(JCMVP) 24 2 29 ATR-01-D Cryptographic Algorithm Implementation Testing Requirements
Contents
1 .......... 1
1.1 .......... 1
1.2 .......... 2
2 .......... 3
2.1 .......... 3
3 .......... 4
3.1 .......... 4
3.1.1 HMAC .......... 4
3.1.2 CMAC .......... 4
3.1.2.1 .......... 4
3.1.2.1.1 (SMT) .......... 4
3.1.2.1.2 (SLMT) .......... 5
3.1.2.1.3 (PGMT) .......... 5
3.1.2.2 .......... 5
3.1.3 CCM .......... 6
3.1.3.1 .......... 6
3.1.3.1.1 associated data (VADT) .......... 6
3.1.3.1.2 (VPT) .......... 6
3.1.3.1.3 nonce (VNT) .......... 6
3.1.3.1.4 (VTT) .......... 6
3.1.3.2 .......... 7
3.1.4 GCM/GMAC .......... 7
3.1.4.1 .......... 7
3.1.4.1.1 IV .......... 7
3.1.4.1.2 IV .......... 7
3.1.4.2 .......... 8
3.1.4.3 IV uniqueness .......... 8
4 .......... 9
4.1 .......... 9
References .......... 11
i
1
... (JCATT) ...
1.1
... [6], [7] ...
1.1:
1/12
1.2
2: ...
3: ...
JCATT: ...
IUT: ...
2/12
2
2.1
HMAC
CMAC
CCM
GCM/GMAC
3/12
3
3.1
HMAC, CMAC, CCM, GCM/GMAC.
3.1.1 HMAC
HMAC: Short Messages Test (SMT), Selected Long Messages Test (SLMT) and Pseudorandomly Generated Messages Test (PGMT), as specified in ATR-01-C, Chapter 3 (SMT, SLMT, PGMT).
3.1.2 CMAC
CMAC.
3.1.2.1
Following the HMAC tests, CMACVS [1] and SHAVS [2]: Short Messages Test (SMT), Selected Long Messages Test (SLMT) and Pseudorandomly Generated Messages Test (PGMT).
3.1.2.1.1 Short Messages Test (SMT)
Let m be the block length in bits. The SMT uses m/8 + 1 messages, with lengths 0, 8, 16, ..., m bits.
4/12
3.1.2.1.2 Selected Long Messages Test (SLMT)
As in 3.1.2.1.1, let m be the block length in bits. The SLMT uses m/8 messages; the i-th message has length m + 8·i·(Upperbound of SLMT − 1) bits, for 1 ≤ i ≤ m/8. Upperbound of SLMT is a test parameter (see Chapter 4).
3.1.2.1.3 Pseudorandomly Generated Messages Test (PGMT)
Given a Seed and the loop counts outerloop and innerloop, the messages are generated and MD[0] ... MD[outerloop-1] are output as follows:

    for (j = 0; j < outerloop; j++) {
        MAC[0] = Seed;
        MAC[1] = Seed;
        MAC[2] = Seed;
        for (i = 3; i < innerloop + 3; i++) {
            M[i] = MAC[i-3] || MAC[i-2] || MAC[i-1];   // || denotes concatenation
            MAC[i] = CMAC(M[i], key);
        }
        MAC[j] = MAC[i-1];      // i == innerloop + 3 after the loop, so this is MAC[innerloop+2]
        Seed = MAC[i-1];
        OUTPUT MAC[j];
    }

