IBM Crypto Education Community

  • 1.  Validation of ECC public key

    Posted Thu January 26, 2017 01:12 PM

    Hi.

    Currently, we derived a shared secret using CSNDEDH.  Input is PKDS(ECC key pair), public ECC token and 'PASSTHRU'.

    The ECC public key token is created using CSNDPKB by supplying X and Y coordinates.  This works fine.

    My question: does ICSF do some validation on this ECC public key token? That is, validate that the point actually is part of the curve. If so, what kind of message would I receive if it is invalid?

    If no validation is done, can you suggest what can be?

    Thanks,

    Rob

    RobHeckman(RBC)


  • 2.  Re: Validation of ECC public key

    Posted Fri January 27, 2017 10:02 AM

    CSNDPKB is a verb that executes entirely in the host system - it is not done in the crypto card.  I'm not sure what the ICSF code for the CSNDPKB verb does, but I can give you some related information.

    • The crypto card itself (using CCA) will validate the ECC public key any time you try to use it.  That is built into the Elliptic Curve algorithm that is in the card hardware.  Thus, if you create an invalid public key in the host and then try to use it in the card, it should be rejected.
    • My team owns the host CCA code (including CSNDPKB) for Linux on z System, x86 platforms, and AIX.  None of those do any validation of the public key in the CSNDPKB verb.

    I'll try to get someone from the ICSF development team to answer the question in regard to ICSF CSNDPKB host code.

    ToddArnold


  • 3.  Re: Validation of ECC public key

    Posted Fri January 27, 2017 10:14 AM

    Thanks for the update and help.... Feeding in an invalid X and Y, I get the following message, and it appears to come from hardware.  Just wasn't sure what this really meant.     Answer accepted.

    301 (769) A cryptographic internal device driver component detected data contained in a cryptographic request that is not valid.

    RobHeckman(RBC)


  • 4.  Re: Validation of ECC public key

    Posted Tue January 31, 2017 09:49 AM

    Thanks @ToddArnold!

    @RobHeckman(RBC), I also confirmed with the ICSF team that validation of the EC Point is performed in the card at time of use and not in the CSNDPKB service.

    Eysha Shirrine
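
Added example, not part of the thread and not ICSF or CCA code: since the replies say the point is checked in the card at time of use and not in CSNDPKB, this sketch checks X and Y on the host before the token is built. It assumes NIST P-256 (the thread does not name the curve); the function name, reason strings and sample inputs are constructed for illustration.

```python
from typing import Tuple

# NIST P-256 (secp256r1) domain parameters. Curve choice is an assumption.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
# Base point G, used below only as a known-good sample point.
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
COORD_LEN = 32  # bytes per coordinate for a 256-bit prime field


def validate_p256_point(x_bytes: bytes, y_bytes: bytes) -> Tuple[bool, str]:
    """Check big-endian affine coordinates before building a key token.

    Hypothetical helper. Checks length, range and the curve equation
    y^2 = x^3 + ax + b (mod p). P-256 has cofactor 1, so any affine
    point that satisfies the equation is in the prime-order group.
    """
    if len(x_bytes) != COORD_LEN or len(y_bytes) != COORD_LEN:
        return False, "coordinate length is not 32 bytes"
    x = int.from_bytes(x_bytes, "big")
    y = int.from_bytes(y_bytes, "big")
    if x >= P or y >= P:
        return False, "coordinate not in [0, p-1]"
    if (y * y - (x * x * x + A * x + B)) % P != 0:
        return False, "point is not on the curve"
    return True, "ok"


if __name__ == "__main__":
    gx, gy = GX.to_bytes(COORD_LEN, "big"), GY.to_bytes(COORD_LEN, "big")
    # Constructed samples: the base point, then the same X with Y altered.
    bad_y = (GY + 1).to_bytes(COORD_LEN, "big")
    for label, x, y in [("base point", gx, gy), ("altered Y", gx, bad_y)]:
        print(label, validate_p256_point(x, y))
```
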