOTE, EC_Consts.CURVE_external, alternateOtherParams.getParams(), alternateOtherParams.flatten()), "ECDH with S = 01010101...10101.", Result.ExpectedValue.SUCCESS, Result.ExpectedValue.SUCCESS);
+ Test alternateOtherS = ecdhTest(new Command.Set(this.card, ECTesterApplet.KEYPAIR_REMOTE, EC_Consts.CURVE_external, alternateOtherParams.getParams(), alternateOtherParams.flatten()), "ECDH with S = 010101010...10101.", Result.ExpectedValue.SUCCESS, Result.ExpectedValue.SUCCESS);
EC_Params fullParams = makeParams(full);
- Test fullS = ecdhTest(new Command.Set(this.card, ECTesterApplet.KEYPAIR_REMOTE, EC_Consts.CURVE_external, fullParams.getParams(), fullParams.flatten()), "ECDH with S = 111111...11111 (but < r).", Result.ExpectedValue.SUCCESS, Result.ExpectedValue.SUCCESS);
+ Test fullS = ecdhTest(new Command.Set(this.card, ECTesterApplet.KEYPAIR_REMOTE, EC_Consts.CURVE_external, fullParams.getParams(), fullParams.flatten()), "ECDH with S = 111111111...11111 (but < r).", Result.ExpectedValue.SUCCESS, Result.ExpectedValue.SUCCESS);
EC_Params smallerParams = makeParams(smaller);
Test smallerS = ecdhTest(new Command.Set(this.card, ECTesterApplet.KEYPAIR_REMOTE, EC_Consts.CURVE_external, smallerParams.getParams(), smallerParams.flatten()), "ECDH with S < r.", Result.ExpectedValue.SUCCESS, Result.ExpectedValue.SUCCESS);
@@ -204,20 +218,22 @@ public class CardEdgeCasesSuite extends CardTestSuite {
BigInteger krm1 = kr.subtract(BigInteger.ONE);
BigInteger krp1 = kr.add(BigInteger.ONE);
+ Result.ExpectedValue kExpected = K.equals(BigInteger.ONE) ? Result.ExpectedValue.SUCCESS : Result.ExpectedValue.FAILURE;
+
EC_Params krParams = makeParams(kr);
Test krS /*ONE!*/ = ecdhTest(new Command.Set(this.card, ECTesterApplet.KEYPAIR_REMOTE, EC_Consts.CURVE_external, krParams.getParams(), krParams.flatten()), "ECDH with S = k * r.", Result.ExpectedValue.FAILURE, Result.ExpectedValue.FAILURE);
EC_Params krm1Params = makeParams(krm1);
- Test krm1S = ecdhTest(new Command.Set(this.card, ECTesterApplet.KEYPAIR_REMOTE, EC_Consts.CURVE_external, krm1Params.getParams(), krm1Params.flatten()), "ECDH with S = (k * r) - 1.", Result.ExpectedValue.FAILURE, Result.ExpectedValue.FAILURE);
+ Test krm1S = ecdhTest(new Command.Set(this.card, ECTesterApplet.KEYPAIR_REMOTE, EC_Consts.CURVE_external, krm1Params.getParams(), krm1Params.flatten()), "ECDH with S = (k * r) - 1.", kExpected, kExpected);
EC_Params krp1Params = makeParams(krp1);
- Test krp1S = ecdhTest(new Command.Set(this.card, ECTesterApplet.KEYPAIR_REMOTE, EC_Consts.CURVE_external, krp1Params.getParams(), krp1Params.flatten()), "ECDH with S = (k * r) + 1.", Result.ExpectedValue.FAILURE, Result.ExpectedValue.FAILURE);
+ Test krp1S = ecdhTest(new Command.Set(this.card, ECTesterApplet.KEYPAIR_REMOTE, EC_Consts.CURVE_external, krp1Params.getParams(), krp1Params.flatten()), "ECDH with S = (k * r) + 1.", Result.ExpectedValue.ANY, Result.ExpectedValue.ANY);
if (cfg.cleanup) {
Test cleanup = CommandTest.expect(new Command.Cleanup(this.card), Result.ExpectedValue.ANY);
- doTest(CompoundTest.all(Result.ExpectedValue.SUCCESS, "Tests with edge-case private key values over " + curve.getId() + ".", setup, zeroS, oneS, alternateS, alternateOtherS, fullS, smallerS, exactS, largerS, rm1S, rp1S, krS, krm1S, krp1S, cleanup));
+ doTest(CompoundTest.all(Result.ExpectedValue.SUCCESS, "Tests with edge-case private key values over " + curve.getId() + ".", setup, negYTest, zeroS, oneS, alternateS, alternateOtherS, fullS, smallerS, exactS, largerS, rm1S, rp1S, krS, krm1S, krp1S, cleanup));
} else {
- doTest(CompoundTest.all(Result.ExpectedValue.SUCCESS, "Tests with edge-case private key values over " + curve.getId() + ".", setup, zeroS, oneS, alternateS, alternateOtherS, fullS, smallerS, exactS, largerS, rm1S, rp1S, krS, krm1S, krp1S));
+ doTest(CompoundTest.all(Result.ExpectedValue.SUCCESS, "Tests with edge-case private key values over " + curve.getId() + ".", setup, negYTest, zeroS, oneS, alternateS, alternateOtherS, fullS, smallerS, exactS, largerS, rm1S, rp1S, krS, krm1S, krp1S));
}
}
--
cgit v1.2.3-70-g09d2
From a9602aa2f8a9fddcb46bbd310ee9896ed5451758 Mon Sep 17 00:00:00 2001
From: J08nY
Date: Fri, 21 Dec 2018 15:00:11 +0100
Subject: Update documentation.
