The Cryptographic Module Validation Program

andFIPS 140-2

NIAP

SSLTLS

SMIMEIKEEKE

SPEKE

IPSEC

ITSECURITY

Systems

Smart Cards

PKI

Telecom

Biometrics

Healthcare

Firewalls

OperatingSystems

DBMS

WebBrowsers

CMVP

DES

3DES

AES

Skipjack

SHA-1

SHA-256

SHA-384

SHA-512

DESMAC

HMAC

FIPS 140-2Crypto

Modules

RSA

ECDSA

DSA

DSA2

RSA2ECDSA2 Wrapping

D-HMQV

RSA

FIPS171

Encryption Hashing Authentication Signature Key Mgt.

ProtocolsSecurity Specifications

Future Standard,Specification or

Recommendation

Standardin

Progress

Existing StandardTest Development

in Progress

Standard andTesting

Available

Existing Standardno

Testing

Industry Standard,Specification or

Recommendation

CygnaCom COACTSAIC TUVIT CSC

Domus InfoGard Atlan

AccreditedTesting

Labs

ARCA

EWA

Cryptographic Module Validation Program (CMVP)

Established by NIST and the Communications Security Establishment (CSE) in 1995

Original FIPS 140-1 requirements and updated FIPS 140-2 requirements developed with industry input

Six NVLAP-accredited testing laboratories True independent 3rd party accredited testing laboratories Can not test and provide design assistance

CMVP Accredited Laboratories

InfoGard Laboratories

CEAL: a CygnaCom Solutions Laboratory

COACT Inc.

EWA - Canada LTD, IT Security

Evaluation Facility

Domus IT Security Laboratory

Atlan Laboratories

Sixth CMT laboratory added in 2001

Applicability of FIPS 140-2

U.S. Federal organizations must use validated cryptographic modules

GoC departments are recommended by CSE to use validated cryptographic modules

International recognition

Vendor

Designs and Produces

Cryptographic Module and Algorithm

CMT Lab

Tests for Conformance

Cryptographic Module and Algorithm

CMVP

Validates

Test Results and Signs Certificate

User

Specifies and Purchases

Security and Assurance

Flow of a FIPS 140-2 Validation

Level 1 is the lowest, Level 4 most stringent

Requirements are primarily cumulative by level

Overall rating is lowest rating in all sections

Not Validated

Security Spectrum

Level 1

Level 2

Level 3

Level 4

FIPS 140-2 Security Levels

Derived Test Requirements

Cryptographic module testing is performed using the Derived Test Requirements (DTR)

Assertions in the DTR are directly traceable to requirements in FIPS 140-2

All FIPS 140-2 requirements will be included in the DTR as assertions Provides for one-to-one correspondence between the FIPS

and the DTR

Derived Test Requirements (concluded)

Each assertion will include requirements levied on the Cryptographic module vendor Tester of the cryptographic module

Modules tested against FIPS 140-2 will use the associated DTR

Revalidations

An updated version of a previously validated cryptographicmodule can be considered for a revalidation rather than a full validation depending on the extent of the modifications from the previously validated version of the module.

1. Modifications are made to hardware, software or firmware components that do not affect any FIPS 140-1 security relevant items.

Signed Letter from Accredited Laboratory

2. Modifications are made to hardware, software or firmware components that affect some of the FIPS 140-1 security relevant items.

Re-validation TE’s annotated as RE-Tested with an overall regression test performed

CMVP Status

Continued record growth in the number of cryptographic modules validated Over 200 Validations representing nearly 250

modules

All four security levels of FIPS 140-1 represented on the Validated Modules List

Over forty participating vendors

0

20

40

60

80

100

120

1995 1997 1999 2001

ProjectedLevel 4Level 3Level 2Level 1

FIPS 140-1 and FIPS 140-2 Validations by Year and Level

(January 15, 2002)

Certificate 150

May 23, 2001

Certificate 200 December 18,

2001

2001 Validation Milestones

• FIPS 140-2 Signed 05/25/01

• FIPS 140-2 DTR Available 11/15/01

• FIPS 140-2 Validations Accepted

Validated Modules By Type

Accelerators

Co-Processors

Routers/VPNs

Kernels/Toolkits

PDAs

PostalFaxes

Link/FrameEncryptors

Radios/Phones

PC/Smart/Tokens

FIPS 140-2 - Testing Begins

FIPS 140-2 Testing officially began November 15, 2001

FIPS 140-1 Testing ends May 25, 2002 Testing laboratories may submit FIPS 140-1

validation test reports until May 25, 2002 After May 25, 2002 all validations and

revalidations must be done against FIPS 140-2

FIPS 140-2 - Testing Begins …

Agencies may continue to purchase, retain and use FIPS 140-1 validated products after May 25, 2002.

