Modulus reuse in FIPS

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Modulus reuse in FIPS

Eckenfels. Bernd
Hello,

In the FIPS Description document I see:

# org.bouncycastle.rsa.allow_multi_use – in approved/unapproved mode the module will attempt to block an RSA modulus from being
# used for encryption if it has been used for signing, or visa-versa. If the module is not in approved mode it is possible to stop this from
# happening by setting org.bouncycastle.rsa.allow_multi_use to true.

Does that mean I can only turn it of for threads in unapproved mode or does it mean I cannot turn it of if any thread is in approved mode, or does it apply only for keys marked as approved-generated? Or can I turn it off in all cases and how would it affect compliance state?

I also think the description in the guide is different, which one is correct?

User Guide:

# org.bouncycastle.rsa.allow_multi_use – in approved/unapproved mode the module will attempt to block an RSA modulus from being
# used for encryption if it has been used for signing, or visa- versa. It is possible to stop this from
# happening by setting org.bouncycastle.rsa.allow_multi_use to true.




--
http://www.seeburger.com








SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
Edisonstr. 1
D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
Fax: 07252 / 96 - 2222
Internet: http://www.seeburger.de               Registergericht/Commercial Register:
e-mail: [hidden email]               HRB 240708 Mannheim


Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.


This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.

Reply | Threaded
Open this post in threaded view
|

Re: Modulus reuse in FIPS

David Hook-3

In 1.0.1 it is possible to have this this property to true while in
approved mode. Note that according to correct usage this can be done
solely for the  purpose of generating a certificate signing request to
allow a CA to authorize the public key (i.e. PKCS#10). Any other dual
use of an RSA key pair for encryption and signing is not FIPS compliant.

Regards,

David

On 25/04/18 16:02, Eckenfels. Bernd wrote:

> Hello,
>
> In the FIPS Description document I see:
>
> # org.bouncycastle.rsa.allow_multi_use – in approved/unapproved mode the module will attempt to block an RSA modulus from being
> # used for encryption if it has been used for signing, or visa-versa. If the module is not in approved mode it is possible to stop this from
> # happening by setting org.bouncycastle.rsa.allow_multi_use to true.
>
> Does that mean I can only turn it of for threads in unapproved mode or does it mean I cannot turn it of if any thread is in approved mode, or does it apply only for keys marked as approved-generated? Or can I turn it off in all cases and how would it affect compliance state?
>
> I also think the description in the guide is different, which one is correct?
>
> User Guide:
>
> # org.bouncycastle.rsa.allow_multi_use – in approved/unapproved mode the module will attempt to block an RSA modulus from being
> # used for encryption if it has been used for signing, or visa- versa. It is possible to stop this from
> # happening by setting org.bouncycastle.rsa.allow_multi_use to true.
>
>
>
>
> --
> http://www.seeburger.com
>
>
>
>
>
>
>
>
> SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
> Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Friedemann Heinz, Dr. Martin Kuntz, Matthias Feßenbecker
> Edisonstr. 1
> D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
> Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
> Fax: 07252 / 96 - 2222
> Internet: http://www.seeburger.de               Registergericht/Commercial Register:
> e-mail: [hidden email]               HRB 240708 Mannheim
>
>
> Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.
>
>
> This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.
>