---
README.md | 18 +++---
docs/FORMAT.md | 41 ++++++++++---
docs/TESTS.md | 71 +++++++++++++---------
src/cz/crcs/ectester/reader/ECTesterReader.java | 4 +-
.../ectester/reader/test/CardCofactorSuite.java | 3 +-
.../ectester/reader/test/CardCompositeSuite.java | 3 +-
.../ectester/reader/test/CardCompressionSuite.java | 4 +-
.../ectester/reader/test/CardDefaultSuite.java | 2 +-
.../ectester/reader/test/CardDegenerateSuite.java | 2 +-
.../ectester/reader/test/CardEdgeCasesSuite.java | 1 +
.../ectester/reader/test/CardSignatureSuite.java | 2 +-
11 files changed, 98 insertions(+), 53 deletions(-)
(limited to 'docs')
diff --git a/README.md b/README.md
index 4a04671..a766235 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,7 @@ ant -f build-applet.xml build -Dcap=ectester221.cap
2. Run `java -jar dist/ECTesterReader.jar -t`.
3. Inspect output log with annotated results.
-Following operations are tested in the default suite:
+Following operations are tested in the default test suite:
- Allocation of new KeyPair class for specified parameters
- Generation of KeyPair with default curve
- Setting of custom curve and KeyPair generation
@@ -137,7 +137,7 @@ For format of this file see [FORMAT](docs/FORMAT.md).
#### Test
`-t / --test [test_suite]`
-Perform support,performance and vulnerability tests of ECC.
+Perform support, performance and vulnerability tests of ECC.
To select which tests will be performed, it is possible to enter the test suite name with a suffix
which specifies the number of the first test to be run, and optionally the number of the last test to be run as `-t [:start_index[:stop_index]]`.
@@ -149,15 +149,19 @@ For more info about the test suites see [TESTS](docs/TESTS.md).
#### Generate
`-g / --generate [amount]`
-Generates batches of EC keypairs and exports them.
+Generates batch of EC keypairs and exports them.
+
Use with `-o / --output [out_file]` to output the generated keys to a file.
+Use with `--time` to measure time as a difference of real duration of the operation and the dry-run duration of the operation.
For format of this file see [FORMAT](docs/FORMAT.md).
#### ECDH
`-dh / --ecdh [count]`
Performs ECDH.
+
Use with `-o / --output [out_file]` to output into a file.
+Use with `--time` to measure time as a difference of real duration of the operation and the dry-run duration of the operation.
For format of this file see [FORMAT](docs/FORMAT.md).
Respects the KeyAgreement type specified in `-ka / --ka-type [type]`.
@@ -168,6 +172,7 @@ Respects the KeyAgreement type specified in `-ka / --ka-type [type]`.
Performs ECDSA.
Useful with `-i / --input [in_file]` to sign the contents of a file.
Use with `-o / --output [out_file]` to output into a file.
+Use with `--time` to measure time as a difference of real duration of the operation and the dry-run duration of the operation.
For format of these files see [FORMAT](docs/FORMAT.md).
Respects the Signature type specified in `-sig / --sig-type [type]`.
@@ -175,9 +180,7 @@ Respects the Signature type specified in `-sig / --sig-type [type]`.
`-ln / --list-named []`
Lists categories of curves, keys and keypairs embedded in ECTester's jar, along with some information about them.
-These can be used as arguments to the `-n[c|k|pub|priv] / --named-[curve|key|public|private]` parameters.
-
-With the format: `category/name`.
+These can be used as arguments to the `-n[c|k|pub|priv] / --named-[curve|key|public|private]` parameters, using the format: `category/name`.
For example:
`secg/secp192r1` identifies the SECG 192 bit prime field curve known as `secp192r1`.
@@ -197,9 +200,10 @@ Get and print ECTester applet info from an applet installed on a card.
