follow-us

FIPS 140-2/3 News

Jason Lawlor ACVP, FIPS 140-2, FIPS 140-3

FIPS 140-2/3 Newsletter – June 23, 2020

2020 continues to bring several significant changes to the FIPS 140 program landscape.  Evolving algorithm and program transitions happening this year make it hard for vendors to stay up to date on all of the various activities and deadlines. To help, we provide our FIPS clients with regular updates on programmatic status and highlight possible areas that will impact existing or pending validation efforts.

Breaking FIPS 140-2 Update: On June 23rd, the CMVP announced the following important transition reminders and updates to a few key algorithms such as NIST SP 800-56A Rev. 3

Please confer with the testing experts at Lightship Security to determine how this announcement impacts any current or planned FIPS 140-2 validation project.

From the CMVP:

The following is a list of upcoming algorithm transitions, along with their dates and actions that will be taken because of the transition. 

FIPS 186-2 -> FIPS 186-4 (Per IG G.18)  

  • Transition date of September 1, 2020.  On September 1, 2020 all modules tested to FIPS 186-2 for any RSA-based functionality other than signature verification (with any modulus length) and signature generation with nlen=4096 will be moved to the historical list.  Please see IG G.18 for more details.    

(Note: Modules that support testing to FIPS 186-2 RSA SigGen only at 4096-bit modulus size will not be moved to the historical list because FIPS 186-4 SigGen testing at 4096-bit modulus was not made available until ACVP was later developed and 4096-bit testing was only available in FIPS 186-2 form via CAVS.)

SP 800-90B (per IG 7.18)

  • Transition date of November 7, 2020.  After November 7, 2020 the new submissions and the revalidations extending the lifetime of the module shall demonstrate compliance to SP 800-90B (if entropy estimation is applicable per IG 7.14). 
  • NDRNGs will be grandfathered, i.e. they will be allowed to be used in Approved Mode.  Modules using them will remain on the active list.

IG D.8 (SP 800-56Arev3 and SP 800-56Brev2) – Key Agreement

  • January 1, 2021 – The CMVP will not accept modules submissions with non-56Arev3 and non-56Brev2 compliant implementations in Approved Mode.
  • January 1, 2022 – The CMVP will move all modules with non-56Arev3-compliant implementations in Approved mode to the historical list.
  • January 1, 2024 – The CMVP will move all modules with non-56Brev2-compliant implementations in Approved mode to the historical list. 
  • The CMVP will allow modules with non-56Arev3-compliant implementations in Approved Mode to get validated after January 1, 2021, as long as the module submission was before January 1, 2021.  
  • The CMVP will allow modules with non-56Brev2-compliant implementations in Approved Mode to get validated after January 1, 2021, as long as the module submission was before January 1, 2021.  

IG D.9 (SP 800-56Brev2) – Key Transport

  • January 1, 2021 – The CMVP will not accept modules submissions with non-56Brev2 compliant implementations, with the only exception being if the scheme only uses a PKCS#1-v1.5 padding scheme as shown in Section 8.1 of RFC 2313. 
  • The CMVP will allow modules with non-56Br2 compliant implementations and non-PKCS#1-v1.5 schemes to get validated after January 1, 2021, as long as the module submission was before January 1, 2021. 
  • January 1, 2024 – The CMVP will move all modules with non-56Brev2 compliant implementations in Approved Mode to the historical list.

Triple-DES (SP 800-67 Rev2)

  • January 1, 2024 – The CMVP will move all modules that support Triple-DES Encryption in the Approved Mode to the historical list. 
  • The Triple-DES decryption, including its use in key unwrapping, will continue to be approved (for legacy use only) after December 31, 2023.

If you need any support with your FIPS validation requirements or would like to be on our FIPS newsletter distribution list, drop us a line at info@lightshipsec.com


FIPS 140-2/3 Newsletter – June 9, 2020

2020 is bringing several significant changes to the FIPS 140 program landscape.  After years of being relatively static, this year marks the transition to the long-awaited new version of the standard – FIPS 140-3.  Also new for this year is the rollout of the Automated Cryptographic Validation Testing System (ACVTS) starting in July. This marks a significant change in the process for how vendors need to validate their cryptographic algorithms going forward.  

These changes, plus the numerous algorithm transitions happening this year make it hard for vendors to stay up to date on all of the various activities and deadlines.  To help, we provide our FIPS clients with regular updates on programmatic status and highlight possible areas that will impact existing or pending validation efforts.

FIPS-related updates and reminders for June 11, 2020:

  1. The CMVP are now granting an extension of permission to do remote testing until August 31, 2020.  They will continue to monitor the situation and update this guidance as needed.  For vendors, this means that functional testing may be completed remotely by the lab to avoid travel during COVID19.
  2. The Cryptographic Module Users Forum (CMUF) have a new website (https://www.cmuf.org) which is now up and running.  Check it out!
  3. NIST Special Publication (SP) 800-133 Rev. 2, Recommendation for Cryptographic Key Generation – now available here: https://csrc.nist.gov/publications/detail/sp/800-133/rev-2/final – See “Appendix A: Revisions” for details.
  4. Cryptographic Algorithm Validation Program (CAVP) retirement and transition to ACVTS :

If you need any support with your FIPS validation requirements or would like to be on our FIPS newsletter distribution list, drop us a line at info@lightshipsec.com