In this multi-part Lightship Security video tutorial series geared toward vendors who are new to FIPS 140-2, we discuss the “origins” of a cryptographic module and the design requirements for FIPS 140-2 compliance. The tutorial also touches on self-tests and the concept of FIPS 140-2 “modes of operation” including Approved, non-Approved, and Mixed Modes. Stay tuned for further installments.
Read More
Edit 20-March-2019: NIAP published a v1.1 of the Functional Package which addresses many of the item discussed in this blog. The title of the blog is updated and ambiguities previously found are corrected where they’ve been addressed.
NIAP recently released their first, and widely anticipated, modular protection profile package targeting the TLS communication protocol. This package is not meant to stand on its own and is designed to be included within new versions of NIAP protection profiles. While it is unlikely to be explicitly referenced by collaborative Protection Profiles (cPP), the requirements will almost certainly be highly similar.
Read More
We took a strategic decision early on at Lightship Security to focus our initial Greenlight development efforts on automating the tests specified by the Network Device collaborative Protection Profile (NDcPP). There are two main reasons for this:
Now, we have automated the testing not only for NDcPP but also several other Protection Profiles by virtue of this SFR re-use. Below we present an analysis of the re-use of NDcPP requirements across NIAP Approved Protection Profiles (all but a few).
NDcPPv2.1 is hot off the presses from the Network iTC. It is yet to be officially accepted by NIAP for PCL usage however this is probably not too far off, perhaps with some minor tweaks (the new NTP SFR being something to watch).
Here are some notes from our initial review:
Since this article was posted, the international Network Interpretations Team has issued RFI 201824 stating that the send and receive keys can be independently rekeyed. Therefore, the requirement that the ‘aggregate’ traffic be counted is no longer mandated according to the iTC. NIAP has yet to endorse RFI 201824, meaning that still, as of April 2, 2019, NIAP still requires the aggregate be counted.
In the current version of the NDcPP there is a cryptographic Security Functional Requirement (SFR) called FCS_SSH*_EXT.1.8. On the face of it, FCS_SSH*_EXT.1.8 is a fairly straightforward SFR with a relatively straightforward means to enforce it:
FCS_SSHS_EXT.1.8: The TSF shall ensure that within SSH connections the same session keys are used for a threshold of no longer than one hour, and no more than one gigabyte of transmitted data. After either of the thresholds are reached a rekey needs to be performed.
However, it is vitally important to read the application note (Application Note 102 in NDcPP v2.0+20180314) that follows this SFR element, because one small detail appears to be catching vendors by surprise:
For the maximum transmitted data threshold, the total incoming and outgoing data needs to be counted.
Read More
In this short video tutorial, we examine the freely available FIPS 140-2 test suite which is part of the OpenSSL FIPS Object Module development package.
Undertaking a Common Criteria (CC) evaluation should not be an opaque process from a timing, process or cost perspective. In this post, the testing experts at Lightship provide 6 practical tips to ensure that you are getting the best value and outcomes for your certification dollar. The following is targeted primarily at Protection Profile (PP) based evaluations, but most also apply to Security Target (EAL) based projects.
Lightship Security Director of Consulting, Lachlan Turner, was nominated by the Government of Canada to participate in the International Atomic Energy Agency (IAEA) Technical Meeting on Reducing Cyber Risks in the Supply Chain which was held at IAEA’s Headquarters in Vienna, Austria, from 25 to 29 June 2018. Lachlan attended along with some 110 other delegates from around the world. Delegates included nuclear regulators, operators, suppliers and various other industry representatives.Read More
Or, maybe it is. In reality, the answer is that all automation is scripting but not all scripting is automation. Automation is really a maturation or evolution of scripting. Calculators script the mathematical principles defined by Thales, Pythagoras, Euclid and Archimedes. To-do applications script the act of making a list of tasks on a piece of paper and scratching them off. The directions given by Google Maps on a road trip script the job normally performed by the person with a paper map sitting in the passenger seat.