Outputs:
- ECTester applet version
- - ECTester APDU support
+ - ECTester APDU support (basic/extended APDU)
- JavaCard API version
- JavaCard cleanup support
+ - ECTester internal array sizes and APDU buffer size
### Example
diff --git a/docs/FORMAT.md b/docs/FORMAT.md
index bde2543..16af130 100644
--- a/docs/FORMAT.md
+++ b/docs/FORMAT.md
@@ -1,6 +1,14 @@
# Format
ECTester mostly reads/outputs data in either human-readable format or using CSV.
+## Test runs
+By default test runs are output in a human readable format, however YAML and XML is also supported and can be selected
+by using the `--format` option. Also, prefixing the output file name when using the `-o/--output` option allows to output
+the same test run in different formats to different files.
+
+For example:
+`--format yaml -o default_output.yaml -o xml:output_file.xml -o text:readable_text_file.txt `
+
## Curves
Input files for the `-c/--curve` option should be in CSV, little-endian hexadecimal format.
Output of the `-e/--export` option will also be in this format.
@@ -42,22 +50,37 @@ Input files for the `-k/--key`, `-pub/--public` and `-priv/--private` options sh
## Key generation output(CSV)
Output of the `-g/--generate` option.
-`index;time;pubW;privS`
+For ECTesterReader this has the format:
+
+`index;genTime[milli];exportTime[milli];pubW;privS` where `pubW` is the public key used in ANSI X9.62 format,
+`privS` is the private key, `genTime` is the time required to generate the keypair and `exportTime` is the time required to export it (send it to the reader).
+
+For ECTesterStandalone:
+
+`index;time[nano];pubW;privS`
## KeyAgreement output(CSV)
Output of the `-dh/--ecdh` option.
-`index;time;pubW;privS;secret`
+For ECTesterReader this has the format:
+
+`index;time[milli];pubW;privS;secret` where `pubW` is the public key used in ANSI X9.62 format, `privS` is the private key
+and `secret` is the KeyAgreement result.
+
+For ECTesterStandalone this has the format: and the same meaning as for ECTesterReader.
+
+`index;time[nano];pubW;privS;secret` and the same meaning as for ECTesterReader.
## Signature output(CSV)
Output of the `-dsa/--ecdsa` option.
-`index;time;signature`
+For ECTesterReader this has the format:
-## Test runs
-By default test runs are output in a human readable format, however YAML and XML is also supported and can be selected
-by using the `--format` option. Also, prefixing the output file name when using the `-o/--output` option allows to output
-the same test run in different formats to different files.
+`index;signTime[milli];verifyTime[milli];data;pubW;privS;signature;nonce;valid` where `pubW` is the public key used
+in ANSI X9.62 format, `privS` is the private key, `signTime` and `verifyTime` are the durations of the sign and verify operations,
+`data` is the signed data (if available), `signature` is the produced signature, `nonce` is the `k` (nonce) value recovered from the signature
+abd the private key (if possible), `valid` denotes the verification result.
-For example:
-`--format yaml -o default_output.yaml -o xml:output_file.xml -o text:readable_text_file.txt `
+For ECTesterStandalone this has the format:
+
+ `index;signTime[nano];verifyTime[nano];data;pubW;privS;signature;nonce;verified` and the same meaning as for ECTesterReader.
\ No newline at end of file
diff --git a/docs/TESTS.md b/docs/TESTS.md
index 25f61a8..a2d3642 100644
--- a/docs/TESTS.md
+++ b/docs/TESTS.md
@@ -17,7 +17,7 @@
confirmation before running, be cautious.**
## Default
-Tests the default curves present on the card. These might not be present or the card might not even support ECC.
+Tests support for ECC and the presence of default curves on the target. These might not be present or the target might not even support ECC.
Tests keypair allocation, generation, ECDH and ECDSA. ECDH is first tested with two valid generated keypairs, then
with a compressed public key to test support for compressed points.
@@ -25,7 +25,7 @@ This test suite is run if no argument is provided to `-t / --test`.
## Test-Vectors
-Tests using known test vectors provided by NIST/SECG/Brainpool:
+Tests ECDH using known test vectors provided by NIST/SECG/Brainpool:
[SECG - GEC2](http://read.pudn.com/downloads168/doc/772358/TestVectorsforSEC%201-gec2.pdf)
@@ -37,8 +37,12 @@ Tests using known test vectors provided by NIST/SECG/Brainpool:
## Compression
-Tests support for compression of public points in ECDH as specified in ANSI X9.62. Tests ECDH with points in compressed
-and hybrid form. Also tests card response to a hybrid point with wrong `y` coordinate and to the point at infinity(as public key in ECDH).
+Tests support for compression of public points in ECDH as specified in ANSI X9.62. The standard specifies two forms of point compression,
+fully compressed point contains the `x` coordinate and one bit of the `y` coordinate, from which the whole point can be reconstructed, hybrid form
+of a compressed point contains both the `x` and `y` coordinates but also one bit of the `y` coordinate.
