FIPS Validation: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
mNo edit summary
Line 3: Line 3:
Softoken is a component of [[NSS]], and has a separate version number. The most recent FIPS validated Softoken is 3.11.4 and is in '''NSS 3.11.4''' and '''NSS 3.11.5'''.
Softoken is a component of [[NSS]], and has a separate version number. The most recent FIPS validated Softoken is 3.11.4 and is in '''NSS 3.11.4''' and '''NSS 3.11.5'''.


NSS softoken has completed FIPS 140 validation four times: 1997, 1999, 2002, and 2007. View [[ http://www.mozilla.org/projects/security/pki/nss/fips/ | NSS FIPS validation history ]] here.  This page documents our recent NSS FIPS 140 validation.
NSS softoken has completed FIPS 140 validation four times: 1997, 1999, 2002, and 2007. View [[ http://www.mozilla.org/projects/security/pki/nss/fips/ | NSS FIPS validation history ]] here.   
 
This page documents our current NSS FIPS 140 validation.


==Updates==
==Updates==
Line 9: Line 11:
Spring/Summer 2009 FIPS 140 validation will be based on Softoken 3.12.x  
Spring/Summer 2009 FIPS 140 validation will be based on Softoken 3.12.x  


=== Platforms for 2009 ===
== Platforms for 2009 ==
* Level 1
* Level 1
** Windows XP Service Pack 2
** Windows XP Service Pack 2
Line 21: Line 23:
** Solaris 10 64-bit x86_64
** Solaris 10 64-bit x86_64


=== Schedule ===


{| border="1" cellpadding="2" summary="schedule table"
|-
! Milestone !! Item !! Deps !! Time !! Who !! Completed
|-
| M1 || Initial Setup || || || ||
|-
| 1a || Choose validation Lab, approve costs, and sign NDA || all ||  || all ||  [http://www.atlanlabs.com/ Atlan] 
|-
| 1d || Define Algorithms, Key Sizes and modes || || || || 
|-
| M2 || Complete NSS 3.12 FIPS dependant bugs  || || || ||
|-
| M3  || Update documentation (numbers in parentheses refer to sections in FIPS documentation) || || || || 
|-
| 3a. || (1.0) Security policy, new algorithms || 1d || 2 wks || all ||
|-
| 3b. || Generate annotated source tree (LXR -> HTML) || M2 || || ||
|-
| 3c. || (2.0) Finite State Machine || 3b || 3 wks || ||
|-
| 3d. || (3.0/4.0) Cryptographic Module Definition || 3b ||  2 wks || ||
|-
| 3e. || (6.0) Software Security (rules-to-code map) || 3b || 2 wks || ||
|-
| 3f. || (8.0) Key Management Generate 20K random #'s || || 1 day || || 
|-
| 3g. || (9.0) Cryptographic Algs || 3a || 3 days || ||
|-
| 3h. || (10.0) Operational Test Plan || || 1 day || || 
|-
| 3i. || Document architectural changes between 3.2 and 3.11 ||  || 5 days || || 
|-
| M4 || Send docs to testing lab  || || || ||
|-
| 4a. || Security Policy || || all ||  ||
|-
| 4b. || Finite State Machine || 3c || || || 
|-
| 4c. || Module Def. / rules-to-code || 3d,3e || || ||
|-
| M5  || Operational validation || || || ||
|-
| 5a. || Algorithm testing || || 1 month || || 
|-
| 5b. || Operational testing || 3h || 1 week || ||
|-
| 5c || set up machines for Lab to run operational tests on, provide Lab tech with access to machines (last time we both sent a box to the lab and set up a temporary account in the intranet for them)  || || || ||
|-
| M6 || Internal QA of docs || M2-M5 || 1 week || all ||
|-
| M7 || Communication between NSS team / Lab / NIST about status of validation / algorithm certificates || M1-5 || 3-6 mos || all ||
|}
<BR>


=== Algorithms ===  
== Algorithms ==


Plan is to validate all FIPS-approved algorithms that NSS implements and NIST has tests for. There are eight such algorithms. Previous certificates are shown for softoken 3.11.4 and we will update when new certificates are granted.  
Plan is to validate all FIPS-approved algorithms that NSS implements and NIST has tests for. There are eight such algorithms. Previous certificates are shown for softoken 3.11.4 and we will update when new certificates are granted.  
Line 168: Line 115:
|}
|}


