Implementation Guidance for FIPS 140-2 and the Cryptographic Module Validation Program


National Institute of Standards and Technology
Canadian Centre for Cyber Security

Initial Release: March 28, 2003
Last Update: May 4, 2021

Table of Contents

OVERVIEW

GENERAL ISSUES
  G.1 REQUEST FOR GUIDANCE FROM THE CMVP AND CAVP
  G.2 COMPLETION OF A TEST REPORT: INFORMATION THAT MUST BE PROVIDED TO NIST AND CCCS
  G.3 PARTIAL VALIDATIONS AND NOT APPLICABLE AREAS OF FIPS 140-2
  G.4 DESIGN AND TESTING OF CRYPTOGRAPHIC MODULES
  G.5 MAINTAINING VALIDATION COMPLIANCE OF SOFTWARE OR FIRMWARE CRYPTOGRAPHIC MODULES
  G.6 MODULES WITH BOTH A FIPS MODE AND A NON-FIPS MODE
  G.7 RELATIONSHIPS AMONG VENDORS, LABORATORIES, AND NIST/CCCS
  G.8 REVALIDATION REQUIREMENTS
  G.9 FSM, SECURITY POLICY, USER GUIDANCE AND CRYPTO OFFICER GUIDANCE DOCUMENTATION
  G.10 PHYSICAL SECURITY TESTING FOR RE-VALIDATION FROM FIPS 140-1 TO FIPS 140-2
  G.11 TESTING USING EMULATORS AND SIMULATORS
  G.12 POST-VALIDATION INQUIRIES
  G.13 INSTRUCTIONS FOR VALIDATION INFORMATION FORMATTING
  G.14 MOVED TO W.14
  G.15 MOVED TO W.2
  G.16 REQUESTING AN INVOICE BEFORE SUBMITTING A REPORT
  G.17 REMOTE TESTING FOR SOFTWARE MODULES
  G.18 LIMITING THE USE OF FIPS 186-2
  G.19 OPERATIONAL EQUIVALENCY TESTING FOR HW MODULES
  G.20 TRACKING THE COMPONENT VALIDATION LIST

SECTION 1 - CRYPTOGRAPHIC MODULE SPECIFICATION
  1.1 CRYPTOGRAPHIC MODULE NAME
  1.2 FIPS APPROVED MODE OF OPERATION
  1.3 FIRMWARE DESIGNATION
  1.4 BINDING OF CRYPTOGRAPHIC ALGORITHM VALIDATION CERTIFICATES
  1.5 MOVED TO A.1
  1.6 MOVED TO A.2
  1.7 MULTIPLE APPROVED MODES OF OPERATION
  1.8 MOVED TO W.13
  1.9 DEFINITION AND REQUIREMENTS OF A HYBRID CRYPTOGRAPHIC MODULE
  1.10 MOVED TO A.3
  1.11 MOVED TO D.1
  1.12 MOVED TO C.1
  1.13 MOVED TO A.4
  1.14 MOVED TO A.5
  1.15 MOVED TO A.6
  1.16 SOFTWARE MODULE
  1.17 FIRMWARE MODULE
  1.18 PIV REFERENCE
  1.19 NON-APPROVED MODE OF OPERATION
  1.20 SUB-CHIP CRYPTOGRAPHIC SUBSYSTEMS
  1.21 PROCESSOR ALGORITHM ACCELERATORS (PAA) AND PROCESSOR ALGORITHM IMPLEMENTATION (PAI)
  1.22 MODULE COUNT DEFINITION
  1.23 DEFINITION AND USE OF A NON-APPROVED SECURITY FUNCTION

SECTION 2 – CRYPTOGRAPHIC MODULE PORTS AND INTERFACES
  2.1 TRUSTED PATH

SECTION 3 – ROLES, SERVICES, AND AUTHENTICATION
  3.1 AUTHORIZED ROLES
  3.2 BYPASS CAPABILITY IN ROUTERS
  3.3 AUTHENTICATION MECHANISMS FOR SOFTWARE MODULES
  3.4 MULTI-OPERATOR AUTHENTICATION
  3.5 DOCUMENTATION REQUIREMENTS FOR CRYPTOGRAPHIC MODULE SERVICES

SECTION 4 - FINITE STATE MODEL

SECTION 5 - PHYSICAL SECURITY
  5.1 OPACITY AND PROBING OF CRYPTOGRAPHIC MODULES WITH FANS, VENTILATION HOLES OR SLITS AT LEVEL 2
  5.2 TESTING TAMPER EVIDENT SEALS
  5.3 PHYSICAL SECURITY ASSUMPTIONS
  5.4 LEVEL 3: HARD COATING TEST METHODS
  5.5 PHYSICAL SECURITY LEVEL 3 AUGMENTED WITH EFP/EFT

SECTION 6 – OPERATIONAL ENVIRONMENT
  6.1 SINGLE OPERATOR MODE AND CONCURRENT OPERATORS
  6.2 APPLICABILITY OF OPERATIONAL ENVIRONMENT REQUIREMENTS TO JAVA SMART CARDS
  6.3 CORRECTION TO COMMON CRITERIA REQUIREMENTS ON OPERATING SYSTEM

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    285 Page