3.1.2.2
JCATT ... IUT. JCATT ... IUT.
5/12
3.1.3 CCM
CCM, based on CCMVS [3].
3.1.3.1
Variable Associated Data Test (VADT), Variable Payload Test (VPT), Variable Nonce Test (VNT), Variable Tag Test (VTT).
3.1.3.1.1 Variable Associated Data Test (VADT)
The length of the associated data is varied; the nonce ( ) and the other parameters are as given in Table 4.3.
3.1.3.1.2 Variable Payload Test (VPT)
The length of the payload is varied; the nonce ( ), the associated data and the other parameters are as given in Table 4.3.
3.1.3.1.3 Variable Nonce Test (VNT)
The length of the nonce ( ) is varied; the associated data and the other parameters are as given in Table 4.3.
3.1.3.1.4 Variable Tag Test (VTT)
The length of the tag is varied; the nonce ( ), the associated data and the other parameters are as given in Table 4.3.
6/12
3.1.3.2
JCATT checks the IUT's output for each ..., nonce and associated data; where the expected result is INVALID, the IUT must return INVALID for that ..., nonce and associated data.
3.1.4 GCM/GMAC
GCM/GMAC, based on GCMVS [4].
3.1.4.1
Two cases: the IV is supplied to the IUT (3.1.4.1.1), or the IV is generated by the IUT (3.1.4.1.2).
3.1.4.1.1 IV supplied to the IUT
JCATT supplies the IUT with ( ), ..., the AAD (Additional Authenticated Data) and the IV. The IUT returns the Authentication Tag. JCATT compares the Authentication Tag returned by the IUT with its own. The lengths of ..., the AAD and the IV are given in Table 4.4.
3.1.4.1.2 IV generated by the IUT
JCATT supplies the IUT with ( ), ... and the AAD (Additional Authenticated Data). The IUT generates the IV and returns the IV and the Authentication Tag. JCATT recomputes the Authentication Tag from the AAD and the IV returned by the IUT and compares it with the IUT's Authentication Tag. Where the expected result is INVALID, the IUT must return INVALID for that ... and AAD. The lengths of ..., the AAD and the IV are given in Table 4.4.
3.1.4.2
JCATT supplies the IUT with ( ), ..., the AAD, the IV and the Authentication Tag. The IUT verifies the Authentication Tag and returns ...; JCATT compares the result for each ..., AAD and IV with its own. Where the Authentication Tag is invalid for a given ..., AAD and IV, the IUT must return INVALID. The lengths of ..., the AAD and the IV are given in Table 4.4.
3.1.4.3 IV uniqueness
IV uniqueness as required by NIST SP 800-38D [5], Section 8: ... JCATT ...
8/12
4
4.1
... Tables 4.1, 4.2 and 4.4 ...
Table 4.1: HMAC
SHA-256; SHA-1, SHA-224, SHA-256, SHA-384, SHA-512
128; 8 ( /2); 16000
Upperbound of SLMT; 100; 100
PGMT; 1000; 1000
100; 100
Table 4.2: CMAC
AES; AES, 3-KeyTripleDES
128; AES: 128, 192, 256; 3-KeyTripleDES: 192
128; 8; AES: 128, 3-KeyTripleDES: 64
Upperbound of SLMT; 100; 100
PGMT; 1000; 1000
100; 100
AES; AES, 3-KeyTripleDES
128; AES: 128, 192, 256; 3-KeyTripleDES: 192
128; 8; AES: 128, 3-KeyTripleDES: 64
256; 8; 16000
10; 10
( ); 30; 1; 99
9/12
Table 4.3: CCM
AES; 128; 128; 128, 192, 256
VADT; Associated data; 240; 8; 16000; 10; 10
VPT; 256; 8; 16000; 10; 10
VNT; nonce; 104; 56, 64, 72, 80, 88, 96, 104; 10; 10
VTT; 128; 32, 48, 64, 80, 96, 112, 128; 10; 10
AES; 128; 128; 128, 192, 256
128; 32, 48, 64, 80, 96, 112, 128
256; 8; 16000; 10; 10
( ); 30; 1; 99
Table 4.4: GCM/GMAC
AES; 128; 128; 128, 192, 256
AAD; 128; 8; 16000
256; 8; 16000; 20; 20
IV; IV; 96; 8; 8; 16000
Authentication Tag; 128; 128, 120, 112, 104, 96, 64, 32
AES; 128; 128; 128, 192, 256
AAD; 128; 8; 16000
256; 8; 16000; 20; 20
IV; 96; 8; 8; 16000
Authentication Tag; 128; 128, 120, 112, 104, 96, 64, 32
( ); 30; 1; 99
10/12
21 1 23 / 21 1 8; 21 7 1 / 21 7 10; 24 2 29 / 24 6 1.

References
[1] Sharon S. Keller, The CMAC Validation System (CMACVS), National Institute of Standards and Technology, March 30, 2006.
[2] L. E. Bassham III, The Secure Hash Algorithm Validation System (SHAVS), National Institute of Standards and Technology, July 22, 2004.
[3] L. E. Bassham III, The CCM Validation System (CCMVS), National Institute of Standards and Technology, July 30, 2006.
[4] Timothy A. Hall, Sharon S. Keller, The Galois/Counter Mode (GCM) and GMAC Validation System (GCMVS), National Institute of Standards and Technology, February 11, 2009.
[5] Morris Dworkin, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, NIST SP 800-38D, National Institute of Standards and Technology, November 2007.
[6] JCATT, http://www.ipa.go.jp/security/jcmvp/documents/open/jcatt/format/jcatt fileformat d.zip
[7] JCATT, http://www.ipa.go.jp/security/jcmvp/documents/open/jcatt/sample/jcatt sample d.zip
11/12
ATR-01-D revision history
21 1 23: ...
21 7 1: ... (HMAC-RIPEMD-160 ...)
24 2 29: ... (GCM/GMAC ...)
12/12