ESV and Me!

James RamageEntropy, FIPS 140-3

As of November 7, 2020, the Cryptographic Module Validation Program (CMVP) required that all FIPS 140-2 and FIPS 140-3 module validation submissions include documentation justifying conformance of the entropy source to NIST SP 800-90B, if the module is “either generating the entropy itself or it is making a call to request the entropy from a well-defined source”. Compliance documentation would include an Entropy Assessment Report (EAR) and statistical testing of entropy data samples using the NIST 90B Test Tool.

Read More
ESV-ENT-FIPS140-3

Entropy Validation in FIPS 140-3 (ENT vs ESV)

Ryan ThomasEntropy, FIPS 140-3

To get an entropy source approved under FIPS 140-3 there are two options:

  1. ENT (P) or ENT (NP) entry on the FIPS module validation certificate (until October 1st, 2022)
  2. ESV certificate awarded by NIST’s Entropy Source Validation Testing (ESVT)

This blog post will address these entropy validation requirements in FIPS 140-3. We’ll provide details on the differences between the “ENT” validation certificate entry and Entropy Source Validation or “ESV” certificates. Relevant NIST Special Publications (SPs), important Implementation Guidance (IG) and links to templates and other important references will also be provided.

Read More

Five Steps to Algorithm (CAVP) Validations at Lightship

Gillian Bedrosian and Dennis MomyACVP, FIPS 140-2, FIPS 140-3

Algorithm validation testing is a critical path issue for FIPS 140-3 validations and for NIAP Protection Profile-based Common Criteria evaluations.  Equipment vendors are often surprised at the level of effort and the potential challenges in successfully completing the algorithm testing process.

At Lightship, we have developed a suite of tools to allow us to standardize, simplify and streamline the process to obtain CAVP (Cryptographic Algorithm Validation Program) validation.

This post will outline each of the steps in addition to identifying where we will require input from the vendor.

Read More

Vulnerabilities and FIPS 140-3

James RamageFIPS 140-3

Our previous article discussed how vulnerabilities are dealt with under the Common Criteria certification program in North America. All commercial product assurance programs deal with flaws and vulnerabilities in different ways, often with overlapping requirements, techniques and outcomes.

In this article, James Ramage of the Lightship Security FIPS team talks about how vulnerabilities are handled for FIPS 140-3 validations.

Read More

Vulnerabilities and Common Criteria

Greg McLearnCommon Criteria

No computing system is free from security vulnerabilities. Such flaws can manifest themselves within software, firmware and hardware implementations. Often the ease in widespread mitigation is based in part on whether a vendor can provide updates to software (relatively easy), firmware (a bit harder), or whether a new version of hardware needs to be deployed (very difficult). The constraints and goals of point-in-time security certification programs such as Common Criteria (CC) and FIPS 140-3 can often conflict with the need to correct such security deficiencies. With the recent disclosure of CVE-2021-44228 (a remote code exploit [RCE] in the widely deployed log4j component in Java-based products), questions often come up as to how such vulnerabilities are handled within certain certification programs.

Read More
whats-new-app-protection-profile

What’s New In App PP v1.4

Marina IbrishimovaCommon Criteria

The Protection Profile for Application Software (APP PP) v1.4 has recently been published. Here are some key points from our initial review.

  • PP-Modules. Vendors are now allowed to specify additional protection profiles (PPs) and PP-Modules in a PP-Configuration with APP PP v1.4. Previously, only PP-Module for VPN Clients was allowed to be claimed with this PP.
  • SSH. Functional package for Secure Shell (SSH) v1.0 was added to APP PP v1.4. The Extended Package for Secure Shell (SSH) v1.0, which is about to sunset on November 13th, 2021, is superseded by the Functional Package for Secure Shell (SSH).
  • MEC. An optional selection to include FDP_PRT_EXT.1 from the PP-module for file encryption was added to FMT_MEC_EXT.1.
  • X509. Clarifications on when FIA_X509_EXT.1/2 need to be claimed.
Read More

Understanding the IUT and MIP Lists and Their Wait Times

Gillian BedrosianFIPS 140-2, FIPS 140-3

The most common question we receive from clients on the FIPS Validation process is: “after my validation report has been sent to the Cryptographic Module Validation Program (“CMVP”), how long will it take to complete the Validation?”. This post outlines the various stages for a module to be validated in the CMVP’s review process, as well as the average duration of each stage.

Read More

Beyond the testing: FIPS 140-3 documentation inputs

Grace Grundy and Jason CunninghamEntropy, FIPS 140-2, FIPS 140-3

First time vendors to the FIPS 140 validation process are often not aware of the scope of supporting documentation and evidence required. These documentation inputs are integral to the lab being able to perform and finalize the full validation process.

The set of documents described below provide the testers with in an in-depth description, with evidence, of how a cryptographic implementation complies with the FIPS 140 standard and the most current Implementation Guidance (IG) from the CMVP.  The core documents are the first thing the Lab will evaluate and ultimately forms the basis of the report that the CMVP assesses in consideration of awarding the validation. As an independent third-party, laboratories are not permitted to author original design documentation for cryptographic modules under test.  As such, it’s important for vendors to plan their FIPS strategy in advance to determine if they should “build or buy” the documentation / consulting support that will be required.  Generating adequately detailed documentation and design information can be time-consuming and onerous depending on your experience and the complexity of the module being validated.  This effort should not be underestimated and needs to be factored into the overall cost and effort of undertaking a FIPS 140 validation.  

Read More

Product Development. What’s Assurance Got To Do With It?

Garrett NickelCommon Criteria

Observations from a CC newcomer

If you’re new to Common Criteria (CC), you might be feeling a little overwhelmed and find yourself wondering if the effort in performing the certification is really worth it. As a newcomer to the industry myself, I can relate. However, as I learn more about the process, I can also tell you that it can be a worthwhile investment for an organization on many levels.

At first glance, you might think that CC is just another framework or standard that requires yet another “audit”. While it is an international standard (ISO/IEC 15408), the real difference vs many other frameworks lies within the core of what Common Criteria is all about. Product Assurance.

Read More

FIPS 140-3 Is Here!

Jason Lawlor and James RamageFIPS 140-3

The countdown is on. As of September 22, 2021, FIPS 140-2 will be sunset and only FIPS 140-3 validations can be submitted to the Cryptographic Module Validation Program (CMVP). In this latest post, we cover the key differences in the versions and where to find additional information.

Read More