FIPS Validation: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
m (Removing vandalism by Buljlwmg.)
(Note products implementing FIPS mode NSS)
 
(71 intermediate revisions by 8 users not shown)
Line 1: Line 1:
== NSS FIPS 140-2 validation ==
== NSS FIPS 140 validation ==


NSS has completed FIPS validation three times already (1997, 1999, and 2002), and is now undergoing a fourth evaluation. This page documents our plans for the
Softoken is a component of [[NSS]], and has a separate version number. The most recent FIPS validated Softoken is 3.12.4 and is in '''NSS 3.12.4''' and '''NSS 3.12.5''' and '''NSS 3.12.6'''. Binaries are available [https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_4_RTM/ | here].
current NSS FIPS validation.


Target Release: [[NSS]] 3.11.4
NSS softoken has completed FIPS 140 validation four times: 1997, 1999, 2002, 2007 and 2009. View [http://www.mozilla.org/projects/security/pki/nss/fips/ | NSS FIPS validation history ] here. View the [[FIPS2009]] validation here.


November 16, 2006: BKP Security submitted the test report to NIST for validation. We advanced to the Review Pending state on the [http://csrc.nist.gov/cryptval/140-1/preval.htm FIPS 140-2 Pre-validation List].
This page documents our current NSS FIPS 140 validation.
 
June 30, 2006: we have received the remaining four algorithm certificates: RNG ([http://csrc.nist.gov/cryptval/rng/rngval.html#208 certificate #208]), DSA ([http://csrc.nist.gov/cryptval/dss/dsaval.htm#172 certificate #172]), RSA ([http://csrc.nist.gov/cryptval/dss/rsaval.html#152 certificate #152]), and ECDSA ([http://csrc.nist.gov/cryptval/dss/ecdsaval.html#30 certificate #30]).
 
June 23, 2006: we are now on the [http://csrc.nist.gov/cryptval/140-1/preval.htm FIPS 140-2 Pre-validation List].
 
June 15, 2006: we addressed the deficiencies in Chapter 1-4 of the documentation.
 
April 13, 2006 status: we are having RNG, DSA, and RSA validated now. We are updating our Security Policy and writing our responses to the vendor requirements in the FIPS 140-2 Derived Test Requirements (DTR).
 
January 20, 2006 status: we have received four algorithm certificates: AES ([http://www.csrc.nist.gov/cryptval/aes/aesval.html#352 certificate #352]), Triple DES ([http://csrc.nist.gov/cryptval/des/tripledesval.html#410 certificate #410]), SHS ([http://csrc.nist.gov/cryptval/shs/shaval.htm#426 certificate #426]), and HMAC ([http://csrc.nist.gov/cryptval/mac/hmacval.html#152 certificate #152]).
 
=== Platforms ===


== Platforms for 2011 ==
* Level 1
* Level 1
** RHEL '''4''' x86 (was: RHEL '''3''' x86)
** RHEL '''6''' x86 32 bit (no AES-NI)
** Windows XP Service Pack 2
** RHEL '''6''' x86 64 bit
** 64-bit Solaris 10 AMD64
** HP-UX B.11.11 PA-RISC
** Mac OS X 10.4
* Level 2
** RHEL 4 '''x86_64''' (was: RHEL 4 '''x86''')
** 64-bit Trusted Solaris 8 SPARC


