1*b077aed3SPierre Pronchery=pod 2*b077aed3SPierre Pronchery 3*b077aed3SPierre Pronchery=head1 NAME 4*b077aed3SPierre Pronchery 5*b077aed3SPierre ProncheryEVP_PKEY-FFC - EVP_PKEY DSA and DH/DHX shared FFC parameters. 6*b077aed3SPierre Pronchery 7*b077aed3SPierre Pronchery=head1 DESCRIPTION 8*b077aed3SPierre Pronchery 9*b077aed3SPierre ProncheryFinite field cryptography (FFC) is a method of implementing discrete logarithm 10*b077aed3SPierre Proncherycryptography using finite field mathematics. DSA is an example of FFC and 11*b077aed3SPierre ProncheryDiffie-Hellman key establishment algorithms specified in SP800-56A can also be 12*b077aed3SPierre Proncheryimplemented as FFC. 13*b077aed3SPierre Pronchery 14*b077aed3SPierre ProncheryThe B<DSA>, B<DH> and B<DHX> keytypes are implemented in OpenSSL's default and 15*b077aed3SPierre ProncheryFIPS providers. 16*b077aed3SPierre ProncheryThe implementations support the basic DSA, DH and DHX keys, containing the public 17*b077aed3SPierre Proncheryand private keys I<pub> and I<priv> as well as the three main domain parameters 18*b077aed3SPierre ProncheryI<p>, I<q> and I<g>. 19*b077aed3SPierre Pronchery 20*b077aed3SPierre ProncheryFor B<DSA> (and B<DH> that is not a named group) the FIPS186-4 standard 21*b077aed3SPierre Proncheryspecifies that the values used for FFC parameter generation are also required 22*b077aed3SPierre Proncheryfor parameter validation. 23*b077aed3SPierre ProncheryThis means that optional FFC domain parameter values for I<seed>, I<pcounter> 24*b077aed3SPierre Proncheryand I<gindex> may need to be stored for validation purposes. 25*b077aed3SPierre ProncheryFor B<DH> the I<seed> and I<pcounter> can be stored in ASN1 data 26*b077aed3SPierre Pronchery(but the I<gindex> is not). For B<DSA> however, these fields are not stored in 27*b077aed3SPierre Proncherythe ASN1 data so they need to be stored externally if validation is required. 28*b077aed3SPierre Pronchery 29*b077aed3SPierre ProncheryThe B<DH> key type uses PKCS#3 format which saves p and g, but not the 'q' value. 30*b077aed3SPierre ProncheryThe B<DHX> key type uses X9.42 format which saves the value of 'q' and this 31*b077aed3SPierre Proncherymust be used for FIPS186-4. 32*b077aed3SPierre Pronchery 33*b077aed3SPierre Pronchery=head2 FFC parameters 34*b077aed3SPierre Pronchery 35*b077aed3SPierre ProncheryIn addition to the common parameters that all keytypes should support (see 36*b077aed3SPierre ProncheryL<provider-keymgmt(7)/Common parameters>), the B<DSA>, B<DH> and B<DHX> keytype 37*b077aed3SPierre Proncheryimplementations support the following. 38*b077aed3SPierre Pronchery 39*b077aed3SPierre Pronchery=over 4 40*b077aed3SPierre Pronchery 41*b077aed3SPierre Pronchery=item "pub" (B<OSSL_PKEY_PARAM_PUB_KEY>) <unsigned integer> 42*b077aed3SPierre Pronchery 43*b077aed3SPierre ProncheryThe public key value. 44*b077aed3SPierre Pronchery 45*b077aed3SPierre Pronchery=item "priv" (B<OSSL_PKEY_PARAM_PRIV_KEY>) <unsigned integer> 46*b077aed3SPierre Pronchery 47*b077aed3SPierre ProncheryThe private key value. 48*b077aed3SPierre Pronchery 49*b077aed3SPierre Pronchery=back 50*b077aed3SPierre Pronchery 51*b077aed3SPierre Pronchery=head2 FFC DSA, DH and DHX domain parameters 52*b077aed3SPierre Pronchery 53*b077aed3SPierre Pronchery=over 4 54*b077aed3SPierre Pronchery 55*b077aed3SPierre Pronchery=item "p" (B<OSSL_PKEY_PARAM_FFC_P>) <unsigned integer> 56*b077aed3SPierre Pronchery 57*b077aed3SPierre ProncheryA DSA or Diffie-Hellman prime "p" value. 