Blog - Lightship Security

FIPS 140-2/3 News

James Ramage October 2, 2020 ACVP, FIPS 140-2, FIPS 140-3

Updates – October, 2020

FIPS 140-3 is Here!

In this latest installment of our FIPS blog, we will cover key transition dates, available training and the list of documentation inputs needed for a FIPS 140-3 validation.

FIPS 140-2 Validation Queue: The Waiting Game

Jason Lawlor September 1, 2020 FIPS 140-2, FIPS 140-3

A common concern our clients have before undertaking a new FIPS 140-2 validation is understanding the various phases and the overall time it takes to get from start to finish.

One of the ways we manage our clients’ expectations is by letting them know the lab testing portion of the FIPS validation usually accounts for only a fraction of the overall schedule. The much longer portion of the process (3x to 5x) is simply waiting for the validation report to be reviewed by the Cryptographic Module Validation Program (CMVP).

Explicitly Parameterized ECDSA X.509 Certificates

Greg McLearn July 20, 2020 Common Criteria

Update 2020-Aug-20: There appears to be a discussion within the OpenSSL project on the semantics of checking the OpenSSL flag we describe below. We are working to clarify this.

NIAP (the US Common Criteria Scheme) recently published a series of technical decisions (TDs) about the use of ECDSA X.509 certificates crossing numerous Protection Profiles. The concern with this new mandatory test is that cryptographic libraries, such as OpenSSL, do not (or may not) reject the requested certificates out of the box, which is now required. This means vendors will have to implement another customized check for X.509 certificates in order to be conformant to a number of Protection Profiles.

Multi-CA Capable OCSP Responder in OpenSSL

Greg McLearn June 7, 2020 Common Criteria, Tools

At Lightship, we use a lot of open-source tools to perform our testing. Because of the nature of the tests we perform, we often find that these tools can be a bit too rigid. One specific example is that of the ocsp sub-tool provided in the apps directory of OpenSSL. In this blog post, we will describe the changes we made to the OCSP responder subtool and point to our implementation on github for your use and consideration.

Improving Product Security Through Protection Profiles

Greg McLearn May 19, 2020 Certifications, Common Criteria

It’s surprising to think that new-style Common Criteria Protection Profiles have been around in some way shape, or form, since late 2010, when the first Network Devices Protection Profile (NDPP) v1.0 was released by the Information Assurance Directorate (IAD) for use in the National Information Assurance Partnership (NIAP). The NDPP v1.0 was unique and represented a dramatic shift in policy and function for Common Criteria evaluations.

In this post, we will examine the positive effects that new-style protection profiles have had in product security over the last (almost) 10 years.

Comparing CAVP and ACVP – Test Harness Implications

Alex Thurston February 10, 2020 ACVP, Certifications, FIPS 140-2

As the legacy CAVP algorithm testing program is put to pasture and the newer automated testing program – ACVP takes its place, there are several questions, concerns and design considerations to think about. Foremost among them is how testing will work going forward and what it means for vendors and their existing implemented algorithm test harnesses.

One of the questions that often comes up here at Lightship is how does an existing test harness need to change to support the JSON formatted ACVP test vector sets and also to produce the needed response files. Because many vendors have an existing test harness based on the legacy program, they now have to redesign their harness for this new program which becomes mandatory on July 1, 2020.

What’s New in NDcPP v2.2?

Lachlan Turner February 5, 2020 Certifications, Common Criteria

The Network Device international Technical Community recently (in December 2019) published version 2.2 of the collaborative Protection Profile for Network Devices – aka – NDcPP. The NDcPP is the most often used Common Criteria Protection Profile to achieve listing on the NIAP Product Compliant List (PCL ).

NIAP are yet to formally endorse NDcPP v2.2 (UPDATE March 27, 2020: NIAP has now endorsed v2.2E which is basically the same as v2.2 but some front-matter changed) however it shouldn’t be too far off now – perhaps another month or so. With that in mind, it is useful to consider what has changed between v2.1 and v2.2 of the NDcPP. So, here are the main changes:

NIAP Requests for a Mitigation Plan

Lachlan Turner December 11, 2019 Certifications, Common Criteria

Vendors with products on NIAP’s Common Criteria Product Compliant List (PCL) may from time-to-time receive a request from NIAP for a mitigation plan addressing a given widespread vulnerability (e.g. Meltdown, Spectre etc.). This is in keeping with NIAP Policy 17 which is intended to “ensure products receiving a NIAP Common Criteria certificate do not contain known vulnerabilities”.

Happy Birthday – So What?

Jason Lawlor December 9, 2019 Lightship News, Uncategorized

Lightship Security is 4 years old this month. Since our founding, we have remained steadfast in our commitment to building a strong, profitable and growing platform to support our international client base. Why does this matter? Given the recent churn in the product certification industry, including evolving standards and the shuttering of multiple long-standing labs, Vendors are more than ever looking for a stable, committed and technically capable certification partner going into the next decade.

Lightship can be that partner:

Automated Algorithm Testing Tutorial

Jason Lawlor November 14, 2019 ACVP, FIPS 140-2

Lightship is ready to support our clients with their Automated Cryptographic Validation Program (ACVP) testing requirements. If you are curious about the program, here’s a short primer on how the process is going to work: