• Abstract and Figures
• Public Full-text

Implementation Guidance for FIPS 140-2 and the Cryptographic Module Validation Program National Institute of Standards and Technology Canadian Centre for Cyber Security Initial Release: March 28, 2003 Last Update: May 4, 2021 Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program National Institute of Standards and Technology Table of Contents OVERVIEW ....................................................................................................................................................... 6 GENERAL ISSUES............................................................................................................................................ 7 G.1 REQUEST FOR GUIDANCE FROM THE CMVP AND CAVP ............................................................................ 7 G.2 COMPLETION OF A TEST REPORT: INFORMATION THAT MUST BE PROVIDED TO NIST AND CCCS ............... 9 G.3 PARTIAL VALIDATIONS AND NOT APPLICABLE AREAS OF FIPS 140-2 ..................................................... 11 G.4 DESIGN AND TESTING OF CRYPTOGRAPHIC MODULES ............................................................................... 12 G.5 MAINTAINING VALIDATION COMPLIANCE OF SOFTWARE OR FIRMWARE CRYPTOGRAPHIC MODULES ........ 13 G.6 MODULES WITH BOTH A FIPS MODE AND A NON-FIPS MODE ................................................................... 15 G.7 RELATIONSHIPS AMONG VENDORS, LABORATORIES, AND NIST/CCCS .................................................. 16 G.8 REVALIDATION REQUIREMENTS ............................................................................................................... 16 G.9 FSM, SECURITY POLICY, USER GUIDANCE AND CRYPTO OFFICER GUIDANCE DOCUMENTATION ........... 32 G.10 PHYSICAL SECURITY TESTING FOR RE-VALIDATION FROM FIPS 140-1 TO FIPS 140-2 .......................... 33 G.11 TESTING USING EMULATORS AND SIMULATORS ..................................................................................... 34 G.12 POST-VALIDATION INQUIRIES ................................................................................................................ 35 G.13 INSTRUCTIONS FOR VALIDATION INFORMATION FORMATTING ............................................................... 36 G.14 MOVED TO W.14 ..................................................................................................................................... 50 G.15 MOVED TO W.2 ....................................................................................................................................... 50 G.16 REQUESTING AN INVOICE BEFORE SUBMITTING A REPORT .................................................................... 50 G.17 REMOTE TESTING FOR SOFTWARE MODULES ......................................................................................... 51 G.18 LIMITING THE USE OF FIPS 186-2 .......................................................................................................... 53 G.19 OPERATIONAL EQUIVALENCY TESTING FOR HW MODULES ................................................................... 55 G.20 TRACKING THE COMPONENT VALIDATION LIST ..................................................................................... 61 SECTION 1 - CRYPTOGRAPHIC MODULE SPECIFICATION ............................................................. 63 1.1 CRYPTOGRAPHIC MODULE NAME ............................................................................................................. 63 1.2 FIPS APPROVED MODE OF OPERATION ..................................................................................................... 64 1.3 FIRMWARE DESIGNATION .......................................................................................................................... 65 1.4 BINDING OF CRYPTOGRAPHIC ALGORITHM VALIDATION CERTIFICATES ................................................... 66 1.5 MOVED TO A.1 ........................................................................................................................................... 68 1.6 MOVED TO A.2 ........................................................................................................................................... 68 1.7 MULTIPLE APPROVED MODES OF OPERATION ........................................................................................... 68 1.8 MOVED TO W.13 ....................................................................................................................................... 70 1.9 DEFINITION AND REQUIREMENTS OF A HYBRID CRYPTOGRAPHIC MODULE .............................................. 70 1.10 MOVED TO A.3 ......................................................................................................................................... 71 1.11 MOVED TO D.1 ......................................................................................................................................... 72 1.12 MOVED TO C.1 ......................................................................................................................................... 72 1.13 MOVED TO A.4 ......................................................................................................................................... 72 1.14 MOVED TO A.5 ......................................................................................................................................... 72 1.15 MOVED TO A.6 ......................................................................................................................................... 72 1.16 SOFTWARE MODULE ............................................................................................................................... 72 1.17 FIRMWARE MODULE ............................................................................................................................... 74 1.18 PIV REFERENCE ...................................................................................................................................... 77 1.19 NON-APPROVED MODE OF OPERATION.................................................................................................... 78 1.20 SUB-CHIP CRYPTOGRAPHIC SUBSYSTEMS ............................................................................................... 80 1.21 PROCESSOR ALGORITHM ACCELERATORS (PAA) AND PROCESSOR ALGORITHM IMPLEMENTATION (PAI) ........................................................................................................................................................................ 84 1.22 MODULE COUNT DEFINITION .................................................................................................................. 86 1.23 DEFINITION AND USE OF A NON-APPROVED SECURITY FUNCTION .......................................................... 89 SECTION 2 – CRYPTOGRAPHIC MODULE PORTS AND INTERFACES .......................................... 94 2.1 TRUSTED PATH .......................................................................................................................................... 94 SECTION 3 – ROLES, SERVICES, AND AUTHENTICATION ............................................................... 97 CMVP 2 05/04/2021 Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program National Institute of Standards and Technology 3.1 AUTHORIZED ROLES .................................................................................................................................. 97 3.2 BYPASS CAPABILITY IN ROUTERS ............................................................................................................. 98 3.3 AUTHENTICATION MECHANISMS FOR SOFTWARE MODULES ................................................................... 100 3.4 MULTI-OPERATOR AUTHENTICATION ..................................................................................................... 101 3.5 DOCUMENTATION REQUIREMENTS FOR CRYPTOGRAPHIC MODULE SERVICES ........................................ 102 SECTION 4 - FINITE STATE MODEL ...................................................................................................... 105 SECTION 5 - PHYSICAL SECURITY ........................................................................................................ 106 5.1 OPACITY AND PROBING OF CRYPTOGRAPHIC MODULES WITH FANS, VENTILATION HOLES OR SLITS AT LEVEL 2......................................................................................................................................................... 106 5.2 TESTING TAMPER EVIDENT SEALS .......................................................................................................... 107 5.3 PHYSICAL SECURITY ASSUMPTIONS ........................................................................................................ 107 5.4 LEVEL 3: HARD COATING TEST METHODS .............................................................................................. 112 5.5 PHYSICAL SECURITY LEVEL 3 AUGMENTED WITH EFP/EFT ................................................................... 114 SECTION 6 – OPERATIONAL ENVIRONMENT .................................................................................... 115 6.1 SINGLE OPERATOR MODE AND CONCURRENT OPERATORS ..................................................................... 115 6.2 APPLICABILITY OF OPERATIONAL ENVIRONMENT REQUIREMENTS TO JAVA SMART CARDS ................. 116 6.3 CORRECTION TO COMMON CRITERIA REQUIREMENTS ON OPERATING SYSTEM .....................................

Load more

  285

Copy Link