58*b077aed3SPierre Pronchery 59*b077aed3SPierre Pronchery=item "g" (B<OSSL_PKEY_PARAM_FFC_G>) <unsigned integer> 60*b077aed3SPierre Pronchery 61*b077aed3SPierre ProncheryA DSA or Diffie-Hellman generator "g" value. 62*b077aed3SPierre Pronchery 63*b077aed3SPierre Pronchery=back 64*b077aed3SPierre Pronchery 65*b077aed3SPierre Pronchery=head2 FFC DSA and DHX domain parameters 66*b077aed3SPierre Pronchery 67*b077aed3SPierre Pronchery=over 4 68*b077aed3SPierre Pronchery 69*b077aed3SPierre Pronchery=item "q" (B<OSSL_PKEY_PARAM_FFC_Q>) <unsigned integer> 70*b077aed3SPierre Pronchery 71*b077aed3SPierre ProncheryA DSA or Diffie-Hellman prime "q" value. 72*b077aed3SPierre Pronchery 73*b077aed3SPierre Pronchery=item "seed" (B<OSSL_PKEY_PARAM_FFC_SEED>) <octet string> 74*b077aed3SPierre Pronchery 75*b077aed3SPierre ProncheryAn optional domain parameter I<seed> value used during generation and validation 76*b077aed3SPierre Proncheryof I<p>, I<q> and canonical I<g>. 77*b077aed3SPierre ProncheryFor validation this needs to set the I<seed> that was produced during generation. 78*b077aed3SPierre Pronchery 79*b077aed3SPierre Pronchery=item "gindex" (B<OSSL_PKEY_PARAM_FFC_GINDEX>) <integer> 80*b077aed3SPierre Pronchery 81*b077aed3SPierre ProncherySets the index to use for canonical generation and verification of the generator 82*b077aed3SPierre ProncheryI<g>. 83*b077aed3SPierre ProncherySet this to a positive value from 0..FF to use this mode. This I<gindex> can 84*b077aed3SPierre Proncherythen be reused during key validation to verify the value of I<g>. If this value 85*b077aed3SPierre Proncheryis not set or is -1 then unverifiable generation of the generator I<g> will be 86*b077aed3SPierre Proncheryused. 87*b077aed3SPierre Pronchery 88*b077aed3SPierre Pronchery=item "pcounter" (B<OSSL_PKEY_PARAM_FFC_PCOUNTER>) <integer> 89*b077aed3SPierre Pronchery 90*b077aed3SPierre ProncheryAn optional domain parameter I<counter> value that is output during generation 91*b077aed3SPierre Proncheryof I<p>. This value must be saved if domain parameter validation is required. 92*b077aed3SPierre Pronchery 93*b077aed3SPierre Pronchery=item "hindex" (B<OSSL_PKEY_PARAM_FFC_H>) <integer> 94*b077aed3SPierre Pronchery 95*b077aed3SPierre ProncheryFor unverifiable generation of the generator I<g> this value is output during 96*b077aed3SPierre Proncherygeneration of I<g>. Its value is the first integer larger than one that 97*b077aed3SPierre Proncherysatisfies g = h^j mod p (where g != 1 and "j" is the cofactor). 98*b077aed3SPierre Pronchery 99*b077aed3SPierre Pronchery=item "j" (B<OSSL_PKEY_PARAM_FFC_COFACTOR>) <unsigned integer> 100*b077aed3SPierre Pronchery 101*b077aed3SPierre ProncheryAn optional informational cofactor parameter that should equal to (p - 1) / q. 102*b077aed3SPierre Pronchery 103*b077aed3SPierre Pronchery=item "validate-pq" (B<OSSL_PKEY_PARAM_FFC_VALIDATE_PQ>) <unsigned integer> 104*b077aed3SPierre Pronchery 105*b077aed3SPierre Pronchery=item "validate-g" (B<OSSL_PKEY_PARAM_FFC_VALIDATE_G>) <unsigned integer> 106*b077aed3SPierre Pronchery 107*b077aed3SPierre ProncheryThese boolean values are used during FIPS186-4 or FIPS186-2 key validation checks 108*b077aed3SPierre Pronchery(See L<EVP_PKEY_param_check(3)>) to select validation options. By default 109*b077aed3SPierre ProncheryI<validate-pq> and I<validate-g> are both set to 1 to check that p,q and g are 110*b077aed3SPierre Proncheryvalid. Either of these may be set to 0 to skip a test, which is mainly useful 111*b077aed3SPierre Proncheryfor testing purposes. 