+
+Tests ECDH with points in compressed and hybrid form. Also tests target response to a hybrid point with wrong `y` coordinate and to the point at infinity(as public key in ECDH).
+Tests ECDH with invalid compressed point, where `x` does not lie on the curve.
- Compressed form, valid
- Hybrid form, valid
@@ -48,29 +52,35 @@ and hybrid form. Also tests card response to a hybrid point with wrong `y` coord
## Miscellaneous
-Some miscellaneous tests, tries ECDH and ECDSA over supersingular curves, anomalous curves and Barreto-Naehrig curves with small embedding degree and CM discriminant.
+Some miscellaneous tests, tries ECDH and ECDSA over super-singular curves, anomalous curves and Barreto-Naehrig curves with small embedding degree and CM discriminant.
+Also tests ECDH over MNT curves, M curves and Curve25519 transformed into short Weierstrass form.
## Signature
-Tests ECDSA verification, with invalid signatures.
-
- - Well-formed(DER) invalid signatures:
- - r = random, s = random
- - r = 0, s = random
- - r = random, s = 0
- - r = 1, s = random
- - r = random, s = 1
- - r = 0, s = 0
- - r = 0, s = 1
- - r = 1, s = 0
- - r = 1, s = 1
- - s = p
- - s = 2 * p
- - Invalid signatures:
- - Signature shorter than specified in ASN.1 SEQUENCE header.
- - Signature longer than specified in ASN.1 SEQUENCE header.
- - r shorter/longer than specified in its ASN.1 header.
- - s shorter/longer than specified in its ASN.1 header.
+Tests ECDSA verification, with well-formed but invalid and malformed signatures.
+
+- Well-formed(DER) invalid signatures:
+ - r = random, s = random
+ - r = 0, s = random
+ - r = random, s = 0
+ - r = 1, s = random
+ - r = random, s = 1
+ - r = 0, s = 0
+ - r = 0, s = 1
+ - r = 1, s = 0
+ - r = 1, s = 1
+ - r = random, s = p
+ - r = random, s = 2 * p
+- Invalid signatures:
+ - Signature shorter than specified in ASN.1 SEQUENCE header.
+ - Signature longer than specified in ASN.1 SEQUENCE header.
+ - r shorter/longer than specified in its ASN.1 header.
+ - s shorter/longer than specified in its ASN.1 header.
+ - ASN.1 SEQUENCE has indefinite length.
+ - ASN.1 SEQUENCE has length that will overflow a 16 bit integer.
+ - ASN.1 SEQUENCE has length that will overflow a 32 bit integer.
+ - ASN.1 SEQUENCE has length that will overflow a 64 bit integer.
+- Test verifying a valid signature, but with a negated public key.
## Wrong
@@ -104,7 +114,7 @@ This test suite also does some additional tests with corrupting the parameters:
## Composite
Tests using curves that don't have a prime order/nearly prime order.
-These tests should generally fail, a success here implies the card will use a non-secure curve if such curve is set
+These tests should generally fail, a success here implies the target will use a non-secure curve if such curve is set
by the applet. Operations over such curves are susceptible to small-subgroup attacks.
- r = quite a smooth number, many small factors, r = \|G\|
@@ -121,29 +131,29 @@ by the applet. Operations over such curves are susceptible to small-subgroup att
## Invalid
Tests using known named curves from several categories(SECG/NIST/Brainpool) against pre-generated *invalid* public keys.
-ECDH should definitely fail, a success here implies the card is susceptible to invalid curve attacks.
+ECDH should definitely fail, a success here implies the target is susceptible to invalid curve attacks.
See [Practical Invalid Curve Attacks on TLS-ECDH](https://www.nds.rub.de/media/nds/veroeffentlichungen/2015/09/14/main-full.pdf) for more information.
## Twist
Tests using known named curves froms several categories(SECG/NIST) against pre-generated points on twists of said curves.
-ECDH should fail, a success here implies the card is not twist secure, if a curve with an unsecure twist is used,
-the card might compute on the twist, if a point on the twist is supplied.
+ECDH should fail, a success here implies the target is not twist secure, if a curve with an unsecure twist is used,
+the target might compute on the twist, if a point on the twist is supplied.
See [SafeCurves on twist security](https://safecurves.cr.yp.to/twist.html) for more information.
## Degenerate
Tests using known named curves froms several categories(SECG/NIST) against pre-generated points on the degenerate line
-`Y: x = 0`. ECDH should fail, a success here might mean the card does not check that the point lies on the correct curve
+`Y: x = 0`. ECDH should fail, a success here might mean the target does not check that the point lies on the correct curve
and uses a curve model vulnerable to such degenerate points.
See [Degenerate Curve Attacks - Extending Invalid Curve Attacks to Edwards Curves and Other Models](https://eprint.iacr.org/2015/1233.pdf) for more information.