=== Schedule ===
== Algorithms ==


{| border="1" cellpadding="2"
Plan is to validate all FIPS-approved algorithms that NSS implements and NIST has tests for. There are eight such algorithms.  
|-
! Milestone !! Item !! Deps !! Time !! Who !! Completed
|-
| M1 || Initial Setup || || || ||
|-
| 1a || Choose validation Lab, approve costs, and sign NDA || all ||  || all || [http://www.bkpsecurity.com/ BKP Security ]
|-
| 1b || [http://csrc.nist.gov/publications/nistpubs/800-29/sp800-29.pdf Review FIPs 140-2 and compare to FIPS 140-1] || all || || || X
|-
| 1c || BKP Training course June 21st and June 22nd ||  || || glen, jullien, Darren, Wan-Teh, Bob || X
|-
| 1d || Define Algorithms, Key Sizes and modes || || || || X
|-
| M2 || Complete NSS 3.11 FIPS dependant bugs  || || || || X
|-
| M3  || Update documentation (numbers in parentheses refer to sections in FIPS documentation) || || || || 
|-
| 3a. || (1.0) Security policy, new algorithms || 1d || 2 wks || all || ongoing
|-
| 3b. || Generate annotated source tree (LXR -> HTML) || M2 || || glen || ongoing
|-
| 3c. || (2.0) Finite State Machine || 3b || 3 wks || ||
|-
| 3d. || (3.0/4.0) Cryptographic Module Definition || 3b ||  2 wks || ||
|-
| 3e. || (6.0) Software Security (rules-to-code map) || 3b || 2 wks || ||
|-
| 3f. || (8.0) Key Management Generate 20K random #'s || || 1 day || ||
|-
| 3g. || (9.0) Cryptographic Algs || 3a || 3 days || ||
|-
| 3h. || (10.0) Operational Test Plan || || 1 day || || 
|-
| 3i. || Document architectural changes between 3.2 and 3.11 ||  || 5 days || ||
|-
| M4 || Send docs to testing lab  || || || ||
|-
| 4a. || Security Policy || || all || ongoing ||
|-
| 4b. || Finite State Machine || 3c || || || 
|-
| 4c. || Module Def. / rules-to-code || 3d,3e || || ||
|-
| M5  || Operational validation || || || ||
|-
| 5a. || Algorithm testing || || 1 month || ||
|-
| 5b. || Operational testing || 3h || 1 week || ||
|-
| 5c || set up machines for Lab to run operational tests on, provide Lab tech with access to machines (last time we both sent a box to the lab and set up a temporary account in the intranet for them)  || || || ||
|-
| M6 || Internal QA of docs || M2-M5 || 1 week || all ||
|-
| M7 || Communication between NSS team / Lab / NIST about status of validation / algorithm certificates || M1-5 || 3-6 mos || all ||
|}
 
<BR>


=== Algorithms ===
{| border="1" cellpadding="2" summary="Algorithms"
 
Plan is to validate all FIPS-approved algorithms that NSS implements and NIST has tests for. There are eight such algorithms:
{| border="1" cellpadding="2"
|+
|-
|-
!Algorithms !! Key Size !! Modes !! Testing Completed
!Algorithms !! Key Size !! Modes !! Certificates