=== Dependant Bugs ===
== Dependant Bugs ==
{| border="1" cellpadding="2" summary="Dependent Bugs"
{| border="1" cellpadding="2" summary="Dependent Bugs"
|-
|-
Line 176: Line 123:
|}
|}


=== Testing Lab ===  
== Testing Lab ==
[http://www.atlanlabs.com/ Atlan Labs ]
[http://www.atlanlabs.com/ Atlan Labs ]


=== FIPS 140 Information ===
== FIPS 140 Information ==


[http://csrc.nist.gov/cryptval/ NIST Cryptographic Module Validation Program ]  
[http://csrc.nist.gov/cryptval/ NIST Cryptographic Module Validation Program ]  
Line 194: Line 141:
[[ FIPS 140-2 Vendor Requirement Docs | FIPS 140-2 Derived Test Requirements (DTR) ]]
[[ FIPS 140-2 Vendor Requirement Docs | FIPS 140-2 Derived Test Requirements (DTR) ]]


== Schedule ==
{| border="1" cellpadding="2" summary="schedule table"
|-
! Milestone !! Item !! Deps !! Time !! Who !! Completed
|-
| M1 || Initial Setup || || || ||
|-
| 1a || Choose validation Lab, approve costs, and sign NDA || all ||  || all ||  [http://www.atlanlabs.com/ Atlan] 
|-
| 1d || Define Algorithms, Key Sizes and modes || || || || 
|-
| M2 || Complete NSS 3.12 FIPS dependant bugs  || || || ||
|-
| M3  || Update documentation (numbers in parentheses refer to sections in FIPS documentation) || || || || 
|-
| 3a. || (1.0) Security policy, new algorithms || 1d || 2 wks || all ||
|-
| 3b. || Generate annotated source tree (LXR -> HTML) || M2 || || ||
|-
| 3c. || (2.0) Finite State Machine || 3b || 3 wks || ||
|-
| 3d. || (3.0/4.0) Cryptographic Module Definition || 3b ||  2 wks || ||
|-
| 3e. || (6.0) Software Security (rules-to-code map) || 3b || 2 wks || ||
|-
| 3f. || (8.0) Key Management Generate 20K random #'s || || 1 day || || 
|-
| 3g. || (9.0) Cryptographic Algs || 3a || 3 days || ||
|-
| 3h. || (10.0) Operational Test Plan || || 1 day || || 
|-
| 3i. || Document architectural changes between 3.2 and 3.11 ||  || 5 days || || 
|-
| M4 || Send docs to testing lab  || || || ||
|-
| 4a. || Security Policy || || all ||  ||
|-
| 4b. || Finite State Machine || 3c || || || 
|-
| 4c. || Module Def. / rules-to-code || 3d,3e || || ||
|-
| M5  || Operational validation || || || ||
|-
| 5a. || Algorithm testing || || 1 month || || 
|-
| 5b. || Operational testing || 3h || 1 week || ||
|-
| 5c || set up machines for Lab to run operational tests on, provide Lab tech with access to machines (last time we both sent a box to the lab and set up a temporary account in the intranet for them)  || || || ||
|-
| M6 || Internal QA of docs || M2-M5 || 1 week || all ||
|-
| M7 || Communication between NSS team / Lab / NIST about status of validation / algorithm certificates || M1-5 || 3-6 mos || all ||
|}
<BR>
[[Category:NSS]]
[[Category:NSS]]

Revision as of 18:12, 14 May 2009

NSS FIPS 140 validation

Softoken is a component of NSS, and has a separate version number. The most recent FIPS validated Softoken is 3.11.4 and is in NSS 3.11.4 and NSS 3.11.5.

NSS softoken has completed FIPS 140 validation four times: 1997, 1999, 2002, and 2007. View [[ http://www.mozilla.org/projects/security/pki/nss/fips/ | NSS FIPS validation history ]] here.

This page documents our current NSS FIPS 140 validation.