## Cofactor
-Tests whether the card correctly rejects points that lie on the curve but not on the subgroup generated by the specified generator
+Tests whether the target correctly rejects points that lie on the curve but not on the subgroup generated by the specified generator
during ECDH. Does this with curves where the cofactor subgroup has small order, then with curves that have order equal to the product
of two large primes, sets the generator with order of one prime and tries points on the subgroup of the other prime order.
@@ -166,6 +176,7 @@ Custom edge-case private key values over SECG curves are tested:
- s < r, s = r, s > r
- s = r - 1, s = r + 1
- s = k\*r - 1, s = k\*r, s = k\*r + 1
+ - s = 111111...1111, s = 101010...1010, s = 010101...0101
- s around r (s < r, on a curve where \|r\| > \|p\|)
- s around p (on a curve where where \|r\| > \|p\|)
- s around 0 (s > 0, on a curve where \|r\| > \|p\|)
diff --git a/src/cz/crcs/ectester/reader/ECTesterReader.java b/src/cz/crcs/ectester/reader/ECTesterReader.java
index 6e1d508..a255b18 100644
--- a/src/cz/crcs/ectester/reader/ECTesterReader.java
+++ b/src/cz/crcs/ectester/reader/ECTesterReader.java
@@ -369,6 +369,8 @@ public class ECTesterReader {
System.out.println("\t" + line);
}
}
+ System.out.println();
+ System.out.println("For more information, look at the documentation at https://github.com/crocs-muni/ECTester.");
}
private void info() throws CardException {
@@ -444,7 +446,7 @@ public class ECTesterReader {
respWriter.outputResponse(allocate);
OutputStreamWriter keysFile = FileUtil.openFiles(cfg.outputs);
- keysFile.write("index;genTime;exportTime;pubW;privS\n");
+ keysFile.write("index;genTime[milli];exportTime[milli];pubW;privS\n");
int generated = 0;
int retry = 0;
diff --git a/src/cz/crcs/ectester/reader/test/CardCofactorSuite.java b/src/cz/crcs/ectester/reader/test/CardCofactorSuite.java
index 172c8af..5c22607 100644
--- a/src/cz/crcs/ectester/reader/test/CardCofactorSuite.java
+++ b/src/cz/crcs/ectester/reader/test/CardCofactorSuite.java
@@ -25,7 +25,8 @@ import static cz.crcs.ectester.common.test.Result.ExpectedValue;
*/
public class CardCofactorSuite extends CardTestSuite {
public CardCofactorSuite(TestWriter writer, ECTesterReader.Config cfg, CardMngr cardManager) {
- super(writer, cfg, cardManager, "cofactor", "The cofactor test suite tests whether the card correctly rejects points on the curve but not in the subgroup generated by the generator during ECDH.");
+ super(writer, cfg, cardManager, "cofactor", "The cofactor test suite tests whether the card correctly rejects points on the curve",
+ "but not in the subgroup generated by the generator(so of small order, dividing the cofactor) during ECDH.");
}
@Override
diff --git a/src/cz/crcs/ectester/reader/test/CardCompositeSuite.java b/src/cz/crcs/ectester/reader/test/CardCompositeSuite.java
index 4bf9290..d987e05 100644
--- a/src/cz/crcs/ectester/reader/test/CardCompositeSuite.java
+++ b/src/cz/crcs/ectester/reader/test/CardCompositeSuite.java
@@ -25,7 +25,8 @@ import static cz.crcs.ectester.common.test.Result.ExpectedValue;
public class CardCompositeSuite extends CardTestSuite {
public CardCompositeSuite(TestWriter writer, ECTesterReader.Config cfg, CardMngr cardManager) {
- super(writer, cfg, cardManager, "composite", "The composite suite runs ECDH over curves with composite order. This should generally fail, as using such a curve is unsafe.");
+ super(writer, cfg, cardManager, "composite", "The composite suite runs ECDH over curves with composite order.",
+ "Various types of compositeness is tested: smooth numbers, Carmichael pseudoprime, prime square, product of two large primes.");
}
@Override
diff --git a/src/cz/crcs/ectester/reader/test/CardCompressionSuite.java b/src/cz/crcs/ectester/reader/test/CardCompressionSuite.java
index 291cc04..c86c0b1 100644
--- a/src/cz/crcs/ectester/reader/test/CardCompressionSuite.java
+++ b/src/cz/crcs/ectester/reader/test/CardCompressionSuite.java
@@ -29,7 +29,9 @@ import java.util.Map;
public class CardCompressionSuite extends CardTestSuite {
public CardCompressionSuite(TestWriter writer, ECTesterReader.Config cfg, CardMngr cardManager) {
