Extending NIST’s CAVP Testing: Lessons Learned from CVE-2019-8741 (C31b)
The security of cryptography in practice relies not only on the resistance of the algorithms to cryptanalytic attacks, but also on the correctness of their implementations. NIST maintains the Cryptographic Algorithm Validation Program (CAVP), which provides validation testing for the NIST-recommended cryptographic algorithms. CAVP testing is a prerequisite for validating cryptographic modules against FIPS 140-2 under the Cryptographic Module Validation Program (CMVP). An inherent limitation of the CAVP, and of software testing in general, is that it is a sampling process: only a very small subset of all possible inputs is ever exercised. Currently, the CAVP does not test hash functions on inputs larger than 65 535 bits (under 8 KiB). We explain why this is insufficient to detect certain vulnerabilities in widely deployed commercial cryptography, by describing a vulnerability (CVE-2019-8741) involving large inputs that we discovered in each of Apple's CoreCrypto libraries that are validated under FIPS 140-2. The vulnerability affects 11 of the 12 implemented hash functions, every one except MD2 (Message Digest 2), as well as several higher-level operations built on them, such as the Hash-based Message Authentication Code (HMAC) and the Ed25519 signature scheme. In this presentation, we discuss the vulnerability from a NIST perspective. To overcome this limitation of the CAVP, we introduce a new test type called the Large Data Test (LDT), and explain how it detects vulnerabilities similar to the one in CoreCrypto in implementations submitted for validation under FIPS 140-2.
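The abstract states that CAVP hash testing stops at 65 535 bits and that the LDT closes that gap with much larger inputs. The harness below is an added example written for this page, not code from the presentation, from NIST, or from the ACVP/CAVP tooling. It illustrates the shape of a large-data test: the message is specified compactly as a short content pattern repeated to a target length (the pattern-repetition idea is assumed here as a sensible way to describe multi-gigabyte inputs without shipping them), the message is streamed into the implementation under test in bounded chunks so memory use stays flat regardless of message size, and the result is checked two ways: against a published known answer, and for consistency across chunk sizes that straddle the compression-function block boundary. The known-answer digests for one million repetitions of "a" are NIST's published SHA examples; the function and parameter names are this example's own.

```python
import hashlib
from typing import Iterable, Iterator

# Largest hash input the CAVP currently exercises, per the abstract (65 535 bits).
CAVP_MAX_INPUT_BITS = 65_535

# Known-answer digests for "a" repeated 1 000 000 times (8 000 000 bits, far beyond
# the CAVP ceiling). These values are NIST's published SHA examples.
MILLION_A_KATS = {
    "sha1":   "34aa973cd4c4daa4f61eeb2bdbad27316534016f",
    "sha256": "cdc76e5c9914fb9281a1c7e284d73e67f1809a48a497200e046d39ccc7112cd0",
    "sha512": ("e718483d0ce769644e2e42c7bc15b4638e1f98b13b2044285632a803afa973eb"
               "de0ff244877ea60a4cb0432ce577c31beb009c5c2c49aa2e4eadb217ad8cc09b"),
}


def repeating_message(content: bytes, full_len: int, chunk_len: int) -> Iterator[bytes]:
    """Yield `full_len` bytes of `content` repeated end to end, `chunk_len` bytes at a
    time, without ever materialising the whole message (the LDT input description
    assumed here: a short pattern plus a total length)."""
    if not content or full_len < 0 or chunk_len <= 0:
        raise ValueError("content must be non-empty, lengths positive")
    # A buffer of content + chunk_len bytes is enough to serve any window.
    reps = -(-chunk_len // len(content)) + 1
    buf = content * reps
    pos, remaining = 0, full_len
    while remaining:
        off = pos % len(content)          # phase of the pattern at this position
        n = min(chunk_len, remaining)
        yield buf[off:off + n]
        pos += n
        remaining -= n


def ldt_digest(algo: str, content: bytes, full_len: int, chunk_len: int = 1 << 20) -> str:
    """Hash the expanded message by streaming it through the implementation under
    test (hashlib stands in for the module being validated)."""
    h = hashlib.new(algo)
    for chunk in repeating_message(content, full_len, chunk_len):
        h.update(chunk)
    return h.hexdigest()


def chunking_consistent(algo: str, content: bytes, full_len: int,
                        chunk_lens: Iterable[int]) -> bool:
    """Feed one large message with several chunk sizes, including ones that straddle
    the 64/128-byte block boundary, and require a single digest. A bug in the
    update path's buffering or length accounting shows up as a mismatch."""
    digests = {ldt_digest(algo, content, full_len, c) for c in chunk_lens}
    return len(digests) == 1


def run_large_data_test(algo: str, content: bytes, full_len: int, expected_hex: str) -> bool:
    """One LDT case: the message must exceed the CAVP ceiling, the streamed digest
    must match the known answer, and chunking must not change the result."""
    if full_len * 8 <= CAVP_MAX_INPUT_BITS:
        raise ValueError("not a large-data case: message fits inside CAVP's current limit")
    got = ldt_digest(algo, content, full_len)
    if got != expected_hex:
        return False
    return chunking_consistent(algo, content, full_len, (1, 63, 64, 65, 127, 128, 129, 4096))


if __name__ == "__main__":
    for algo, kat in MILLION_A_KATS.items():
        ok = run_large_data_test(algo, b"a", 1_000_000, kat)
        print(f"{algo:7s} LDT {'PASS' if ok else 'FAIL'}")
```

The same harness runs unchanged with `full_len` in the gigabyte range, which is the regime an LDT actually targets: `repeating_message` keeps only one chunk in memory, so the only cost is hashing time. When the implementation under test is a native library rather than hashlib, replace `hashlib.new(algo)` with the library's init/update/final calls and keep the chunk-size sweep; that sweep is what exercises the internal buffer management that a single one-shot call would never reach.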