112*b077aed3SPierre Pronchery 113*b077aed3SPierre Pronchery=item "validate-legacy" (B<OSSL_PKEY_PARAM_FFC_VALIDATE_LEGACY>) <unsigned integer> 114*b077aed3SPierre Pronchery 115*b077aed3SPierre ProncheryThis boolean value is used during key validation checks 116*b077aed3SPierre Pronchery(See L<EVP_PKEY_param_check(3)>) to select the validation type. The default 117*b077aed3SPierre Proncheryvalue of 0 selects FIPS186-4 validation. Setting this value to 1 selects 118*b077aed3SPierre ProncheryFIPS186-2 validation. 119*b077aed3SPierre Pronchery 120*b077aed3SPierre Pronchery=back 121*b077aed3SPierre Pronchery 122*b077aed3SPierre Pronchery=head2 FFC key generation parameters 123*b077aed3SPierre Pronchery 124*b077aed3SPierre ProncheryThe following key generation types are available for DSA and DHX algorithms: 125*b077aed3SPierre Pronchery 126*b077aed3SPierre Pronchery=over 4 127*b077aed3SPierre Pronchery 128*b077aed3SPierre Pronchery=item "type" (B<OSSL_PKEY_PARAM_FFC_TYPE>) <UTF8 string> 129*b077aed3SPierre Pronchery 130*b077aed3SPierre ProncherySets the type of parameter generation. The shared valid values are: 131*b077aed3SPierre Pronchery 132*b077aed3SPierre Pronchery=over 4 133*b077aed3SPierre Pronchery 134*b077aed3SPierre Pronchery=item "fips186_4" 135*b077aed3SPierre Pronchery 136*b077aed3SPierre ProncheryThe current standard. 137*b077aed3SPierre Pronchery 138*b077aed3SPierre Pronchery=item "fips186_2" 139*b077aed3SPierre Pronchery 140*b077aed3SPierre ProncheryThe old standard that should only be used for legacy purposes. 141*b077aed3SPierre Pronchery 142*b077aed3SPierre Pronchery=item "default" 143*b077aed3SPierre Pronchery 144*b077aed3SPierre ProncheryThis can choose one of "fips186_4" or "fips186_2" depending on other 145*b077aed3SPierre Proncheryparameters set for parameter generation. 146*b077aed3SPierre Pronchery 147*b077aed3SPierre Pronchery=back 148*b077aed3SPierre Pronchery 149*b077aed3SPierre Pronchery=item "pbits" (B<OSSL_PKEY_PARAM_FFC_PBITS>) <unsigned integer> 150*b077aed3SPierre Pronchery 151*b077aed3SPierre ProncherySets the size (in bits) of the prime 'p'. 152*b077aed3SPierre Pronchery 153*b077aed3SPierre Pronchery=item "qbits" (B<OSSL_PKEY_PARAM_FFC_QBITS>) <unsigned integer> 154*b077aed3SPierre Pronchery 155*b077aed3SPierre ProncherySets the size (in bits) of the prime 'q'. 156*b077aed3SPierre Pronchery 157*b077aed3SPierre ProncheryFor "fips186_4" this can be either 224 or 256. 158*b077aed3SPierre ProncheryFor "fips186_2" this has a size of 160. 159*b077aed3SPierre Pronchery 160*b077aed3SPierre Pronchery=item "digest" (B<OSSL_PKEY_PARAM_FFC_DIGEST>) <UTF8 string> 161*b077aed3SPierre Pronchery 162*b077aed3SPierre ProncherySets the Digest algorithm to be used as part of the Key Generation Function 163*b077aed3SPierre Proncheryassociated with the given Key Generation I<ctx>. 164*b077aed3SPierre ProncheryThis must also be set for key validation. 165*b077aed3SPierre Pronchery 166*b077aed3SPierre Pronchery=item "properties" (B<OSSL_PKEY_PARAM_FFC_DIGEST_PROPS>) <UTF8 string> 167*b077aed3SPierre Pronchery 168*b077aed3SPierre ProncherySets properties to be used upon look up of the implementation for the selected 169*b077aed3SPierre ProncheryDigest algorithm for the Key Generation Function associated with the given key 170*b077aed3SPierre Proncherygeneration I<ctx>. This may also be set for key validation. 