FIPS - US Cryptographic Testing Standard B2-04FIPS - US Cryptographic Testing Standard ICCC 2005...
Transcript of FIPS - US Cryptographic Testing Standard B2-04FIPS - US Cryptographic Testing Standard ICCC 2005...
FIPS - US Cryptographic Testing Standard ICCC 2005 Theme B2-04
Nithya RachamaduguCygnaCom SolutionsSeptember 31, 2005
2© Copyright 2005 CygnaCom Solutions
FIPS 140-2
• FIPS- Federal Information Processing Standard
• 140 - Publication Number, 2 - Program revision
• Cryptographic standard
• De facto international standard for cryptographic module security requirements
• Joint program – NIST and CSE
• FIPS 140-2 and CC are independent information security standards
• NIST – National Institute of Standards and Technology (US)
• CSE-Communications Security Establishment (CA)
3© Copyright 2005 CygnaCom Solutions
FIPS 140-2 to ISO/IEC 19790
• Cryptographic modules developed by vendors from around the world
• Australia, Israel, Singapore, U.K., France, Finland, Germany, Canada
– Protection Profiles developed throughout the world reference FIPS 140-1 and FIPS 140-2
• FIPS 140-2 developed to facilitate conversion to an ISO standard
• Cryptographic Module Validation Program(CMVP)
4© Copyright 2005 CygnaCom Solutions
CMVP: Applicability of FIPS 140-2
• U.S. Federal organizations must use validatedcryptographic modules
• With the passage of the Federal Information Security Management Act of 2002, there is no longer a statutory provision to allow for agencies to waive mandatory Federal Information Processing Standards.
• GoC departments are recommended by CSE to use validated cryptographic modules
• The FIPS 140-2 is Internationally recognized
5© Copyright 2005 CygnaCom Solutions
Evaluation
• Evolving standard
- FIPS 140-1 started in 1995
- FIPS 140-2 after May 2002
- FIPS 140-3 expected in May 2007
• FIPS 140-2 contains specific security requirements of the cryptographic module.
• Common Criteria specifies generic requirements for a security product or system
6© Copyright 2005 CygnaCom Solutions
Philosophy
• Strong commercially available cryptographic products are needed
• Government must work with the commercial sector and the cryptographic community for:– security,
– interoperability, and
– assurance
7© Copyright 2005 CygnaCom Solutions
Products with Cryptographic modules
• FIPS 140-2 requirements only applies to the cryptographic functionality of a product– Scope of testing (or the “module”) may be the whole
product or subset of a product
• Applicable to hardware, software, and firmware cryptographic modules– e.g. software applications, cryptographic toolkits, postage
metering devices, radio encryption, data storage modules
• Must use the validated version and configuration
• A larger product can claim that is uses a FIPS 140-1/2 validated cryptographic module
8© Copyright 2005 CygnaCom Solutions
Cryptographic module
Software/Hardware/firmware that employs cryptographic services:
• Encryption
• Signature
• Hashing
• Authentication
• Key management (generation, storage, import, export)
9© Copyright 2005 CygnaCom Solutions
Conformance testing
• Purpose of CMVP
– cryptographic modules Conformance using the Derived Test Requirements (DTR)
– Not evaluation of cryptographic modules. Not required are:
• Vulnerability assessment
• Design analysis, etc.
• Laboratories
– Test submitted cryptographic modules
• NIST/CSE
– Validate tested cryptographic modules
10© Copyright 2005 CygnaCom Solutions
validation flow
Vendor
Cryptographic
Module and
Algorithm
Designs and Produces
CMT
Lab
Tests for Conformance Cryptographic
Module and
Algorithm
Validates
Purchases
User
CMVP
Security and
Assurance
Test Results
and Signs
Certificate
11© Copyright 2005 CygnaCom Solutions
What happens when a report is submitted (cont.)
[CMVP SYN]
12© Copyright 2005 CygnaCom Solutions
Eleven Security Areas
• Cryptographic Module Specification
• Cryptographic Module Ports and Interfaces
• Roles, Services, and Authentication
• Finite State Model
• Physical Security
• Operational Environment
• Cryptographic Key Management
• EMI/EMC requirements
• Self Tests
• Design Assurance
• Mitigation of Other Attacks
13© Copyright 2005 CygnaCom Solutions
Levels of Security
• Four levels - Level 1 thru Level 4
• Level 1 is the lowest, Level 4 most stringent
• Requirements are primarily cumulative by level
• Levels assigned for each of the 11 security sections
• Overall rating is lowest rating in all sections
• module must be configured and operated in accordance with the level it was validated
14© Copyright 2005 CygnaCom Solutions
Example
• Physical Security at level 4 and all other security areas at level 1 receives Level 1.
• Machines located and operated in public areas
Reference: FIPS PUB 140-2,
S ti 4 S it
15© Copyright 2005 CygnaCom Solutions
16© Copyright 2005 CygnaCom Solutions
CC Security Considerations For crypto Modules
• Level 1: No CC requirement
• Level 2: EAL-2 Evaluated OS
• Level 3: EAL-3 Evaluated OS
• Level 4: EAL-4 Evaluated OS
17© Copyright 2005 CygnaCom Solutions
CC Verses FIPS Overview
• The CC and FIPS 140-2 are different in the abstractness and focus of tests.
