The Cryptographic Module Validation Program and FIPS 140-2
Randall J. Easter Senior Engineer, Cryptographic Module Validation Program National Institute of Standards and Technology December 4, 2002 1 Agenda
! The Cryptographic Module Validation Program
! The Importance of Testing – Making a Difference!
! FIPS 140-2 and Testing
! CMVP Status and General Information
! Additional Slides for Background and Information
! Web Site Examples
! Revalidation of Cryptographic Modules
! JAVA and FIPS 140-2
2 IT C&A SECURITY
Security Specifications Protocols 800-37 Firewalls Smart Cards SSL TLS Operating PKI Systems IPSEC 800-53 Telecom NIAP SMIME DBMS Biometrics IKE 800-53a Web EKE Browsers Healthcare SPEKE
Accredited Testing Labs FIPS 140-2 Encryption Hashing Authentication Signature Key Mgt. Crypto DSA FIPS Modules DES SHA-1 DES MAC 171 ECDSA D-H 3DES SHA-256 AES RSA MQV CMVP MAC Skipjack SHA-384 DSA2 RSA HMAC RSA2 AES SHA-512 ECDSA2 Wrapping Industry Standard, Future Standard, Standard Existing Standard Existing Standard Standard and Specification or Specification or in no Test Development Testing Recommendation Recommendation Progress Testing in Progress Available Cryptographic Module Validation Program (CMVP)
! Established by NIST and the Communications Security Establishment (CSE) in 1995 ! Original FIPS 140-1 requirements and updated FIPS 140-2 requirements developed with industry input ! Seven NVLAP-accredited testing laboratories rd ! True independent 3 party accredited testing laboratories
! Can not test and provide design assistance CMVP: Philosophy
! Strong commercially available cryptographic products are needed
! Government must work with the commercial sector and the cryptographic community for:
! security,
! interoperability, and
! assurance
5 CMVP: Applicability of FIPS 140-2
! U.S. Federal organizations must use validated cryptographic modules
! GoC departments are recommended by CSE to use validated cryptographic modules
! International recognition Communications-Electronics Security Group (CESG) - UK
• December 28, 2001
– CESG proposes the use of FIPS 140 as the basis for the evaluation of cryptographic products used in a number of UK government applications and encourages the setting up of accredited laboratories in the UK to perform these evaluations.
7 CMVP: Accredited Laboratories
EWA - Canada Domus IT Security Logica Security LTD, IT Security Laboratory Consulting Evaluation Facility
InfoGard Laboratories
Atlan Laboratories COACT Inc.
CEAL: a CygnaCom Solutions Laboratory
Seventh CMT laboratory added in 2002 The Importance of Testing: Buyer Beware!
! Does the product do what is claimed?
! Does it conform to standards?
! Was it independently tested?
! Is the product secure?
9 … Making a Difference
! 164 Cryptographic Modules Surveyed (during testing)
! 80 (48.8%) Security Flaws discovered
! 158 (96.3%) Documentation Errors
! 332 Algorithm Validations (during testing) (DES, Triple-DES, DSA and SHA-1)
! 88 (26.5%) Security Flaws
! 216 (65.1%) Documentation Errors
! Web Access
! November 2001 – 125,000 hits
! Monthly average – 80,000 hits
FIPS 140-2: Security Levels
Security Spectrum
Not Validated Level 1 Level 2 Level 3 Level 4
! Level 1 is the lowest, Level 4 most stringent
! Requirements are primarily cumulative by level
! Overall rating is lowest rating in all sections FIPS 140-2: Security Areas
• Cryptographic Module Specification • Cryptographic Module Ports and Interfaces • Roles, Services, and Authentication • Finite State Model • Physical Security • Operational Environment • Cryptographic Key Management • EMI/EMC requirements • Self Tests • Design Assurance • Mitigation of Other Attacks
13 FIPS 140-2: Differences with FIPS 140-1 ! Standard has not changed in focus or emphasis ! Language and terminology standardized ! Redundant and extraneous information removed ! Vague requirements removed or revised ! Standard was minimally restructured ! Authentication and Self-Test requirements strengthened ! Operating system requirements specified
using the Common Criteria 14 FIPS 140-2 New Topics
! Configuration Management ! Delivery and Operation ! Development
! Functional specifications
! Formal model and informal proof ! Guidance documents ! Mitigation of Other Attacks