171*b077aed3SPierre Pronchery 172*b077aed3SPierre Pronchery=item "seed" (B<OSSL_PKEY_PARAM_FFC_SEED>) <octet string> 173*b077aed3SPierre Pronchery 174*b077aed3SPierre ProncheryFor "fips186_4" or "fips186_2" generation this sets the I<seed> data to use 175*b077aed3SPierre Proncheryinstead of generating a random seed internally. This should be used for 176*b077aed3SPierre Proncherytesting purposes only. This will either produce fixed values for the generated 177*b077aed3SPierre Proncheryparameters OR it will fail if the seed did not generate valid primes. 178*b077aed3SPierre Pronchery 179*b077aed3SPierre Pronchery=item "gindex" (B<OSSL_PKEY_PARAM_FFC_GINDEX>) <integer> 180*b077aed3SPierre Pronchery 181*b077aed3SPierre Pronchery=item "pcounter" (B<OSSL_PKEY_PARAM_FFC_PCOUNTER>) <integer> 182*b077aed3SPierre Pronchery 183*b077aed3SPierre Pronchery=item "hindex" (B<OSSL_PKEY_PARAM_FFC_H>) <integer> 184*b077aed3SPierre Pronchery 185*b077aed3SPierre ProncheryThese types are described above. 186*b077aed3SPierre Pronchery 187*b077aed3SPierre Pronchery=back 188*b077aed3SPierre Pronchery 189*b077aed3SPierre Pronchery=head1 CONFORMING TO 190*b077aed3SPierre Pronchery 191*b077aed3SPierre ProncheryThe following sections of SP800-56Ar3: 192*b077aed3SPierre Pronchery 193*b077aed3SPierre Pronchery=over 4 194*b077aed3SPierre Pronchery 195*b077aed3SPierre Pronchery=item 5.5.1.1 FFC Domain Parameter Selection/Generation 196*b077aed3SPierre Pronchery 197*b077aed3SPierre Pronchery=back 198*b077aed3SPierre Pronchery 199*b077aed3SPierre ProncheryThe following sections of FIPS186-4: 200*b077aed3SPierre Pronchery 201*b077aed3SPierre Pronchery=over 4 202*b077aed3SPierre Pronchery 203*b077aed3SPierre Pronchery=item A.1.1.2 Generation of Probable Primes p and q Using an Approved Hash Function. 204*b077aed3SPierre Pronchery 205*b077aed3SPierre Pronchery=item A.2.3 Generation of canonical generator g. 206*b077aed3SPierre Pronchery 207*b077aed3SPierre Pronchery=item A.2.1 Unverifiable Generation of the Generator g. 208*b077aed3SPierre Pronchery 209*b077aed3SPierre Pronchery=back 210*b077aed3SPierre Pronchery 211*b077aed3SPierre Pronchery=head1 SEE ALSO 212*b077aed3SPierre Pronchery 213*b077aed3SPierre ProncheryL<EVP_PKEY-DSA(7)>, 214*b077aed3SPierre ProncheryL<EVP_PKEY-DH(7)>, 215*b077aed3SPierre ProncheryL<EVP_SIGNATURE-DSA(7)>, 216*b077aed3SPierre ProncheryL<EVP_KEYEXCH-DH(7)> 217*b077aed3SPierre ProncheryL<EVP_KEYMGMT(3)>, 218*b077aed3SPierre ProncheryL<EVP_PKEY(3)>, 219*b077aed3SPierre ProncheryL<provider-keymgmt(7)>, 220*b077aed3SPierre ProncheryL<OSSL_PROVIDER-default(7)>, 221*b077aed3SPierre ProncheryL<OSSL_PROVIDER-FIPS(7)>, 222*b077aed3SPierre Pronchery 223*b077aed3SPierre Pronchery=head1 COPYRIGHT 224*b077aed3SPierre Pronchery 225*b077aed3SPierre ProncheryCopyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. 226*b077aed3SPierre Pronchery 227*b077aed3SPierre ProncheryLicensed under the Apache License 2.0 (the "License"). You may not use 228*b077aed3SPierre Proncherythis file except in compliance with the License. You can obtain a copy 229*b077aed3SPierre Proncheryin the file LICENSE in the source distribution or at 230*b077aed3SPierre ProncheryL<https://www.openssl.org/source/license.html>. 231*b077aed3SPierre Pronchery 232*b077aed3SPierre Pronchery=cut 233