|-
|-
![http://csrc.nist.gov/cryptval/des/tripledesval.html TripleDES]  
![http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledesval.html TripleDES]  
| KO 1,2,3 (56,112,168)
| KO 1,2,3 (56,112,168)
||
||
Line 106: Line 27:
TCBC(e/d; KO 1,2,3)
TCBC(e/d; KO 1,2,3)
||  
||  
[http://csrc.nist.gov/cryptval/des/tripledesval.html#410 Certificate #410] for x86 CPUs<br><br>
Pending
[http://csrc.nist.gov/cryptval/des/tripledesval.html#469 Certificate #469] for non-x86 CPUs
|-
|-
! [http://csrc.nist.gov/cryptval/aes/aesval.html AES]  
! [http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html AES]  
| 128/192/256
| 128/192/256
||
||
Line 115: Line 35:
CBC(e/d; 128,192,256)
CBC(e/d; 128,192,256)
||  
||  
[http://csrc.nist.gov/cryptval/aes/aesval.html#352 Certificate #352]
Pending
|-
|-
![http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf/ SHS (including all variants: SHA-1, SHA-256, SHA-384, and SHA-512)]
![http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf/ SHS (including all variants: SHA-1, SHA-256, SHA-384, and SHA-512)]
[http://csrc.nist.gov/cryptval/shs/shaval.htm SHS]  
[http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm SHS]  
|
|
SHA-1  (BYTE-only)<br>
SHA-1  (BYTE-only)<br>
Line 125: Line 45:
SHA-512 (BYTE-only)
SHA-512 (BYTE-only)
|| N/A ||  
|| N/A ||  
[http://csrc.nist.gov/cryptval/shs/shaval.htm#426 Certificate #426]
Pending
|-
|-
! [http://csrc.nist.gov/cryptval/mac/hmacval.html HMAC]
! [http://csrc.nist.gov/groups/STM/cavp/documents/mac/hmacval.html HMAC]
|  
|  
HMAC-SHA1, HMAC-SHA256,<br>
HMAC-SHA1, HMAC-SHA256,<br>
Line 136: Line 56:
KeySize > BlockSize  
KeySize > BlockSize  
||  
||  
[http://csrc.nist.gov/cryptval/mac/hmacval.html#152 Certificate #152]
Pending
|-
|-
! [http://csrc.nist.gov/cryptval/rng/rngval.html RNG]  
! [http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html DRBG]  
| N/A  
| N/A  
||   
||   
FIPS 186-2
Hash_DRBG of [http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf NIST SP 800-90]
[(x-Change Notice);
(SHA-1)]<br>
FIPS 186-2 General Purpose
[(x-Change Notice);
(SHA-1)]
||  
||  
[http://csrc.nist.gov/cryptval/rng/rngval.html#208 Certificate #208]
Pending
|-
|-
! [http://csrc.nist.gov/cryptval/dss/dsaval.htm DSA]  
! [http://csrc.nist.gov/groups/STM/cavp/documents/dss/dsaval.htm DSA]  
| 512-1024 ||
| 512-1024 ||
PQG(gen)MOD(ALL);<br>
PQG(gen)MOD(1024);<br>
PQG(ver)MOD(ALL);<br>
PQG(ver)MOD(1024);<br>
KEYGEN(Y)MOD(ALL);<br>
KEYGEN(Y)MOD(1024);<br>
SIG(gen)MOD(ALL);<br>
SIG(gen)MOD(1024);<br>
SIG(ver)MOD(ALL);
SIG(ver)MOD(1024);
||  
||  
[http://csrc.nist.gov/cryptval/dss/dsaval.htm#172 Certificate #172]
Pending
|-
|-
! [http://csrc.nist.gov/cryptval/dss/rsaval.html RSA]  
! [http://csrc.nist.gov/groups/STM/cavp/documents/dss/rsaval.html RSA]  
| 1024-8192 ||   
| 1024-8192 ||   
ALG[RSASSA-PKCS1_V1_5];  SIG(gen);   
ALG[RSASSA-PKCS1_V1_5];  SIG(gen);   
SIG(ver);  
SIG(ver);  
||
||
[http://csrc.nist.gov/cryptval/dss/rsaval.html#152 Certificate #152]
Pending
|-
|-
! [http://csrc.nist.gov/cryptval/dss/ecdsaval.html ECDSA]
! [http://csrc.nist.gov/groups/STM/cavp/documents/dss/ecdsaval.html ECDSA]
(Extended ECC)
(Extended ECC)
| 163-571 ||
| 163-571 ||
Line 175: Line 90:
SIG(ver): CURVES( ALL-P ALL-K ALL-B );
SIG(ver): CURVES( ALL-P ALL-K ALL-B );
||  
||  
[http://csrc.nist.gov/cryptval/dss/ecdsaval.html#30 Certificate #30]
Not In 2011 Validation
|-
|-
! [http://csrc.nist.gov/cryptval/dss/ecdsaval.html ECDSA]
! [http://csrc.nist.gov/groups/STM/cavp/documents/dss/ecdsaval.html ECDSA]
(Basic ECC)
(Basic ECC)
| 256-521 ||
| 256-521 ||
Line 185: Line 100:
SIG(ver): CURVES( P-256 P-384 P-521 );
SIG(ver): CURVES( P-256 P-384 P-521 );
||  
||  
[http://csrc.nist.gov/cryptval/dss/ecdsaval.html#37 Certificate #37]
Not In 2011 Validation
|}
|}


In this validation, we should validate AES and Triple DES first because their
== Dependant Bugs ==
implementations are stable.  Next we should test SHS because RNG and DSA depend on SHA-1.  After SHS is tested, we can test HMAC.  Finally, when the new RNG
{| border="1" cellpadding="2" summary="Dependent Bugs"
and big num library code is checked in, we can test the rest of the algorithms
(RNG, DSA, and RSA).
 