super(writer, cfg, cardManager, "compression", "The compression test suite tests cards support for compressed points in ECDH (as per ANSI X9.62).",
- "It also tests for handling of bogus input by using the point at infinity and a hybrid point with the y coordinate corrupted.");
+ "It also tests for handling of bogus input in ECDH by using the point at infinity and a hybrid point with the y coordinate corrupted.",
+ "It also tests handling of compressed point in ECDH, where the x coordinate is invalid and therefore",
+ "a quadratic non-residue will be computed and (square root-ed) during decompression.");
}
@Override
diff --git a/src/cz/crcs/ectester/reader/test/CardDefaultSuite.java b/src/cz/crcs/ectester/reader/test/CardDefaultSuite.java
index f42af23..29e2ef9 100644
--- a/src/cz/crcs/ectester/reader/test/CardDefaultSuite.java
+++ b/src/cz/crcs/ectester/reader/test/CardDefaultSuite.java
@@ -29,7 +29,7 @@ import static cz.crcs.ectester.common.test.Result.Value;
public class CardDefaultSuite extends CardTestSuite {
public CardDefaultSuite(TestWriter writer, ECTesterReader.Config cfg, CardMngr cardManager) {
- super(writer, cfg, cardManager, "default", "The default test suite tests basic support of ECDH and ECDSA.");
+ super(writer, cfg, cardManager, "default", "The default test suite tests basic support and performance of ECDH and ECDSA.");
}
@Override
diff --git a/src/cz/crcs/ectester/reader/test/CardDegenerateSuite.java b/src/cz/crcs/ectester/reader/test/CardDegenerateSuite.java
index 755c746..730c70b 100644
--- a/src/cz/crcs/ectester/reader/test/CardDegenerateSuite.java
+++ b/src/cz/crcs/ectester/reader/test/CardDegenerateSuite.java
@@ -25,7 +25,7 @@ public class CardDegenerateSuite extends CardTestSuite {
public CardDegenerateSuite(TestWriter writer, ECTesterReader.Config cfg, CardMngr cardManager) {
super(writer, cfg, cardManager, "degenerate", "The degenerate suite tests whether the card rejects points outside of the curve during ECDH.",
- "The tested points lie on a part of the plane for which some Edwards, Hessian and Huff form addition formulas work.");
+ "The tested points lie on a part of the plane for which some Edwards, Hessian and Huff form addition formulas degenerate into exponentiation in the base finite field.");
}
@Override
diff --git a/src/cz/crcs/ectester/reader/test/CardEdgeCasesSuite.java b/src/cz/crcs/ectester/reader/test/CardEdgeCasesSuite.java
index 39eaf07..f5ea86f 100644
--- a/src/cz/crcs/ectester/reader/test/CardEdgeCasesSuite.java
+++ b/src/cz/crcs/ectester/reader/test/CardEdgeCasesSuite.java
@@ -33,6 +33,7 @@ public class CardEdgeCasesSuite extends CardTestSuite {
public CardEdgeCasesSuite(TestWriter writer, ECTesterReader.Config cfg, CardMngr cardManager) {
super(writer, cfg, cardManager, "edge-cases", "The edge-cases test suite tests various inputs to ECDH which may cause an implementation to achieve a certain edge-case state during it.",
"Some of the data is from the google/Wycheproof project. Tests include CVE-2017-10176 and CVE-2017-8932.",
+ "Also tests values of the private key and public key that would trigger the OpenSSL modualr multiplication bug on the P-256 curve.",
"Various edge private key values are also tested.");
}
diff --git a/src/cz/crcs/ectester/reader/test/CardSignatureSuite.java b/src/cz/crcs/ectester/reader/test/CardSignatureSuite.java
index 20546c8..0fa58d3 100644
--- a/src/cz/crcs/ectester/reader/test/CardSignatureSuite.java
+++ b/src/cz/crcs/ectester/reader/test/CardSignatureSuite.java
@@ -22,7 +22,7 @@ import java.util.Map;
*/
public class CardSignatureSuite extends CardTestSuite {
public CardSignatureSuite(TestWriter writer, ECTesterReader.Config cfg, CardMngr cardManager) {
- super(writer, cfg, cardManager, "signature", "Test verifying various wrong ECDSA values.");
+ super(writer, cfg, cardManager, "signature", "The signature test suite tests verifying various malformed and well-formed but invalid ECDSA signatures.");
}
@Override
--
cgit v1.2.3-70-g09d2
From d9108d4a036363d26d8d83153e98d52e62d1be04 Mon Sep 17 00:00:00 2001
From: J08nY
Date: Tue, 19 Feb 2019 22:24:53 +0100
Subject: Workaround for a Java bug...