NIST has provided common algorithmic testing tool to Accredited Laboratories:

Includes DES, Triple-DES and AES DSA and SHA-1 - to be integrated ECDSA available as separate tool – to be integrated RSA, SHA-{256,384,512}, DH, MQV - future

CMVP Status (concluded)

End of FIPS 140-1 testing and beginning of FIPS 140-2 testing and validations with new implementations of FIPS 197 (AES) expected to cause unparalleled growth

Increasing international recognition of the CMVP and FIPS 140-2

Communications-Electronics Security Group (CESG) - UK

• December 28, 2001

– CESG proposes the use of FIPS 140 as the basis for the evaluation of cryptographic products used in a number of UK government applications and encourages the setting up of accredited laboratories in the UK to perform these evaluations.

… Making a Difference

164 Cryptographic Modules Surveyed (during testing)

80 (48.8%) Security Flaws discovered 158 (96.3%) Documentation Errors

332 Algorithm Validations (during testing)

(DES, Triple-DES, DSA and SHA-1) 88 (26.5%) Security Flaws 216 (65.1%) Documentation Errors

Areas of Greatest Difficulty Physical Security Self Tests Random Number Generation Key Management

AlcatelAlgorithmic Research, Ltd.Ascom Hasler Mailing SystemsAttachmate Corp.Avaya, Inc.Baltimore Technologies (UK) Ltd.Blue Ridge NetworksCerticom Corp.Chrysalis-ITS Inc.Cisco Systems, Inc.Cryptek Security Communications,

LLCCTAM, Inc.Cylink CorporationDallas Semiconductor, Inc.Datakey, Inc.Ensuredmail, Inc.Entrust Technologies LimitedEracom Technologies Group,

Eracom Technologies Australia, Pty. Ltd.

F-Secure CorporationFortress Technologies Francotyp-PostaliaGTE InternetworkingIBMIntel Network Systems, Inc.IRE, Inc.Kasten Chase Applied ResearchL-3 Communication SystemsLitronic, Inc.M/A Com Wireless SystemsMicrosoft Corporation.Motorola, Inc.Mykotronx. IncNational Semiconductor Corp.nCipher Corporation Ltd.NeopostNeopost IndustrieNeopost Ltd.Neopost Online Netscape Communications Corp.

NetScreen Technologies, Inc.Network Associates, Inc.Nortel NetworksNovell, Inc.Oracle CorporationPitney Bowes, Inc.PrivyLink Pte LtdPSI Systems, Inc.Rainbow TechnologiesRedCreek CommunicationsResearch In MotionRSA Data Security, Inc.SchlumbergerSemaSpyrus, Inc.Stamps.comTechnical Communications Corp.Thales e-SecurityTimeStep CorporationTranscrypt InternationalTumbleweed Communications Corp.V-ONE Corporation, Inc.

Participating Vendors (January 15, 2002)

FIPS 140-1 and FIPS 140-2 Derived Test Requirements (DTR) Annexes to FIPS 140-2 Implementation Guidance Points of Contact Laboratory Information Validated Modules List Special Publication 800-23

http://www.nist.gov/cmvp

ADDITIONALBACKGROUND

NVLAP Program

Accredited FIPS 140-1Testing Lab

Cryptographic Module Vendor

Level #

NIST/CSE

Module’s Test Report

List of ValidatedFIPS 140-1Modules

List of NVLAPAccredited Labs

Submits application;Pays accreditation fee

Conducts on-siteassessment;Accredits labs

Tests forconformanceto FIPS 140-1;Writes test report

Submits module for testing;Pays testing fee

Issue validationcertificate

To NIST/CSE for validation

NIST publishes list ofvalidated modules

Issue testing &implementationguidance

NIST publisheslist of NVLAP Accredited Labs

FIPS 140-1: Basic Requirements

Defined module boundary. Finite State Machine specification. Defined security policy. Specification of roles and services. Selection of authentication mechanisms. Self-tests of algorithms, random number

generators, and critical functions during power-on.