=== Dependant Bugs ===
{| border="1" cellpadding="2"
|-
|-
! Bug !! Description !! Completed  
! Bug !! Description !! Completed  
|-  
|-  
|[https://bugzilla.mozilla.org/show_bug.cgi?id=259135 259135] || power-up self-tests needed for SHA-256,384,512 and AES || Completed
||| ||  
|-
|}
| [https://bugzilla.mozilla.org/show_bug.cgi?id=294106 294106] || Implement the recommended PRNG changes described in FIPS 186-2 Change Notice 1 || Completed
|-
| [https://bugzilla.mozilla.org/show_bug.cgi?id=298506 298506 ] || Implement logging for auditable events required by FIPS 140-2 || Completed
|-
| [https://bugzilla.mozilla.org/show_bug.cgi?id=298511 298511 ] || Increase FIPS 186-2 RNG internal state size || Completed
|-
| [https://bugzilla.mozilla.org/show_bug.cgi?id=298512 298512 ] || Ensure the seed and seed key input for RNG do not have same value for FIPS 140-2 || Completed
|-
| [https://bugzilla.mozilla.org/show_bug.cgi?id=298513 298513 ] || Implement pairwise consistency test for key transport key generation FIPS 140-2 || Completed
|-
| [https://bugzilla.mozilla.org/show_bug.cgi?id=298514 298514 ]|| Implement pairwise consistency for digitial signature key generation for FIPS 140-2 || Completed
|-
| [https://bugzilla.mozilla.org/show_bug.cgi?id=298516 298516 ] || Implement minimum length of PINs for FIPS 140-2 mode || Completed
|-
| [https://bugzilla.mozilla.org/show_bug.cgi?id=298517 298517 ] || Implement minimum time intervals for login attempts failures for FIPS 140-2 || Completed
|-
| [https://bugzilla.mozilla.org/show_bug.cgi?id=298520 298520 ] || Implement key establishment must be as secure as the strength of the key being transported for FIPS 140-2 || Completed
|-
|[https://bugzilla.mozilla.org/show_bug.cgi?id=298522 298522 ] || Implement more power-up self tests, such as HMAC, RSA for FIPS 140-2 || Completed
|-
|[https://bugzilla.mozilla.org/show_bug.cgi?id=305984 305984 ] || Update the isFIPS information  SSLCipherSuiteInfo table || Completed


|-
== Testing Lab ==
|[https://bugzilla.mozilla.org/show_bug.cgi?id=318958 318958 ] || Implement TDEA algorithm tests for FIPS 140-2 validation || Completed
[http://www.saic.com/infosec/testing-accreditation/ SAIC ]


|-
== FIPS 140 Information ==
|[https://bugzilla.mozilla.org/show_bug.cgi?id=318962 318962 ] || Implement SHS algorithm tests for FIPS 140-2 validation || Completed


|-
[http://csrc.nist.gov/cryptval/ NIST Cryptographic Module Validation Program ]  
|[https://bugzilla.mozilla.org/show_bug.cgi?id=318964 318964 ] || Implement HMAC algorithm tests for FIPS 140-2 validation || Completed


|-
[http://csrc.nist.gov/CryptoToolkit/ NIST Crypto Toolkit ]
|[https://bugzilla.mozilla.org/show_bug.cgi?id=318966 318966 ] || Implement RNG algorithm tests for FIPS 140-2 validation || Completed


|-
== NSS FIPS 140-2 Validation Docs ==
|[https://bugzilla.mozilla.org/show_bug.cgi?id=318967 318967 ] || Implement DSA  algorithm tests for FIPS 140-2 validation || Completed


|-
[[ NSSCryptoModuleSpec | NSS FIPS 140-2 Validation Docs ]]
|[https://bugzilla.mozilla.org/show_bug.cgi?id=318970 318970 ] || Implement RSA algorithm tests for FIPS 140-2 validation || Completed


|-
== FIPS 140-2 Derived Test Requirements (DTR) ==
|[https://bugzilla.mozilla.org/show_bug.cgi?id=312395 312395 ] || Enhance fipstest to perform FIPS AES algorithm testing || Completed


|-
|[https://bugzilla.mozilla.org/show_bug.cgi?id=342362 342362 ] || Need https://ftp.mozilla.org for secure download of NSS releases. || Completed


|}
[[ FIPS 140-2 Vendor Requirement Docs | FIPS 140-2 Derived Test Requirements (DTR) ]]
 
=== Testing Lab ===
[http://www.bkpsecurity.com/ BKP Security ]
 
=== FIPS Information ===


[http://csrc.nist.gov/cryptval/ NIST Cryptographic Module Validation Program ]


