[openssl-users] Fwd: X9.31 RSA key generation for FIPS validation (180-4)

SecInterlocutor secinterlocutor at gmail.com
Wed May 20 10:05:03 UTC 2015

Hello again,

I am resending this email in case it's been forgotten. Is there anyone who
can help me at all?
If more information is needed, please let me know.

Many thanks.

---------- Forwarded message ----------
From: SecInterlocutor <secinterlocutor at gmail.com>
Date: Fri, May 15, 2015 at 9:44 AM
Subject: Fwd: X9.31 RSA key generation for FIPS validation (180-4)
To: openssl-users at openssl.org


Our product was FIPS-certified a few years ago. We are now about to start
the re-certification process.

The test for RSA X9.31 key generation have somewhat changed, or so it looks
like to me anyway.

A few years ago, we received test vectors with the following parameters:
modulus size, e, xp1, xp2, Xp, xq1, xq2, Xq.

The response we provided included the previous parameters and these
generated values: p, q, n, d.

We used  FIPS_rsa_x931_derive_ex()  to generate the values.

I believe this function implements section B.3.6: Generation of Probable
Primes with Conditions Based on Auxiliary Probable Primes. Prime method:
Primes p1, p2, q1,q2, p and q shall all be probable primes.

Is my assumption correct?

If so, we’d like to minimise effort and reuse our test sw for the new tests
in http://csrc.nist.gov/groups/STM/cavp/documents/dss2/rsa2vs.pdf.

I’m looking at section 6.2.1 where the parameters are: modulus size, e,
N=25 (number of iterations). It seems to me that we have to send a response
with all of the other parameters: xp1, xp2, Xp, xq1, xq2, Xq, p, q, n, d.

xp1, xp2, Xp, xq1, xq2, Xq are random numbers, some of them have to be odd.

Which function(s) do you suggest to use to generate them?

Or can I just use FIPS_rsa_x931_generate_key_ex() ? Is this used with a
fixed exponent? Does it also implement section B.3.6?

We also have to indicate to NIST the type of Probabilistic Primality Test
the (specific) OpenSSL functions use:

a)      Table C.2. Minimum number of rounds of M-R testing when generating

b)      Table C.3. Minimum number of rounds of M-R testing when generating
primes using an error probability of 2^–100

Which one(s) does OpenSSL implement? If both, how is that chosen?

Many thanks in advance.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150520/7c78d4c3/attachment.html>

More information about the openssl-users mailing list