Vendors are increasingly looking to leverage OpenSSL 3.x as their cryptographic module of choice within their products. At the same time, entropy continues to a be a focus in both FIPS 140-3 and Common Criteria projects. For those transitioning from …
Lightship has released, as open source, an ACVP vector test harness for OpenSSL 3.x. The code can be found in our GitHub repository at https://github.com/lightshipsec/ls-acvp-harness. The README.md contains the current capabilities which we expect to update and maintain. At the …
No computing system is free from security vulnerabilities. Such flaws can manifest themselves within software, firmware and hardware implementations. Often the ease in widespread mitigation is based in part on whether a vendor can provide updates to software (relatively easy), …
For the past few years, the Common Criteria program has been mandating entropy analysis for almost all protection profile based evaluations. Since November 2020, NIST 800-90B has also become a mandatory requirement under the FIPS 140-2 and the forthcoming FIPS …
Update 2020-Aug-20: There appears to be a discussion within the OpenSSL project on the semantics of checking the OpenSSL flag we describe below. We are working to clarify this. NIAP (the US Common Criteria Scheme) recently published a series of …
At Lightship, we use a lot of open-source tools to perform our testing. Because of the nature of the tests we perform, we often find that these tools can be a bit too rigid. One specific example is that of …
It’s surprising to think that new-style Common Criteria Protection Profiles have been around in some way shape, or form, since late 2010, when the first Network Devices Protection Profile (NDPP) v1.0 was released by the Information Assurance Directorate (IAD) for …
OpenSSL is used in some part by an overwhelmingly large percentage of the enterprise vendor community. Those vendors which need to go through FIPS 140-2 or Common Criteria may find themselves needing to perform algorithm testing and may be presented …
When first exposed to the Network Device collaborative Protection Profile (NDcPP), vendors are often surprised by the extremely narrow scope. It is critical to realize that the Protection Profile (PP) refers to an abstract “network device” with required functionality that …
Conan Hoye and Greg McLearn contributed to this article. At Lightship, we test a lot of NDcPP-compliant products. As part of those evaluations, we are required, as per Appendix A in the Supporting Document, to perform network fuzzing against the …
