NIST 800-90B Input Data Considerations

Greg McLearnCertifications, Common Criteria, Entropy, FIPS 140-2, Tools

For the past few years, the Common Criteria program has been mandating entropy analysis for almost all protection profile based evaluations.  Since November 2020, NIST 800-90B has also become a mandatory requirement under the FIPS 140-2 and the forthcoming FIPS 140-3 program, meaning there is evaluation of entropy sources in both major North American security standards.  Over the past few years, NIST has been fine-tuning an entropy analysis process to help quantify entropy sources as per the 800-90B standard.  Their work can be found on the NIST public github page.  In addition, new development on a web-based submission process has begun called the “Entropy Source Validation” program (ESV).  This process will accept data from a registered entity and process the entropy source data via the NIST 800-90B entropy analysis tool.

This article focuses on an important, but sometimes overlooked, aspect of the entropy source validation process: ensuring the data is in a format appropriate to be read by the entropy assessment tool.

Read More

Great Place to Work

Jason LawlorLightship News

Lightship Security has been certified as a Great Place to Work®!

This certification process is based on a thorough, independent analysis conducted by the Great Place to Work Institute® Canada.  The certification is a result of direct feedback from employees, provided as part of an extensive and anonymous survey about their workplace experience.

Read More

Funding for NIST CAVP Vendor Software Platform

Jason LawlorACVP, FIPS 140-2, FIPS 140-3

As part of our continued push to modernize the product security certification industry, Lightship Security is pleased to announce that it is receiving advisory services and conditional research and development funding from the National Research Council of Canada Industrial Research Assistance Program (NRC IRAP) supporting a project to develop and launch our innovative client facing cryptographic algorithm testing portal.

Read More

NIST 800-90B Concepts

James RamageEntropy, FIPS 140-2, FIPS 140-3

The claimed entropy source for a FIPS 140 validated module now requires compliance to NIST SP800-90B. This means that any cryptographic module going through FIPS 140-2 or FIPS 140-3 validation needs to adhere to NIST implementation guidance 7.18 – Entropy Estimation and Compliance with SP 800-90B. This post will introduce relevant requirements and cover basic concepts of entropy source validation for a FIPS 140 module.

Read More

The Role of Cryptographic Algorithm Validations in Common Criteria (CAVP FAQ)

Lachlan TurnerACVP, Certifications, Common Criteria, FIPS 140-2, FIPS 140-3

[Updated July 6, 2021 – NIAP requires exact match CPU specs in CAVP certificates]

Most CC evaluations performed in North America include cryptographic security claims called out in the target Protection Profile (PP) that is being used.  Those requirements are met by obtaining validation certificates from the Cryptographic Algorithm Program (CAVP).  The CAVP is a subset of the broader Cryptographic Module Validation Program (CMVP) that validates entire crypto modules against the FIPS 140-2/3 standard (ISO19790).

This post will explore the intersection between CC and FIPS 140 (in North America) and how the CAVP plays a key role in the eventual CC certification of a given product.

Read More

2020 – Hits and Misses

Jason LawlorLightship News

Lightship Security is 5 years old this month.  Time flies building a business through a pandemic.

Last year, we said that we would not go into 2020 resting on our previous success.  Here is what we have achieved:

  • 50%+ increase in technical and operational delivery capacity
  • 100% + revenue growth – marking 5 straight years of at least doubling our business
  • The continued development of industry first tools including solutions for simplified automated algorithm testing through NIST and other technology advances (stay tuned!)
  • The opening of our new lab facilities and HQ expansion in Ottawa.
  • Became one of the top tier FIPS 140 validation test labs in the program by volume of projects in only 2 years since our initial accreditation
  • Continued re-investment into our people, technology development and delivery capabilities
Read More

FIPS 140-2 Validation Queue: The Waiting Game

Jason LawlorFIPS 140-2, FIPS 140-3

A common concern our clients have before undertaking a new FIPS 140-2 validation is understanding the various phases and the overall time it takes to get from start to finish.

One of the ways we manage our clients’ expectations is by letting them know the lab testing portion of the FIPS validation usually accounts for only a fraction of the overall schedule.  The much longer portion of the process (3x to 5x) is simply waiting for the validation report to be reviewed by the Cryptographic Module Validation Program (CMVP). 

Read More

Explicitly Parameterized ECDSA X.509 Certificates

Greg McLearnCommon Criteria

Update 2020-Aug-20: There appears to be a discussion within the OpenSSL project on the semantics of checking the OpenSSL flag we describe below. We are working to clarify this.

NIAP (the US Common Criteria Scheme) recently published a series of technical decisions (TDs) about the use of ECDSA X.509 certificates crossing numerous Protection Profiles. The concern with this new mandatory test is that cryptographic libraries, such as OpenSSL, do not (or may not) reject the requested certificates out of the box, which is now required. This means vendors will have to implement another customized check for X.509 certificates in order to be conformant to a number of Protection Profiles.

Read More

Multi-CA Capable OCSP Responder in OpenSSL

Greg McLearnCommon Criteria, Tools

At Lightship, we use a lot of open-source tools to perform our testing. Because of the nature of the tests we perform, we often find that these tools can be a bit too rigid. One specific example is that of the ocsp sub-tool provided in the apps directory of OpenSSL. In this blog post, we will describe the changes we made to the OCSP responder subtool and point to our implementation on github for your use and consideration.

Read More