Cryptographic Algorithms

Must include at least one FIPS approved cryptographic algorithm. Data Encryption Algorithm (DES) Triple DES (allowed for U.S. Government use) Digital Signature Standard (DSA, RSA), Secure

Hash Algorithm (SHA-1) Must meet requirements in FIPS algorithm

standard.

FIPS 140-1 Security Level 1

Specification of the cryptographic module boundary.

Production-grade equipment. Logical separation of roles and services but no

required authentication. FIPS approved key management. Allows software cryptographic services on a

single user general purpose computer.

FIPS 140-1 Security Level 2

Tamper evident coatings or seals, or pick-resistant locks.

Role-based authentication to determine if an operator is authorized to assume a specific role and perform a corresponding set of services.

Allows software cryptography in evaluated multi-user timeshared systems.

FIPS 140-1 Security Level 3

Tamper detection and response for covers and doors. Identity-based authentication. Stronger requirements for entering and outputting

critical security parameters and cryptographic keys. Trusted path requirements for modules using trusted

operating systems.

FIPS 140-1 Security Level 4

Envelope of protection around the entire cryptographic module.

Environmental failure protection and testing. Formal modeling for software.

Differences Between FIPS 140-1 and FIPS 140-2140-1 & 2 Tables of Contents

FIPS 140-11. Overview2. Glossary of Terms and Acronyms3. Functional Security Requirements4. Security Requirements 4.1 Cryptographic Modules 4.2 Cryptographic Module Interfaces

FIPS 140-21. Overview2. Glossary of Terms and Acronyms*3. Functional Security Requirements4. Security Requirements 4.1 Cryptographic Module Specification* 4.2 Cryptographic Module Interfaces

* Section added or significantly revised

140-1 & 2 Tables of Contents (Continued)

FIPS 140-1 4.3 Roles and Services 4.4 Finite State Machine Model 4.5 Physical Security 4.6 Software Security 4.7 Operating System Security 4.8 Cryptographic Key Management

FIPS 140-2 4.3 Roles, Services, and Authentication 4.4 Finite State Machine Model 4.5 Physical Security* 4.6 Operating System Security* 4.7 Cryptographic Key Management

* Section added or significantly revised

140-1 & 2 Tables of Contents (Continued)

FIPS 140-1 4.9 Cryptographic Algorithms 4.10 EMI/EMC 4.11 Self-Tests

FIPS 140-2 4.8 EMI/EMC 4.9 Self-Tests 4.10 Design Assurance* 4.11 Mitigation of Other Attacks*

* Section added or significantly revised

140-1 & 2 Tables of Contents (Concluded)

FIPS 140-1Appendices A: Summary of Documentation Requirements B: Recommended Software Development Practices C: Selected References

FIPS 140-2Appendices A: Summary of Documentation Requirements B: Recommended Software Development Practices* C: Cryptographic Module Security Policy* D: Selected Bibliography*

* Section added or significantly revised

FIPS 140-2: Final Revisions

4.2 Cryptographic Module Interfaces Security Levels 3 and 4

Physical ports for input/output of plaintext CSPs shall be physically separate from other ports

Logical interfaces for input/output of plaintext CSPs shall be logically separate from all other interfaces

Requires implementation of a trusted path

FIPS 140-2: Final Revisions (continued)

4.6 Operational Environment Operating system definition expanded to operational

environment general purpose operational environment refers to

the use of a commercially-available general purpose operating system (i.e., resource manager)

manages the software and firmware components within the cryptographic boundary

Limited operational environment refers to a static non-modifiable virtual operational environment

with no underlying general purpose OS Requirements in FIPS 140-2 do not apply

Modifiable operational environment refers to an operating environment that may be reconfigured to add/delete/modify

functionality and/or may include general purpose OS capabilities Requirements in FIPS 140-2 apply

FIPS 140-2: Final Revisions (continued)

4.10 Design Assurance Development

Deleted requirements addressed in other sections of FIPS 140-2 Guidance

Deleted security requirements for the IT environment Functional Testing and Test Coverage

Deleted all requirements