FIPS Validation: Difference between revisions

From MozillaWiki
(Note products implementing FIPS mode NSS)
 
(99 intermediate revisions by 10 users not shown)
Line 1: Line 1:
== NSS FIPS 140-2 validation ==
== NSS FIPS 140 validation ==


NSS has completed FIPS validation three times already (1997, 1999, and 2002), and is now undergoing a fourth evaluation. This page documents our plans for the
Softoken is a component of [[NSS]], and has a separate version number. The most recent FIPS validated Softoken is 3.12.4 and is in '''NSS 3.12.4''' and '''NSS 3.12.5''' and '''NSS 3.12.6'''. Binaries are available [https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_4_RTM/ | here].
current NSS FIPS validation.


Target Release: [[NSS]] 3.11
NSS softoken has completed FIPS 140 validation four times: 1997, 1999, 2002, 2007 and 2009. View [http://www.mozilla.org/projects/security/pki/nss/fips/ | NSS FIPS validation history ] here. View the [[FIPS2009]] validation here.


January 20, 2006 status: we have received four algorithm certificates: AES ([http://www.csrc.nist.gov/cryptval/aes/aesval.html#352 certificate #352]), Triple DES ([http://csrc.nist.gov/cryptval/des/tripledesval.html#410 certificate #410]), SHS ([http://csrc.nist.gov/cryptval/shs/shaval.htm#426 certificate #426]), and HMAC ([http://csrc.nist.gov/cryptval/mac/hmacval.html#152 certificate #152]). We are having RNG, DSA, and RSA validated now.
This page documents our current NSS FIPS 140 validation.
 
=== Platforms ===


== Platforms for 2011 ==
* Level 1
* Level 1
** RHEL 4 x86
** RHEL '''6''' x86 32 bit (no AES-NI)
** Windows XP Service Pack 2
** RHEL '''6''' x86 64 bit
** 64-bit Solaris 10 AMD64
** HP-UX B.11.11 PA-RISC
** Mac OS X 10.4
* Level 2
** RHEL 3 or RHEL 4 x86 (see Note).
** 64-bit Trusted Solaris 8 SPARC
 
Note: Level 2 testing must be performed on an operating system that has received Common Criteria certification at level EAL2 or higher. Qualified operating systems today include RHEL 3 (EAL3), Trusted Solaris 8, and Windows 2000 (EAL4). If RHEL 4 achieves Common Criteria certification (at level EAL4) in time, we will perform level 2 testing on RHEL 4; otherwise we will do level 2 testing on RHEL 3.
 
=== Schedule ===


{| border="1" cellpadding="2"
== Algorithms ==
|-
! Milestone !! Item !! Deps !! Time !! Who !! Completed
|-
! M1 !! Initial Setup !! !! !! !!
|-
! 1a !! Choose validation Lab, approve costs, and sign NDA !! all !!  !! all !! [http://www.bkpsecurity.com/ BKP Security ]
|-
! 1b !! [http://csrc.nist.gov/publications/nistpubs/800-29/sp800-29.pdf Review FIPs 140-2 and compare to FIPS 140-1] !! all !! !! !! X
|-
! 1c !! BKP Training course June 21st and June 22nd !!  !! !! glen,jullien,Darren,Wan-Teh,Bob !! X
|-
! 1d !! Define Algorithms, Key Sizes and modes !! !! !! !! X
|-
! M2 !! Complete NSS 3.11 FIPS dependant bugs  !! !! !! !! X
|-
! M3  !! Update documentation (numbers in parentheses refer to sections in FIPS documentation) !! !! !! !! 
|-
! 3a. !! (1.0) Security policy, new algorithms !! 1d !! 2 wks !! all !! ongoing
|-
! 3b. !! Generate annotated source tree (LXR -> HTML) !! M2 !! !! glen !! ongoing
|-
! 3c. !! (2.0) Finite State Machine !! 3b !! 3 wks !! !!
|-
! 3d. !! (3.0/4.0) Cryptographic Module Definition !! 3b !!  2 wks !! !!
|-
! 3e. !! (6.0) Software Security (rules-to-code map) !! 3b !! 2 wks !! !!
|-
! 3f. !! (8.0) Key Management Generate 20K random #'s !! !! 1 day !! !!
|-
! 3g. !! (9.0) Cryptographic Algs !! 3a !! 3 days !! !!
|-
! 3h. !! (10.0) Operational Test Plan !! !! 1 day !! !! 
|-
! 3i. !! Document architectural changes between 3.2 and 3.11 !!  !! 5 days !! !!
|-
! M4 !! Send docs to testing lab  !! !! !! !!
|-
! 4a. !! Security Policy !! !! all !! ongoing !!
|-
! 4b. !! Finite State Machine !! 3c !! !! !! 
|-
! 4c. !! Module Def. / rules-to-code !! 3d,3e !! !! !!
|-
! M5  !! Operational validation !! !! !! !!
|-
! 5a. !! Algorithm testing !! !! 1 month !! !!
|-
! 5b. !! Operational testing !! 3h !! 1 week !! !!
|-
! 5c !! set up machines for Lab to run operational tests on, provide Lab tech with access to machines (last time we both sent a box to the lab and set up a temporary account in the intranet for them)  !! !! !! !!
|-
! M6 !! Internal QA of docs !! M2-M5 !! 1 week !! all !!
|-
! M7 !! Communication between NSS team / Lab / NIST about status of validation / algorithm certificates !! M1-5 !! 3-6 mos !! all !!
|}


=== Algorithms ===
Plan is to validate all FIPS-approved algorithms that NSS implements and NIST has tests for. There are eight such algorithms.


Plan is to validate all FIPS-approved algorithms that NSS implements and NIST has tests for. There are eight such algorithms:
{| border="1" cellpadding="2" summary="Algorithms"
{| border="1" cellpadding="2"
|+
|-
|-
!Algorithms !! Key Size !! Modes !! Testing Completed
!Algorithms !! Key Size !! Modes !! Certificates


|-
|-
![http://csrc.nist.gov/cryptval/des/tripledesval.html TripleDES]  
![http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledesval.html TripleDES]  
| KO 1,2,3 (56,112,168)
| KO 1,2,3 (56,112,168)
||
||
TECB(e/d; KO 1,2,3)
TECB(e/d; KO 1,2,3)<br>
TCBC(e/d; KO 1,2,3)
TCBC(e/d; KO 1,2,3)
||  
||  
Completed
Pending
|-
|-
! [http://csrc.nist.gov/cryptval/aes/aesval.html AES]  
! [http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html AES]  
| 128/192/256
| 128/192/256
||
||
ECB(e/d; 128,192,256)
ECB(e/d; 128,192,256)<br>
CBC(e/d; 128,192,256)
CBC(e/d; 128,192,256)
||  
||  
Completed
Pending
|-
|-
![http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf/ SHS (including all variants: SHA-1, SHA-256, SHA-384, and SHA-512)]
![http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf/ SHS (including all variants: SHA-1, SHA-256, SHA-384, and SHA-512)]
[http://csrc.nist.gov/cryptval/shs/shaval.htm SHS]  
[http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm SHS]  
|
|
SHA-1  (BYTE-only)
SHA-1  (BYTE-only)<br>
SHA-256 (BYTE-only)
SHA-256 (BYTE-only)<br>
SHA-384 (BYTE-only)
SHA-384 (BYTE-only)<br>
SHA-512 (BYTE-only)
SHA-512 (BYTE-only)
|| N/A ||  
|| N/A ||  
Completed
Pending
|-
|-
! [http://csrc.nist.gov/cryptval/mac/hmacval.html HMAC]
! [http://csrc.nist.gov/groups/STM/cavp/documents/mac/hmacval.html HMAC]
|  
|  
HMAC-SHA1, HMAC-SHA256,  
HMAC-SHA1, HMAC-SHA256,<br>
HMAC-SHA384, HMAC-SHA512  
HMAC-SHA384, HMAC-SHA512  
||  
||  
KeySize < BlockSize,  
KeySize < BlockSize,<br>
KeySize = BlockSize,  
KeySize = BlockSize,<br>
KeySize < BlockSize  
KeySize > BlockSize  
||  
||  
Completed
Pending
|-
|-
! [http://csrc.nist.gov/cryptval/rng/rngval.html RNG]  
! [http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html DRBG]  
| N/A  
| N/A  
||   
||   
FIPS 186-2 General Purpose
Hash_DRBG of [http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf NIST SP 800-90]
[( x-Change Notice );
( SHA-1 )]
||  
||  
 
Pending
|-
|-
! [http://csrc.nist.gov/cryptval/dss/dsaval.htm DSA]  
! [http://csrc.nist.gov/groups/STM/cavp/documents/dss/dsaval.htm DSA]  
| 512-1024 ||
| 512-1024 ||
PRIME;
PQG(gen)MOD(1024);<br>
PQG(gen)MOD(ALL);
PQG(ver)MOD(1024);<br>
PQG(ver)MOD(ALL);
KEYGEN(Y)MOD(1024);<br>
KEYGEN(Y)MOD(ALL);
SIG(gen)MOD(1024);<br>
SIG(gen)MOD(ALL);
SIG(ver)MOD(1024);
SIG(ver)MOD(ALL);
||  
||  
 
Pending
|-
|-
! [http://csrc.nist.gov/cryptval/dss/rsaval.html RSA]  
! [http://csrc.nist.gov/groups/STM/cavp/documents/dss/rsaval.html RSA]  
| 1024-8092 ||   
| 1024-8192 ||   
ALG[RSASSA-PKCS1_V1_5];  SIG(gen);   
ALG[RSASSA-PKCS1_V1_5];  SIG(gen);   
SIG(ver);  
SIG(ver);  
||
||
Pending
|-
! [http://csrc.nist.gov/groups/STM/cavp/documents/dss/ecdsaval.html ECDSA]
(Extended ECC)
| 163-571 ||
PKG: CURVES( ALL-P ALL-K ALL-B );<br>
PKV: CURVES( ALL-P ALL-K ALL-B );<br>
SIG(gen): CURVES( ALL-P ALL-K ALL-B );<br>
SIG(ver): CURVES( ALL-P ALL-K ALL-B );
||
Not In 2011 Validation
|-
! [http://csrc.nist.gov/groups/STM/cavp/documents/dss/ecdsaval.html ECDSA]
(Basic ECC)
| 256-521 ||
PKG: CURVES( ALL-P P-256 P-384 P-521 );<br>
PKV: CURVES( ALL-P P-256 P-384 P-521 );<br>
SIG(gen): CURVES( ALL-P P-256 P-384 P-521 );<br>
SIG(ver): CURVES( P-256 P-384 P-521 );
||
Not In 2011 Validation
|}
|}


In this validation, we should validate AES and Triple DES first because their
== Dependant Bugs ==
implementations are stable.  Next we should test SHS because RNG and DSA depend on SHA-1.  After SHS is tested, we can test HMAC.  Finally, when the new RNG
{| border="1" cellpadding="2" summary="Dependent Bugs"
and big num library code is checked in, we can test the rest of the algorithms
(RNG, DSA, and RSA).
 
=== Dependant Bugs ===
{| border="1" cellpadding="2"
|-
|-
! Bug !! Description !! Completed  
! Bug !! Description !! Completed  
|-  
|-  
|[https://bugzilla.mozilla.org/show_bug.cgi?id=259135 259135] || power-up self-tests needed for SHA-256,384,512 and AES || Completed
||| ||  
|-
|}
| [https://bugzilla.mozilla.org/show_bug.cgi?id=294106 294106] || Implement the recommended PRNG changes described in FIPS 186-2 Change Notice 1 || Completed
|-
| [https://bugzilla.mozilla.org/show_bug.cgi?id=298506 298506 ] || Implement logging for auditable events required by FIPS 140-2 || ?
|-
| [https://bugzilla.mozilla.org/show_bug.cgi?id=298511 298511 ] || Increase FIPS 186-2 RNG internal state size || Completed
|-
| [https://bugzilla.mozilla.org/show_bug.cgi?id=298512 298512 ] || Ensure the seed and seed key input for RNG do not have same value for FIPS 140-2 || Completed
|-
| [https://bugzilla.mozilla.org/show_bug.cgi?id=298513 298513 ] || Implement pairwise consistency test for key transport key generation FIPS 140-2 || Completed
|-
| [https://bugzilla.mozilla.org/show_bug.cgi?id=298514 298514 ]|| Implement pairwise consistency for digitial signature key generation for FIPS 140-2 || Completed
|-
| [https://bugzilla.mozilla.org/show_bug.cgi?id=298516 298516 ] || Implement minimum length of PINs for FIPS 140-2 mode || Completed
|-
| [https://bugzilla.mozilla.org/show_bug.cgi?id=298517 298517 ] || Implement minimum time intervals for login attempts failures for FIPS 140-2 || Completed
|-
| [https://bugzilla.mozilla.org/show_bug.cgi?id=298520 298520 ] || Implement key establishment must be as secure as the strength of the key being transported for FIPS 140-2 || Patch submitted
|-
|[https://bugzilla.mozilla.org/show_bug.cgi?id=298522 298522 ] || Implement more power-up self tests, such as HMAC, RSA for FIPS 140-2 || Patch submitted


|-
== Testing Lab ==
|[https://bugzilla.mozilla.org/show_bug.cgi?id=305984 305984 ] || Update the isFIPS information  SSLCipherSuiteInfo table || Completed
[http://www.saic.com/infosec/testing-accreditation/ SAIC ]


|-
== FIPS 140 Information ==
|[https://bugzilla.mozilla.org/show_bug.cgi?id=318958 318958 ] || Implement TDEA algorithm tests for FIPS 140-2 validation || Completed


|-
[http://csrc.nist.gov/cryptval/ NIST Cryptographic Module Validation Program ]  
|[https://bugzilla.mozilla.org/show_bug.cgi?id=318962 318962 ] || Implement SHS algorithm tests for FIPS 140-2 validation || Completed


|-
[http://csrc.nist.gov/CryptoToolkit/ NIST Crypto Toolkit ]
|[https://bugzilla.mozilla.org/show_bug.cgi?id=318964 318964 ] || Implement HMAC algorithm tests for FIPS 140-2 validation || Completed


|-
== NSS FIPS 140-2 Validation Docs ==
|[https://bugzilla.mozilla.org/show_bug.cgi?id=318966 318966 ] || Implement RNG algorithm tests for FIPS 140-2 validation || Completed


|-
[[ NSSCryptoModuleSpec | NSS FIPS 140-2 Validation Docs ]]
|[https://bugzilla.mozilla.org/show_bug.cgi?id=318967 318967 ] || Implement DSA  algorithm tests for FIPS 140-2 validation || In progress


|-
== FIPS 140-2 Derived Test Requirements (DTR) ==
|[https://bugzilla.mozilla.org/show_bug.cgi?id=318970 318970 ] || Implement RSA algorithm tests for FIPS 140-2 validation || In progress


|-
|[https://bugzilla.mozilla.org/show_bug.cgi?id=312395 312395 ] || Enhance fipstest to perform FIPS AES algorithm testing || Completed


|}
[[ FIPS 140-2 Vendor Requirement Docs | FIPS 140-2 Derived Test Requirements (DTR) ]]


=== Testing Lab ===
[http://www.bkpsecurity.com/ BKP Security ]


=== FIPS Information ===
== Vendor Information ==


[http://csrc.nist.gov/cryptval/ NIST Cryptographic Module Validation Program ]
This validation is supported and maintained by the following corporations:


[http://csrc.nist.gov/CryptoToolkit/ NIST Crypto Toolkit ]
Red Hat, Inc.: http://www.redhat.com/about/contact/


== NSS FIPS 140-2 Validation Docs ==
== Products Implementing FIPS 140-2 Validated NSS ==
 
[[ NSSCryptoModuleSpec | NSS FIPS 140-2 Validation Docs ]]
 
== FIPS 140-2 Derived Test Requirements (DTR) ==


* [https://www.redhat.com Red Hat Enterprise Linux] ([https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-federal_standards_and_regulations-federal_information_processing_standard#enabling-fips-mode Documentation])


[[ FIPS 140-2 Vendor Requirement Docs | FIPS 140-2 Derived Test Requirements (DTR) ]]
<BR>
[[Category:NSS]]
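
Review bot: the new opening paragraph says NSS softoken "has completed FIPS 140 validation four times" but then lists five years (1997, 1999, 2002, 2007 and 2009); make the count and the list agree. In the same two paragraphs the external links are written as "[URL | text]", and MediaWiki external links separate URL and label with a space, so the pipe is rendered literally ("available | here"); drop the pipe. The new "Dependant Bugs" table holds only an empty row ("||| ||"), while the text still says "There are eight such algorithms" above a table with seven algorithms in this validation and ECDSA marked "Not In 2011 Validation"; either list the bugs for this validation or remove the section, and reconcile the algorithm count with the table.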

Latest revision as of 20:19, 20 November 2017

NSS FIPS 140 validation

Softoken is a component of NSS and has a separate version number. The most recent FIPS-validated Softoken is 3.12.4, which is included in NSS 3.12.4, NSS 3.12.5 and NSS 3.12.6. Binaries are available at https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_4_RTM/.

NSS softoken has completed FIPS 140 validation four times: 1997, 1999, 2002, 2007 and 2009. The NSS FIPS validation history is at http://www.mozilla.org/projects/security/pki/nss/fips/. See also the FIPS2009 validation page.

This page documents our current NSS FIPS 140 validation.

Platforms for 2011

  • Level 1
    • RHEL 6 x86 32 bit (no AES-NI)
    • RHEL 6 x86 64 bit

Algorithms

The plan is to validate all FIPS-approved algorithms that NSS implements and that NIST has tests for. There are eight such algorithms.

Algorithms | Key Size | Modes | Certificates
TripleDES | KO 1,2,3 (56,112,168) | TECB(e/d; KO 1,2,3), TCBC(e/d; KO 1,2,3) | Pending
AES | 128/192/256 | ECB(e/d; 128,192,256), CBC(e/d; 128,192,256) | Pending
SHS (including all variants: SHA-1, SHA-256, SHA-384, and SHA-512) | SHA-1 (BYTE-only), SHA-256 (BYTE-only), SHA-384 (BYTE-only), SHA-512 (BYTE-only) | N/A | Pending
HMAC | HMAC-SHA1, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512 | KeySize < BlockSize, KeySize = BlockSize, KeySize > BlockSize | Pending
DRBG | N/A | Hash_DRBG of NIST SP 800-90 | Pending
DSA | 512-1024 | PQG(gen)MOD(1024); PQG(ver)MOD(1024); KEYGEN(Y)MOD(1024); SIG(gen)MOD(1024); SIG(ver)MOD(1024); | Pending
RSA | 1024-8192 | ALG[RSASSA-PKCS1_V1_5]; SIG(gen); SIG(ver); | Pending
ECDSA (Extended ECC) | 163-571 | PKG: CURVES( ALL-P ALL-K ALL-B ); PKV: CURVES( ALL-P ALL-K ALL-B ); SIG(gen): CURVES( ALL-P ALL-K ALL-B ); SIG(ver): CURVES( ALL-P ALL-K ALL-B ); | Not In 2011 Validation
ECDSA (Basic ECC) | 256-521 | PKG: CURVES( ALL-P P-256 P-384 P-521 ); PKV: CURVES( ALL-P P-256 P-384 P-521 ); SIG(gen): CURVES( ALL-P P-256 P-384 P-521 ); SIG(ver): CURVES( P-256 P-384 P-521 ); | Not In 2011 Validation

Dependent Bugs

Bug | Description | Completed

Testing Lab

SAIC

FIPS 140 Information

NIST Cryptographic Module Validation Program

NIST Crypto Toolkit

NSS FIPS 140-2 Validation Docs

NSS FIPS 140-2 Validation Docs

FIPS 140-2 Derived Test Requirements (DTR)

FIPS 140-2 Derived Test Requirements (DTR)


Vendor Information

This validation is supported and maintained by the following corporations:

Red Hat, Inc.: http://www.redhat.com/about/contact/

Products Implementing FIPS 140-2 Validated NSS