Extending NIST’s CAVP Testing of Cryptographic Hash Function Implementations

  • Nicky Mouha
  • Christopher Celi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12006)


This paper describes a vulnerability in Apple’s CoreCrypto library, which affects 11 out of the 12 implemented hash functions: every implemented hash function except MD2 (Message Digest 2), as well as several higher-level operations such as the Hash-based Message Authentication Code (HMAC) and the Ed25519 signature scheme. The vulnerability is present in each of Apple’s CoreCrypto libraries that are currently validated under FIPS 140-2 (Federal Information Processing Standard). For inputs of about \(2^{32}\) bytes (4 GiB) or more, the implementations do not produce the correct output, but instead enter into an infinite loop. The vulnerability shows a limitation in the Cryptographic Algorithm Validation Program (CAVP) of the National Institute of Standards and Technology (NIST), which currently does not perform tests on hash functions for inputs larger than 65 535 bits. To overcome this limitation of NIST’s CAVP, we introduce a new test type called the Large Data Test (LDT). The LDT detects vulnerabilities similar to that in CoreCrypto in implementations submitted for validation under FIPS 140-2.
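As an added illustration (not CoreCrypto's code and not the paper's test vectors), the C program below models the length arithmetic of a streaming hash update: a hypothetical narrowing of the byte count to 32 bits makes the loop stall at 2^32 bytes, exactly the region the CAVP's 65 535-bit maximum never reaches, while the same loop with 64-bit lengths terminates. The walk is simulated on the byte count alone, so no 4 GiB buffer is allocated; `BLOCK_SIZE`, `walk_update_narrow`, `walk_update_wide` and `ldt_terminates` are assumed names.

```c
#include <stdint.h>
#include <stdio.h>

#define BLOCK_SIZE 64u        /* SHA-256 block size in bytes            */
#define CAVP_MAX_BYTES 8191u  /* 65 535 bits: largest input CAVP tests  */

/* Each walker returns the number of compress() calls the update loop would
 * make for an input of `len` bytes, or -1 if an iteration consumes nothing
 * (the real loop would never exit). */
typedef long (*update_walk_fn)(uint64_t len);

/* Hypothetical defect (constructed, not CoreCrypto's): the number of bytes
 * consumed is narrowed to 32 bits. For len = 2^32 the product 2^26 * 64 wraps
 * to 0, so len never shrinks; every len >= 2^32 reaches that state. */
static long walk_update_narrow(uint64_t len) {
    long calls = 0;
    while (len > 0) {
        if (len >= BLOCK_SIZE) {
            uint64_t nblocks = len / BLOCK_SIZE;
            uint32_t nbytes = (uint32_t)(nblocks * BLOCK_SIZE);
            if (nbytes == 0) return -1;   /* report the stall instead of spinning */
            len -= nbytes;
        } else {
            len = 0;                      /* short tail is buffered until final() */
        }
        calls++;
    }
    return calls;
}

/* Corrected loop: every length-carrying variable is as wide as the input. */
static long walk_update_wide(uint64_t len) {
    long calls = 0;
    while (len > 0) {
        if (len >= BLOCK_SIZE) {
            uint64_t nblocks = len / BLOCK_SIZE;
            len -= nblocks * BLOCK_SIZE;
        } else {
            len = 0;
        }
        calls++;
    }
    return calls;
}

/* Large Data Test driver: 1 if the update loop terminates for this length. */
static int ldt_terminates(update_walk_fn walk, uint64_t len) {
    return walk(len) >= 0;
}

int main(void) {
    uint64_t four_gib = (uint64_t)1 << 32;
    printf("CAVP max: narrow=%d wide=%d\n",
           ldt_terminates(walk_update_narrow, CAVP_MAX_BYTES),
           ldt_terminates(walk_update_wide, CAVP_MAX_BYTES));
    printf("LDT 4 GiB: narrow=%d wide=%d\n",
           ldt_terminates(walk_update_narrow, four_gib),
           ldt_terminates(walk_update_wide, four_gib));
    return 0;
}
```

Both walkers agree on every length the CAVP currently exercises; only the 4 GiB case separates them, which is the gap the LDT is designed to close.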


Keywords: CVE-2019-8741, FIPS, CAVP, ACVP, Apple CoreCrypto, Hash function, Vulnerability



The authors would like to thank the anonymous reviewers and their NIST colleagues for providing useful comments and suggestions. Special thanks go to Patrick Kamongi, Andrew Regenscheid, Apostol Vassilev, and Jeffrey Marron for their detailed feedback. Certain algorithms and commercial products are identified in this paper to foster understanding. Such identification does not imply recommendation or endorsement by NIST, nor does it imply that the algorithms or products identified are necessarily the best available for the purpose.

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. National Institute of Standards and Technology, Gaithersburg, USA