15 CMVP Testing: Validation Flow
Vendor CMT Lab CMVP User
Designs and Tests for Validates Specifies and Produces Conformance Purchases
Cryptographic Cryptographic Test Results Security and Module and Module and and Signs Assurance Algorithm Algorithm Certificate CMVP Testing: Process
! Purpose of CMVP
! Conformance testing of cryptographic modules using the Derived Test Requirements (DTR)
! Not evaluation of cryptographic modules. Not required are:
! Vulnerability assessment
! Design analysis, etc. ! Laboratories
! Test submitted cryptographic modules ! NIST/CSE
! Validate tested cryptographic modules
17 CMVP Testing: Goals
! Among the laboratories…ensure
! Comparability of test results
! Repeatability of tests and test results
! Vendors
! Required services are correctly performed by the laboratory
! Among users
! Comprehensive testing of the module/product
! Cryptographic and other security features correctly implemented
18 FIPS140-2 Testing: Primary Activities
• Documentation Review (e.g., Security Policy, Finite State Model, Key Management Document) • Source code Analysis • Annotated Source Code • Link with Finite State Model • Testing • Physical Testing • FCC EMI/EMC conformance • Operational Testing • Algorithms and RNG Testing
19 FIPS 140-2 Testing: Derived Test Requirements
! Cryptographic module testing is performed using the Derived Test Requirements (DTR) ! Assertions in the DTR are directly traceable to requirements in FIPS 140-2 ! All FIPS 140-2 requirements are included in the DTR as assertions
! Provides for one-to-one correspondence between the FIPS and the DTR ! Each assertion includes requirements levied on the
! Cryptographic module vendor
! Tester of the cryptographic module FIPS 140-2 Testing: Traceability
FIPS PUB 140-2 Requirements
DTR Test Assertions Derived Test Requirements
Tester Vendor Requirements Requirements CMVP Status
! Continued record growth in the number of cryptographic modules validated
! Over 275 Validations representing nearly 300 modules
! All four security levels of FIPS 140-1 represented on the Validated Modules List
! Over 75 participating vendors FIPS 140-1 and FIPS 140-2 Validations by Year and Level (November 25, 2002 – Certificates Issued) 100 90 80 70 60 50 40 Projected 30 Level 4 20 Level 3 10 Level 2 0 Level 1 1995 1997 1999 2001 FIPS 140-1 and FIPS 140-2 Validations by Year and Level (November 25, 2002 – Modules Validated) 250
200
150
100 Projected Level 4 50 Level 3 Level 2 0 Level 1 1995 1997 1999 2001 Validated Modules By Type
Link/Fram e Encryptors Radios/Phones Faxes Postal PC/Sm art/Tokens PDAs
C o-Processors Kernels/Toolkits
A ccelerators Routers/VPNs
Participating Vendors (November 25, 2002)
3S Group Incorporated Entrust CygnaCom NetScreen Technologies, Inc. ActivCard F-Secure Corporation Network Associates, Inc. Admiral Secure Products, Ltd. Fortress Technologies, Inc. Nortel Networks AEP Systems Francotyp-Postalia Novell, Inc. Alcatel Gemplus Corp. and ActiveCard Inc. Oberthur Card Systems Algorithmic Research, Ltd. GTE Internetworking Oracle Corporation Altarus Corporation Hasler, Inc. Pitney Bowes, Inc. Pointsec Mobile Technologies Attachmate Corp. IBM PrivyLink Pte Ltd Avaya, Inc. Intel Network Systems, Inc. PSI Systems, Inc. Blue Ridge Networks IRE, Inc. Rainbow Technologies Check Point Software Technologies ITT RedCreek Communications Ltd. Kasten Chase Applied Research Research In Motion Chrysalis-ITS Inc. L-3 Communication Systems RSA Security, Inc. Cisco Systems, Inc. Litronic, Inc. SchlumbergerSema Communications Devices, Inc. Lucent, Inc. Securit-e-Doc, Inc. Control Break International Corp. M/A Com Wireless Systems Spyrus, Inc. Corsec Security, Inc. Microsoft Corporation Stamps.com Sun Microsystems, Inc. Cryptek Inc. Motorola, Inc. CTAM, Inc. Technical Communications Corp. Mykotronx. Inc Thales e-Security Cylink Corporation National Semiconductor Corp. TimeStep Corporation Dallas Semiconductor, Inc. nCipher Corporation Ltd. Transcrypt International Datakey, Inc. Neopost Tumbleweed Communications Corp. Ensuredmail, Inc. Neopost Industrie V-ONE Corporation, Inc. Entrust Inc. Neopost Ltd. Eracom Technologies Group, Eracom Neopost Online Technologies Australia, Pty. Ltd. Netscape Communications Corp. Final Conclusion: Buyer Beware!
