Determine whether CrypEccEncrypt/Decrypt can be implemented with OpenSSL functions: no known API
[] Check that algorithm and command filtering is done where necessary
No: Enable SvnLimited and FirmwareLimited hierarchies? What would libtpms need to enable these?
No to FirmwareLimited: different versions of compilers compiling the same code may lead to different binaries and therefore measuring the libtpms binary may lead to different measurements even if the source is the same -- what should the firmware hash then be?
Deferring SvnLimited support
[] FIPS-compliance: Support FIPS-140-3 guidance document? How?
Easy to handle:
Disablement of algorithms (ecdaa, ecschnorr) and curves (ecc-bn, ecc-bn-p*, ecc-sm2-p*)
Min. RSA key size: rsa-min-size=2048
Min. EC key size: ecc-min-size=224
HMAC min. key size 112 bits: are there any keys smaller than 128 bits when only AES symmetric crypto is supported?
ECC and RSA signature generation not allowed with SHA1: see code in FIPS 140 branch
Others:
Does preventing ECC key derivation solve the problem of prohibiting ECDSA signatures with derived ECC keys?
XOR usage described in 5.5
Missing:
Pair-wise consistency tests for RSA are missing
SHA1 etc. are used for HMAC testing but not tested on their own
See table 39 of FIPS 140-3 guidance document
Support for RuntimeAttributes as used for support of FIPS: Add support for FIPS restrictions on more crypto algorithms #428
[] KDFa support via OpenSSL: unlikely to work