---
docs/TESTS.md | 10 +++++-----
src/cz/crcs/ectester/data/cofactor/cofactor128p56467.csv | 1 +
src/cz/crcs/ectester/data/cofactor/cofactor128p65521.csv | 1 +
src/cz/crcs/ectester/data/cofactor/cofactor128p65535.csv | 1 +
src/cz/crcs/ectester/data/invalid/secg/secp128r1.xml | 6 +++---
src/cz/crcs/ectester/reader/command/Command.java | 15 ++++++++++-----
6 files changed, 21 insertions(+), 13 deletions(-)
create mode 100644 src/cz/crcs/ectester/data/cofactor/cofactor128p56467.csv
create mode 100644 src/cz/crcs/ectester/data/cofactor/cofactor128p65521.csv
create mode 100644 src/cz/crcs/ectester/data/cofactor/cofactor128p65535.csv
(limited to 'docs')
diff --git a/docs/TESTS.md b/docs/TESTS.md
index a2d3642..5d32d9d 100644
--- a/docs/TESTS.md
+++ b/docs/TESTS.md
@@ -101,9 +101,9 @@ This test suite also does some additional tests with corrupting the parameters:
- G = infinity
- r = 0
- r = 1
- - r = some prime larger than original r (and \[r\]G != infinity)
- - r = some prime smaller than original r (and \[r\]G != infninity)
- - r = some composite number (and \[r\]G != infinity)
+ - r = some prime larger than original r (and [r]G != infinity)
+ - r = some prime smaller than original r (and [r]G != infninity)
+ - r = some composite number (and [r]G != infinity)
- k = 0xff
- k = 0
@@ -123,10 +123,10 @@ by the applet. Operations over such curves are susceptible to small-subgroup att
This is performed over a 160 bit field size, in two passes:
- First pass tests the full range from 2 bits to 152, with more frequent tests towards the beginning and end.
- The second pass tests the range 140 - 158 bits with one bit steps.
-
+
- r = p * q = \|G\|
- r = G = Carmichael number = p * q * s
- - \[r\]G = infinity but r != \|G\|, so \|G\| divides r
+ - [r]G = infinity but r != \|G\|, so \|G\| divides r
## Invalid
diff --git a/src/cz/crcs/ectester/data/cofactor/cofactor128p56467.csv b/src/cz/crcs/ectester/data/cofactor/cofactor128p56467.csv
new file mode 100644
index 0000000..193f6a7
--- /dev/null
+++ b/src/cz/crcs/ectester/data/cofactor/cofactor128p56467.csv
@@ -0,0 +1 @@
+0xe8e100a50b479105f40c312de4bc7127,0x854c8cdc7389dbb3da8a949ce4598ebe,0x4e592cbd1471bba6dec1106cfa99f969,0x7a6c7f7f8305853831d7c99dd23b03aa,0xa3ad04379cb4789bd64e7d99a7874e0b,0x00010e47ea4c399c7ddb49c9915c3b5d,0xdc93
\ No newline at end of file
diff --git a/src/cz/crcs/ectester/data/cofactor/cofactor128p65521.csv b/src/cz/crcs/ectester/data/cofactor/cofactor128p65521.csv
new file mode 100644
index 0000000..80a1eb3
--- /dev/null
+++ b/src/cz/crcs/ectester/data/cofactor/cofactor128p65521.csv
@@ -0,0 +1 @@
+0xdc068a34e30288e08b495798af63ebc7,0xdc068a34e3027b1ccb5209bee1c3ebc7,0xdc054fb5cb170758f9fe7d1b5f63ebc7,0xc0d6edec3ac87edf8499d1885fd03e7b,0x81cb302f36ecd3ff93cd6314ce059e14,0x0000dc136f586930b2b948e64bb6e653,0xfff1
\ No newline at end of file
diff --git a/src/cz/crcs/ectester/data/cofactor/cofactor128p65535.csv b/src/cz/crcs/ectester/data/cofactor/cofactor128p65535.csv
new file mode 100644
index 0000000..54da6cc
--- /dev/null
+++ b/src/cz/crcs/ectester/data/cofactor/cofactor128p65535.csv
@@ -0,0 +1 @@
+0xdd94e89ef3fba74afc2a67cb91546a93,0x6cf4828ab4960df2b9fcab3990e3959a,0x80a5c32206c83f769c5ed3e4f5b2ea4e,0xd7a4bb4b7e9ad9e81895caeaeac8b739,0x45ebc51cf353974b02b36b9912de041b,0x0000dd95c634ba30617af48fd4eb321b,0xffff
\ No newline at end of file
diff --git a/src/cz/crcs/ectester/data/invalid/secg/secp128r1.xml b/src/cz/crcs/ectester/data/invalid/secg/secp128r1.xml
index 8903688..e010003 100644
--- a/src/cz/crcs/ectester/data/invalid/secg/secp128r1.xml
+++ b/src/cz/crcs/ectester/data/invalid/secg/secp128r1.xml
@@ -85,7 +85,7 @@
secp128r1/14
- 0x98b36c442de5c741c70fa80a31d72fa,0x251e9a04ffe799cf4776575be582f108
+ 0x098b36c442de5c741c70fa80a31d72fa,0x251e9a04ffe799cf4776575be582f108
secg/secp128r1
invalid order = 47
@@ -109,7 +109,7 @@
secp128r1/18
- 0x9ce43ec4dcaf95993d8ab00efcc7199a,0x7fb6d895c27bc326a33cb8111e865a9
+ 0x9ce43ec4dcaf95993d8ab00efcc7199a,0x07fb6d895c27bc326a33cb8111e865a9
secg/secp128r1
invalid order = 67
@@ -139,7 +139,7 @@
secp128r1/23
- 0x6803013e75597fb7f83f1f8681af11d,0x32490d391f8a2b1de83212dd218b3a5a
+ 0x06803013e75597fb7f83f1f8681af11d,0x32490d391f8a2b1de83212dd218b3a5a
secg/secp128r1
invalid order = 89
diff --git a/src/cz/crcs/ectester/reader/command/Command.java b/src/cz/crcs/ectester/reader/command/Command.java
index ce35fcc..1ebd8bb 100644
--- a/src/cz/crcs/ectester/reader/command/Command.java
+++ b/src/cz/crcs/ectester/reader/command/Command.java
@@ -29,6 +29,11 @@ import java.util.List;
public abstract class Command implements Cloneable {
CommandAPDU cmd;
CardMngr cardManager;
+ // Workaround for a stupid Java bug that went unfixed for !12! years,
+ // and for the even more stupid module system, which cannot properly work
+ // with the fact that JCardSim has some java.* packages...