Updates

Spring/Summer 2009 FIPS 140 validation will be based on Softoken 3.12.x

Platforms for 2009

  • Level 1
    • Windows XP Service Pack 2
    • Mac OS X 10.5
  • Level 2
    • RHEL 5 x86 32 bit
    • RHEL 5 x86 64 bit
    • Solaris 10 64-bit SPARC v9
    • Solaris 10 32-bit SPARC v8+
    • Solaris 10 32-bit x86
    • Solaris 10 64-bit x86_64


Algorithms

Plan is to validate all FIPS-approved algorithms that NSS implements and NIST has tests for. There are eight such algorithms. Previous certificates are shown for softoken 3.11.4 and we will update when new certificates are granted.

Algorithms Key Size Modes Certificates
TripleDES KO 1,2,3 (56,112,168)

TECB(e/d; KO 1,2,3)
TCBC(e/d; KO 1,2,3)

AES 128/192/256

ECB(e/d; 128,192,256)
CBC(e/d; 128,192,256)

SHS (including all variants: SHA-1, SHA-256, SHA-384, and SHA-512)

SHS

SHA-1 (BYTE-only)
SHA-256 (BYTE-only)
SHA-384 (BYTE-only)
SHA-512 (BYTE-only)

N/A
HMAC

HMAC-SHA1, HMAC-SHA256,
HMAC-SHA384, HMAC-SHA512

KeySize < BlockSize,
KeySize = BlockSize,
KeySize > BlockSize

RNG N/A

Hash_DRBG of NIST SP 800-90

DSA 512-1024

PQG(gen)MOD(ALL);
PQG(ver)MOD(ALL);
KEYGEN(Y)MOD(ALL);
SIG(gen)MOD(ALL);
SIG(ver)MOD(ALL);

RSA 1024-8192

ALG[RSASSA-PKCS1_V1_5]; SIG(gen); SIG(ver);

ECDSA

(Extended ECC)

163-571

PKG: CURVES( ALL-P ALL-K ALL-B );
PKV: CURVES( ALL-P ALL-K ALL-B );
SIG(gen): CURVES( ALL-P ALL-K ALL-B );
SIG(ver): CURVES( ALL-P ALL-K ALL-B );

ECDSA

(Basic ECC)

256-521

PKG: CURVES( ALL-P P-256 P-384 P-521 );
PKV: CURVES( ALL-P P-256 P-384 P-521 );
SIG(gen): CURVES( ALL-P P-256 P-384 P-521 );
SIG(ver): CURVES( P-256 P-384 P-521 );

Dependant Bugs

Bug Description Completed

Testing Lab

Atlan Labs

FIPS 140 Information

NIST Cryptographic Module Validation Program

NIST Crypto Toolkit

NSS FIPS 140-2 Validation Docs

NSS FIPS 140-2 Validation Docs

FIPS 140-2 Derived Test Requirements (DTR)

FIPS 140-2 Derived Test Requirements (DTR)

Schedule

Milestone Item Deps Time Who Completed
M1 Initial Setup
1a Choose validation Lab, approve costs, and sign NDA all all Atlan
1d Define Algorithms, Key Sizes and modes
M2 Complete NSS 3.12 FIPS dependant bugs
M3 Update documentation (numbers in parentheses refer to sections in FIPS documentation)
3a. (1.0) Security policy, new algorithms 1d 2 wks all
3b. Generate annotated source tree (LXR -> HTML) M2
3c. (2.0) Finite State Machine 3b 3 wks
3d. (3.0/4.0) Cryptographic Module Definition 3b 2 wks
3e. (6.0) Software Security (rules-to-code map) 3b 2 wks
3f. (8.0) Key Management Generate 20K random #'s 1 day
3g. (9.0) Cryptographic Algs 3a 3 days
3h. (10.0) Operational Test Plan 1 day
3i. Document architectural changes between 3.2 and 3.11 5 days
M4 Send docs to testing lab
4a. Security Policy all
4b. Finite State Machine 3c
4c. Module Def. / rules-to-code 3d,3e
M5 Operational validation
5a. Algorithm testing 1 month
5b. Operational testing 3h 1 week
5c set up machines for Lab to run operational tests on, provide Lab tech with access to machines (last time we both sent a box to the lab and set up a temporary account in the intranet for them)
M6 Internal QA of docs M2-M5 1 week all
M7 Communication between NSS team / Lab / NIST about status of validation / algorithm certificates M1-5 3-6 mos all


Retrieved from "https://wiki.mozilla.org/index.php?title=FIPS_Validation&oldid=144192"