• CC is an evaluation against a created protection profile (PP) or security target (ST). Typically, a PP covers a broad range of products.
• FIPS 140-2 testing is against a defined cryptographic module and provides a suite of conformance tests to four security levels. FIPS 140-2 describes the requirements for cryptographic modules and includes such areas as physical security, key management, self tests, roles and services, etc. The standard was initially developed in 1994 - prior to the development of the CC.
18© Copyright 2005 CygnaCom Solutions
CC Verses FIPS Overview (cont.)
• A CC evaluation does not supercede or substitute for a FIPS 140-2 validation. The four security levels in FIPS 140-2 are not intended to map directly to specific CC EALs or to CC functional requirements.
• FIPS 140-2 is the current de facto standard for cryptography. There is no document that correlates CC functionality to FIPS 140-2 functionality. Therefore, a CC certificate cannot be a substitute for a FIPS 140-2 certificate.
19© Copyright 2005 CygnaCom Solutions
Derived Test Requirements (DTR) Organization
• Tester and Vendor Requirements Are Derived From FIPS 140-2
• Implementation Guidance Issued by The CMVP Clarifies Testing and Documentation Requirements
FIPS 140-2
FIPS PUB 140-2
Derived Testing
Requirements Document
DTR
Tester Requirements Vendor RequirementsCompliance Requirements
FIPS 140-2
Implementation Guidance Document
20© Copyright 2005 CygnaCom Solutions
• Cryptographic module testing is performed using the Derived Test Requirements (DTR)
• Assertions in the DTR are directly traceable to requirements in FIPS 140-2
• All FIPS 140-2 requirements are included in the DTR as assertions– Provides for one-to-one correspondence between the
FIPS and the DTR
• Assertion levy requirements on the – Cryptographic module vendor
– Tester of the cryptographic module
21© Copyright 2005 CygnaCom Solutions
AES
TDES
IDEA
Blowfish
RC2
– Encryption/Decryption: IDEA, TDES, AES, Blowfish, RC2, RSA
*Note – Sample Algorithms Only - Not An Exhaustive List
Modules Implement Services, Which Use Algorithms:
SHA-1MD5
– Hashing / MACing: SHA-1, MD5
PRNGRNG
– Key Management: Random Number Generators (RNG, PRNG)
DSA
– Digital Signatures: DSA, RSA
RSA
Cryptographic Module Vs Algorithm
Reference: FIPS PUB 140-2
A A A d S it
22© Copyright 2005 CygnaCom Solutions
What constitutes a module?
• Approved Security Functions– Symmetric Key – AES, Triple-DES, Skipjack
– Asymmetric Key –DSA, RSA, ECDSA
– Message Authentication – DES MAC, Triple-DES Mac, Enhanced Security DES, CCM Mode
– Hashing – Secure Hash Standard (SHS) – SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512
– Keyed Hash – HMAC
– Random Number Generator –
Approved Random Number Generators for FIPS 140-2, Security Requirements for Cryptographic Modules.
23© Copyright 2005 CygnaCom Solutions
Non-Approved Mode
( Encrypt/Decrypt Data )
Approved Mode
( Digital Signatures
Key Wrapping )RSA
IDEA
Blowfish
MD5
RC2RNG
Only Approved Algorithms and Security Functions Permitted
Non-Approved Functions and Algorithms Not Allowed in Approved Mode
– (Not Tested or Validated – Not To Be Used By U.S. Government)
DSA
#65 SHA-1
#130
AES
#2
PRNG
#10
TDES
#80
Approved Mode of Operation
24© Copyright 2005 CygnaCom Solutions
Certificate Maintenance
• Possible changes
�No Security Relevant changes
�Less than 30% change to the same module
�Physical security changes
�More than 30% change or new module
25© Copyright 2005 CygnaCom Solutions
FIPS 140-2 Resources
• FIPS 140-2 Standard– Appendices
– Annexes
• Derived Test Requirements (DTR)
• Implementation Guidance (IG)
• Frequently Asked Questions (FAQ)
• NIST Validation Lists– Pre-Validation List
– Validated Products List
– Algorithm Validation List
• http://csrc.nist.gov/cryptval/
26© Copyright 2005 CygnaCom Solutions
Cost and schedule
• CMVP goal – certificate in six months
- under US $50,000 (Lab fee)
• NIST cost recovery
- Varies by level
- extended fee possible (additional charges)
27© Copyright 2005 CygnaCom Solutions
Validation List - Certificate
[VAL]
28© Copyright 2005 CygnaCom Solutions
Validation List – Certificate (cont)
[VAL]
29© Copyright 2005 CygnaCom Solutions
Reference material
• NIST web : http://csrc.nist.gov/cryptval/
• All FIPS documents : http://csrc.nist.gov/cryptval/
• FIPS evaluated product list: FIPS 140-1 and FIPS 140-2 Cryptographic Modules Validation List
30© Copyright 2005 CygnaCom Solutions
CMVP Web page
31© Copyright 2005 CygnaCom Solutions
32© Copyright 2005 CygnaCom Solutions
Contact Information:
• Nithya Rachamadugu
• Security Evaluation Laboratory Manager
• CygnaCom Solutions
• Suite 5200
• 7295 Jones Branch Drive
• McLean, VA 22102
• Tel: 703-270-3551
• Fax: 703-848-0985
• Email: [email protected]