[http://csrc.nist.gov/CryptoToolkit/ NIST Crypto Toolkit ]
== Vendor Information ==


== NSS FIPS 140-2 Validation Docs ==
This validation is supported and maintained by the following corporations:


[[ NSSCryptoModuleSpec | NSS FIPS 140-2 Validation Docs ]]
Red Hat, Inc.: http://www.redhat.com/about/contact/


== FIPS 140-2 Derived Test Requirements (DTR) ==
== Products Implementing FIPS 140-2 Validated NSS ==


* [https://www.redhat.com Red Hat Enterprise Linux] ([https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-federal_standards_and_regulations-federal_information_processing_standard#enabling-fips-mode Documentation])


[[ FIPS 140-2 Vendor Requirement Docs | FIPS 140-2 Derived Test Requirements (DTR) ]]
<BR>
[[Category:NSS]]

Latest revision as of 20:19, 20 November 2017

NSS FIPS 140 validation

Softoken is a component of NSS, and has a separate version number. The most recent FIPS validated Softoken is 3.12.4 and is in NSS 3.12.4 and NSS 3.12.5 and NSS 3.12.6. Binaries are available | here.

NSS softoken has completed FIPS 140 validation four times: 1997, 1999, 2002, 2007 and 2009. View | NSS FIPS validation history here. View the FIPS2009 validation here.

This page documents our current NSS FIPS 140 validation.

Platforms for 2011

  • Level 1
    • RHEL 6 x86 32 bit (no AES-NI)
    • RHEL 6 x86 64 bit

Algorithms

Plan is to validate all FIPS-approved algorithms that NSS implements and NIST has tests for. There are eight such algorithms.

Algorithms Key Size Modes Certificates
TripleDES KO 1,2,3 (56,112,168)

TECB(e/d; KO 1,2,3)
TCBC(e/d; KO 1,2,3)

Pending

AES 128/192/256

ECB(e/d; 128,192,256)
CBC(e/d; 128,192,256)

Pending

SHS (including all variants: SHA-1, SHA-256, SHA-384, and SHA-512)

SHS

SHA-1 (BYTE-only)
SHA-256 (BYTE-only)
SHA-384 (BYTE-only)
SHA-512 (BYTE-only)

N/A

Pending

HMAC

HMAC-SHA1, HMAC-SHA256,
HMAC-SHA384, HMAC-SHA512

KeySize < BlockSize,
KeySize = BlockSize,
KeySize > BlockSize

Pending

DRBG N/A

Hash_DRBG of NIST SP 800-90

Pending

DSA 512-1024

PQG(gen)MOD(1024);
PQG(ver)MOD(1024);
KEYGEN(Y)MOD(1024);
SIG(gen)MOD(1024);
SIG(ver)MOD(1024);

Pending

RSA 1024-8192

ALG[RSASSA-PKCS1_V1_5]; SIG(gen); SIG(ver);

Pending

ECDSA

(Extended ECC)

163-571

PKG: CURVES( ALL-P ALL-K ALL-B );
PKV: CURVES( ALL-P ALL-K ALL-B );
SIG(gen): CURVES( ALL-P ALL-K ALL-B );
SIG(ver): CURVES( ALL-P ALL-K ALL-B );

Not In 2011 Validation

ECDSA

(Basic ECC)

256-521

PKG: CURVES( ALL-P P-256 P-384 P-521 );
PKV: CURVES( ALL-P P-256 P-384 P-521 );
SIG(gen): CURVES( ALL-P P-256 P-384 P-521 );
SIG(ver): CURVES( P-256 P-384 P-521 );

Not In 2011 Validation

Dependant Bugs

Bug Description Completed

Testing Lab

SAIC

FIPS 140 Information

NIST Cryptographic Module Validation Program

NIST Crypto Toolkit

NSS FIPS 140-2 Validation Docs

NSS FIPS 140-2 Validation Docs

FIPS 140-2 Derived Test Requirements (DTR)

FIPS 140-2 Derived Test Requirements (DTR)


Vendor Information

This validation is supported and maintained by the following corporations:

Red Hat, Inc.: http://www.redhat.com/about/contact/

Products Implementing FIPS 140-2 Validated NSS


Retrieved from "https://wiki.mozilla.org/index.php?title=FIPS_Validation&oldid=1184489"