Blog | Page 3 | Lightship Security

Beyond the testing: FIPS 140-3 documentation inputs

Grace Grundy and Jason Cunningham May 26, 2021Entropy, FIPS 140-2, FIPS 140-3

First time vendors to the FIPS 140 validation process are often not aware of the scope of supporting documentation and evidence required. These documentation inputs are integral to the lab being able to perform and finalize the full validation process.

The set of documents described below provide the testers with in an in-depth description, with evidence, of how a cryptographic implementation complies with the FIPS 140 standard and the most current Implementation Guidance (IG) from the CMVP. The core documents are the first thing the Lab will evaluate and ultimately forms the basis of the report that the CMVP assesses in consideration of awarding the validation. As an independent third-party, laboratories are not permitted to author original design documentation for cryptographic modules under test. As such, it’s important for vendors to plan their FIPS strategy in advance to determine if they should “build or buy” the documentation / consulting support that will be required. Generating adequately detailed documentation and design information can be time-consuming and onerous depending on your experience and the complexity of the module being validated. This effort should not be underestimated and needs to be factored into the overall cost and effort of undertaking a FIPS 140 validation.

Product Development. What’s Assurance Got To Do With It?

Garrett Nickel April 28, 2021Common Criteria

Observations from a CC newcomer

If you’re new to Common Criteria (CC), you might be feeling a little overwhelmed and find yourself wondering if the effort in performing the certification is really worth it. As a newcomer to the industry myself, I can relate. However, as I learn more about the process, I can also tell you that it can be a worthwhile investment for an organization on many levels.

At first glance, you might think that CC is just another framework or standard that requires yet another “audit”. While it is an international standard (ISO/IEC 15408), the real difference vs many other frameworks lies within the core of what Common Criteria is all about. Product Assurance.

FIPS 140-3 Is Here!

Jason Lawlor and James Ramage April 27, 2021FIPS 140-3

The countdown is on. As of September 22, 2021, FIPS 140-2 will be sunset and only FIPS 140-3 validations can be submitted to the Cryptographic Module Validation Program (CMVP). In this latest post, we cover the key differences in the versions and where to find additional information.

Ottawa’s Fastest Growing Companies 2021

Jason Lawlor March 29, 2021Lightship News

Lightship Security has been named as one of Ottawa’s Fastest Growing Companies for 2021.

Every year, the Ottawa Business Journal (OBJ) recognizes 10 regional companies for their substantial, sustainable, and profitable growth.

Fueled by continued innovation, reinvestment, and a good dose of grit – we have bootstrapped our way to substantial growth over a three-year period to earn a spot on the 2021 list. This is the second year in a row (the awards were postponed in 2020 due to Covid) that Lightship has made the top 10.

Mitigating risk for our clients through our modernized approach to 3rd party product security certifications has resulted in 5 straight years of more than 100% growth.

NIST 800-90B Input Data Considerations

Greg McLearn March 8, 2021Certifications, Common Criteria, Entropy, FIPS 140-2, Tools

For the past few years, the Common Criteria program has been mandating entropy analysis for almost all protection profile based evaluations. Since November 2020, NIST 800-90B has also become a mandatory requirement under the FIPS 140-2 and the forthcoming FIPS 140-3 program, meaning there is evaluation of entropy sources in both major North American security standards. Over the past few years, NIST has been fine-tuning an entropy analysis process to help quantify entropy sources as per the 800-90B standard. Their work can be found on the NIST public github page. In addition, new development on a web-based submission process has begun called the “Entropy Source Validation” program (ESV). This process will accept data from a registered entity and process the entropy source data via the NIST 800-90B entropy analysis tool.

This article focuses on an important, but sometimes overlooked, aspect of the entropy source validation process: ensuring the data is in a format appropriate to be read by the entropy assessment tool.

Great Place to Work

Jason Lawlor February 25, 2021Lightship News

Lightship Security has been certified as a Great Place to Work®!

This certification process is based on a thorough, independent analysis conducted by the Great Place to Work Institute® Canada. The certification is a result of direct feedback from employees, provided as part of an extensive and anonymous survey about their workplace experience.

Funding for NIST CAVP Vendor Software Platform

Jason Lawlor February 18, 2021ACVP, FIPS 140-2, FIPS 140-3

As part of our continued push to modernize the product security certification industry, Lightship Security is pleased to announce that it is receiving advisory services and conditional research and development funding from the National Research Council of Canada Industrial Research Assistance Program (NRC IRAP) supporting a project to develop and launch our innovative client facing cryptographic algorithm testing portal.

NIST 800-90B Concepts

James Ramage February 16, 2021Entropy, FIPS 140-2, FIPS 140-3

The claimed entropy source for a FIPS 140 validated module now requires compliance to NIST SP800-90B. This means that any cryptographic module going through FIPS 140-2 or FIPS 140-3 validation needs to adhere to NIST implementation guidance 7.18 – Entropy Estimation and Compliance with SP 800-90B. This post will introduce relevant requirements and cover basic concepts of entropy source validation for a FIPS 140 module.

The Role of Cryptographic Algorithm Validations in Common Criteria (CAVP FAQ)

Lachlan Turner February 8, 2021ACVP, Certifications, Common Criteria, FIPS 140-2, FIPS 140-3

[Updated July 6, 2021 – NIAP requires exact match CPU specs in CAVP certificates]

Most CC evaluations performed in North America include cryptographic security claims called out in the target Protection Profile (PP) that is being used. Those requirements are met by obtaining validation certificates from the Cryptographic Algorithm Program (CAVP). The CAVP is a subset of the broader Cryptographic Module Validation Program (CMVP) that validates entire crypto modules against the FIPS 140-2/3 standard (ISO19790).

This post will explore the intersection between CC and FIPS 140 (in North America) and how the CAVP plays a key role in the eventual CC certification of a given product.

2020 – Hits and Misses

Jason Lawlor December 24, 2020Lightship News

Lightship Security is 5 years old this month. Time flies building a business through a pandemic.

Last year, we said that we would not go into 2020 resting on our previous success. Here is what we have achieved:

50%+ increase in technical and operational delivery capacity
100% + revenue growth – marking 5 straight years of at least doubling our business
The continued development of industry first tools including solutions for simplified automated algorithm testing through NIST and other technology advances (stay tuned!)
The opening of our new lab facilities and HQ expansion in Ottawa.
Became one of the top tier FIPS 140 validation test labs in the program by volume of projects in only 2 years since our initial accreditation
Continued re-investment into our people, technology development and delivery capabilities