On the Road with Mobile Certifications

Greg McLearn | Certifications, Humour

At Lightship Security, we are all about certifying at the speed of development.  Therefore, we are proud to announce our new mobile certifications laboratory.  With over 1200 cubic feet of interior high-tech laboratory goodness, we can handle even your most demanding certification needs.  The 10-cylinder, 350 horsepower motor will have us rolling into your neighbourhood before the ink dries on the contract.

Look for Lightship Security Mobile Certifications near you.  For more information about this amazing industry-first service, click here.

How to get on the NIAP Product Compliant List (PCL)

Lachlan Turner | Certifications, Common Criteria

Many vendors seeking to sell hardware or software to the U.S. Government, particularly to defense and intelligence agencies, will find that cyber security product certification is mandated by federal procurement requirements (CNSSP 11) for these environments. We know, because many of our clients come to us for this very reason – fast, efficient, low risk evaluations that ultimately end up on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL).

Read More

Lightship Security interview with Ottawa Business Journal

Lachlan Turner | Certifications, Lightship News

Our President Jason Lawlor talks with the Ottawa Business Journal to explain what Lightship Security is all about. Interview topics include:

  • An introduction to Lightship Security… and why the name Lightship?
  • Product certification and Common Criteria overview
  • Certification at the Speed of Development using our Greenlight test automation platform
  • Lightship Security innovation and growth strategy

Gathering Raw Unconditioned Entropy in a Live Linux System

Greg McLearn | Entropy, Tools

As part of our continued product development efforts supporting assurance modernization, the Lightship team sometimes develops useful experimental tools or proofs of concept. A while ago we developed a proof of concept to extract raw unconditioned entropy from a live running Linux system, using the SystemTap API to produce loadable kernel modules. This was done as an exercise to explore Linux entropy characteristics. The code has been sitting around relatively unused, so we’ve decided to open it up under the GPL. It has been cleaned up a bit with additional informative comments, but this is proof-of-concept code with no warranty of fitness. You can find it on our GitHub account.
Read More

Quantitative Analysis of Entropy

Greg McLearn | Entropy

[Jan 12, 2018 update: With the final release of NIST SP 800-90B, we’ve updated this post to reflect the new published status of this NIST SP as well as to correct any differences between rev2 and the final publication.]

It had been almost two years since NIST SP 800-90B, draft 2 was released. When the final special publication was released on January 10, 2018, we hadn’t expected it to change as dramatically as it did between draft 1 and draft 2. After a cursory review, it appears there are only minor changes to the quantitative elements. With the new published status, we expect many Common Criteria schemes — if they don’t already — to soon mandate quantitative analysis of the raw entropy source.

While SP 800-90B was in draft form, North American schemes (NIAP and CSE) permitted labs to evaluate either a quantitative analysis (if available) or a qualitative analysis of a vendor’s entropy source. Qualitative analysis is usually relied upon when raw entropy is not easily obtained (such as from hardware sources or from closed-source systems), but it is often onerous to author and inefficient to get through evaluation. By contrast, quantitative analysis can bypass lengthy discussions on the merits of otherwise opaque hardware and software constructs and quantify the raw entropy as a single number. In this technical post, we discuss one structured approach to quantitative analysis of a raw entropy source.

Read More

Code for NIST Entropy Health Testing

Greg McLearn | Entropy, Tools

[Jan 12, 2018 update: With the final release of NIST SP 800-90B, we’ve updated the sample health test code to match the minor changes between rev2 and the final version.  The narrative of this post with respect to requirements for Common Criteria has been updated below as well to reflect the new published status of this NIST SP.]

In Common Criteria, there has been increasing emphasis on the evaluation of the entropy used by manufacturers in the development and deployment of their systems. The following post discusses considerations and approaches for entropy health testing.

Health testing is, of course, necessary to ensure the proper functioning of the noise source feeding the critical components of a cryptographic system. Therefore, if a vendor is investing resources in ensuring a strongly seeded DRBG, some effort should also be expended on some form of health testing.

Read More

Agile Assurance: Modernizing IT Product Certification

Lachlan Turner | Certifications

In an agile development model, software is developed in incremental, rapid cycles with the goal of continuous improvement, fast flaw remediation and improved customer experience. Agile models advocate adaptive planning, evolutionary development, early delivery, fast iterations, and rapid response to change.

Can modern product assurance programs be designed to keep pace with agile development? At Lightship Security, we think so. In fact, we’ve made it our mission: Certification at the speed of development. We believe that a shift to “agile assurance” is a necessary step towards restoring trust and credibility to the cyber supply chain.

In this post, we are concerned with options to improve assurance outcomes provided by internationally adopted product certification programs. As a company, our focus is on developing solutions that support a modernized approach to product certification. This includes moving our industry towards agile assurance using contextual automation and supporting methodologies – we want to disrupt product certification as we know it.

Read More

NDcPP – The devil is in the details

Lachlan Turner | Common Criteria

In this post, we identify some common problem areas for vendors complying with the Network Device Collaborative Protection Profile (NDcPP). We’ll discuss how Lightship has adjusted to the new reality that every product going against the very prescriptive NDcPP will have gaps because of the strict level of conformance required – even if the same product was tested against a previous version of NDPP / NDcPP.

Read More