! Does the product do what is claimed?
! Does it conform to standards?
! Was it independently tested?
! Is the product secure?
28 http://www.nist.gov/cmvp
! FIPS 140-1 and FIPS 140-2
! Derived Test Requirements (DTR)
! Annexes to FIPS 140-2
! Implementation Guidance
! Points of Contact
! Laboratory Information
! Validated Modules List
! Special Publication 800-23 ! Annabelle Lee - [email protected]
! Randy Easter - [email protected]
! Sharon Keller - [email protected]
! Ron Tencati – [email protected] Additional Background and Information
31 Web Site Examples
32
Revalidation Information
36 Revalidation: Specifics not ! FIPS 140-2: An updated version of a previously validated cryptographic module
! Modifications to hardware, software, firmware do affect security
! The testing laboratory reviews the changes and sends a letter to NIST/CSE
! The Cryptographic Module Validation List is updated
! Modifications to hardware, software, firmware affect less than 30% security relevant assertions
! The testing laboratory tests:
! The changed assertions (requirements)
! All assertions listed in the regression test suite
! New and updated assertions
37 Revalidation under FIPS 140-2 (less than 30% change)
Lab tests all the identified and remaining TEs
DTR FIPS 140-2 Revalidation (concluded)
! Modifications to hardware, software, firmware affect greater than 30% security relevant assertions
! The testing laboratory performs a full validation testing
! Full validation required …
! Overall security level changes
! Physical embodiment changes
39 Revalidation: FIPS 140-1 to FIPS 140-2
! Significant increase in number of test items under FIPS 140-2 (+36%)
! Some FIPS 140-1 assertions split into multiple FIPS 140-2 assertions ! CMVP intends to reuse the testing results from FIPS 140-1 ! Draft mapping between FIPS 140-1 and 140-2
40 Revalidation: FIPS 140-1 to FIPS 140-2
DTR FIPS 140-1 DTR FIPS 140-2 Revalidation: Approach
" Lab identifies and tests TEs affected by change " Lab identifies and tests TEs affected by new IGs and policies " Operational tests per regression test suite DTR FIPS 140-2
42 JAVA and FIPS 140-2
43 Adding Applets to a FIPS Applet: Digitally 140-2 Validated Crypto signed by Module: non-security applet writer/ card issuer relevant changes
Cryptographic Module Testing (CMT) Lab
Does applet contain crypto?
No
Applet digitally FIPS signed by 140-2 applet writer or validation card issuer Applet: digitally Adding Applets to a FIPS 140-2 signed by applet writer or card Validated Crypto Module: revalidation Appletissuer
FIPS 140-2 CMT Lab validation? Yes Yes Lab tests applet Does and crypto applet contain module* If applet is not crypto? separate crypto module Issue FIPS 140-2 certificate
*Crypto module must be tested against regression test suite and new/modified assertions Adding/Modifying Applets to Applet: digitally signed by a FIPS 140-2 Validated appletApplet writer or Crypto Module: revalidation Issue FIPS card issuer 140-2 certificate
CMT Lab Yes Lab tests Does applet against Yes FIPS 140-2 Applet is applet contain FIPS 140-2 crypto? validation? separate crypto module
Applet digitally Validated signed by Crypto applet writer or module card issuer