+ final byte[] GOD_DAMN_JAVA_BUG_6474858_AND_GOD_DAMN_JAVA_12_MODULE_SYSTEM = new byte[]{0};
+
Command(CardMngr cardManager) {
this.cardManager = cardManager;
@@ -336,7 +341,7 @@ public abstract class Command implements Cloneable {
super(cardManager);
this.keyPair = keyPair;
- this.cmd = new CommandAPDU(ECTesterApplet.CLA_ECTESTERAPPLET, ECTesterApplet.INS_CLEAR, keyPair, 0x00);
+ this.cmd = new CommandAPDU(ECTesterApplet.CLA_ECTESTERAPPLET, ECTesterApplet.INS_CLEAR, keyPair, 0x00, GOD_DAMN_JAVA_BUG_6474858_AND_GOD_DAMN_JAVA_12_MODULE_SYSTEM);
}
@Override
@@ -486,7 +491,7 @@ public abstract class Command implements Cloneable {
super(cardManager);
this.keyPair = keyPair;
- this.cmd = new CommandAPDU(ECTesterApplet.CLA_ECTESTERAPPLET, ECTesterApplet.INS_GENERATE, keyPair, 0);
+ this.cmd = new CommandAPDU(ECTesterApplet.CLA_ECTESTERAPPLET, ECTesterApplet.INS_GENERATE, keyPair, 0, GOD_DAMN_JAVA_BUG_6474858_AND_GOD_DAMN_JAVA_12_MODULE_SYSTEM);
}
@Override
@@ -858,7 +863,7 @@ public abstract class Command implements Cloneable {
public Cleanup(CardMngr cardManager) {
super(cardManager);
- this.cmd = new CommandAPDU(ECTesterApplet.CLA_ECTESTERAPPLET, ECTesterApplet.INS_CLEANUP, 0, 0);
+ this.cmd = new CommandAPDU(ECTesterApplet.CLA_ECTESTERAPPLET, ECTesterApplet.INS_CLEANUP, 0, 0, GOD_DAMN_JAVA_BUG_6474858_AND_GOD_DAMN_JAVA_12_MODULE_SYSTEM);
}
@Override
@@ -886,7 +891,7 @@ public abstract class Command implements Cloneable {
public GetInfo(CardMngr cardManager) {
super(cardManager);
- this.cmd = new CommandAPDU(ECTesterApplet.CLA_ECTESTERAPPLET, ECTesterApplet.INS_GET_INFO, 0, 0);
+ this.cmd = new CommandAPDU(ECTesterApplet.CLA_ECTESTERAPPLET, ECTesterApplet.INS_GET_INFO, 0, 0, GOD_DAMN_JAVA_BUG_6474858_AND_GOD_DAMN_JAVA_12_MODULE_SYSTEM);
}
@Override
@@ -917,7 +922,7 @@ public abstract class Command implements Cloneable {
super(cardManager);
this.dryRunMode = dryRunMode;
- this.cmd = new CommandAPDU(ECTesterApplet.CLA_ECTESTERAPPLET, ECTesterApplet.INS_SET_DRY_RUN_MODE, dryRunMode, 0);
+ this.cmd = new CommandAPDU(ECTesterApplet.CLA_ECTESTERAPPLET, ECTesterApplet.INS_SET_DRY_RUN_MODE, dryRunMode, 0, GOD_DAMN_JAVA_BUG_6474858_AND_GOD_DAMN_JAVA_12_MODULE_SYSTEM);
}
@Override
--
cgit v1.2.3-70-g09d2