|
|
| (42 intermediate revisions by 4 users not shown) |
| Line 1: |
Line 1: |
| == NSS FIPS 140 validation == | | == NSS FIPS 140 validation == |
|
| |
|
| NSS has completed FIPS 140 validation four times: 1997, 1999, 2002, and 2007. This page documents our recent NSS FIPS 140 validation. | | Softoken is a component of [[NSS]], and has a separate version number. The most recent FIPS validated Softoken is 3.12.4 and is in '''NSS 3.12.4''' and '''NSS 3.12.5''' and '''NSS 3.12.6'''. Binaries are available [https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_4_RTM/ | here]. |
|
| |
|
| Target Release: Softoken 3.11.4
| | NSS softoken has completed FIPS 140 validation four times: 1997, 1999, 2002, 2007 and 2009. View [http://www.mozilla.org/projects/security/pki/nss/fips/ | NSS FIPS validation history ] here. View the [[FIPS2009]] validation here. |
|
| |
|
| Softoken is a component of [[NSS]], and has a separate version number. Softoken 3.11.4 is in '''NSS 3.11.4''' and '''NSS 3.11.5''', which means these two versions of NSS will both be '''FIPS 140 validated'''.
| | This page documents our current NSS FIPS 140 validation. |
| | |
| ==Updates==
| |
| | |
| '''August 27, 2007: Our Level 2 cert has been issued! [http://csrc.nist.gov/cryptval/140-1/140val-all.htm#814 NSS Level 2 Cert]'''
| |
| | |
| | |
| '''August 8, 2007: Our Level 1 cert has been issued! [http://csrc.nist.gov/cryptval/140-1/140val-all.htm#815 NSS Level 1 Cert]'''
| |
| | |
| August 2, 2007: we advanced to Finalization state according to [http://csrc.nist.gov/cryptval/140-1/preval.htm FIPS 140-2 Pre-validation List]. This means the certs should be issued soon.
| |
| | |
| March 23, 2007: we advanced to Coordination state according to [http://csrc.nist.gov/cryptval/140-1/preval.htm FIPS 140-2 Pre-validation List]. This means we are in the final stages, answering questions from NIST. One more state to go...
| |
| | |
| January 18, 2007: we advanced to the In Review state on the [http://csrc.nist.gov/cryptval/140-1/preval.htm FIPS 140-2 Pre-validation List]. This means the two-month wait for a NIST reviewer to be assigned to our case is over.
| |
| | |
| November 16, 2006: Aspect Labs submitted the test report to NIST for validation. We advanced to the Review Pending state on the [http://csrc.nist.gov/cryptval/140-1/preval.htm FIPS 140-2 Pre-validation List].
| |
| | |
| June 30, 2006: we have received the remaining four algorithm certificates: RNG ([http://csrc.nist.gov/cryptval/rng/rngval.html#208 certificate #208]), DSA ([http://csrc.nist.gov/cryptval/dss/dsaval.htm#172 certificate #172]), RSA ([http://csrc.nist.gov/cryptval/dss/rsaval.html#152 certificate #152]), and ECDSA ([http://csrc.nist.gov/cryptval/dss/ecdsaval.html#30 certificate #30]).
| |
| | |
| June 23, 2006: we are now on the [http://csrc.nist.gov/cryptval/140-1/preval.htm FIPS 140-2 Pre-validation List].
| |
| | |
| June 15, 2006: we addressed the deficiencies in Chapter 1-4 of the documentation.
| |
| | |
| April 13, 2006 status: we are having RNG, DSA, and RSA validated now. We are updating our Security Policy and writing our responses to the vendor requirements in the FIPS 140-2 Derived Test Requirements (DTR).
| |
| | |
| January 20, 2006 status: we have received four algorithm certificates: AES ([http://www.csrc.nist.gov/cryptval/aes/aesval.html#352 certificate #352]), Triple DES ([http://csrc.nist.gov/cryptval/des/tripledesval.html#410 certificate #410]), SHS ([http://csrc.nist.gov/cryptval/shs/shaval.htm#426 certificate #426]), and HMAC ([http://csrc.nist.gov/cryptval/mac/hmacval.html#152 certificate #152]).
| |
| | |
| === Platforms ===
| |
|
| |
|
| | == Platforms for 2011 == |
| * Level 1 | | * Level 1 |
| ** RHEL '''4''' x86 (was: RHEL '''3''' x86) | | ** RHEL '''6''' x86 32 bit (no AES-NI) |
| ** Windows XP Service Pack 2
| | ** RHEL '''6''' x86 64 bit |
| ** 64-bit Solaris 10 AMD64
| |
| ** HP-UX B.11.11 PA-RISC
| |
| ** Mac OS X 10.4
| |
| * Level 2
| |
| ** RHEL 4 '''x86_64''' (was: RHEL 4 '''x86''') | |
| ** 64-bit Trusted Solaris 8 SPARC
| |
| | |
| === Schedule ===
| |
| | |
| {| border="1" cellpadding="2" summary="schedule table"
| |
| |-
| |
| ! Milestone !! Item !! Deps !! Time !! Who !! Completed
| |
| |-
| |
| | M1 || Initial Setup || || || ||
| |
| |-
| |
| | 1a || Choose validation Lab, approve costs, and sign NDA || all || || all || [http://www.bkpsecurity.com/ Aspect Labs ]
| |
| |-
| |
| | 1b || [http://csrc.nist.gov/publications/nistpubs/800-29/sp800-29.pdf Review FIPs 140-2 and compare to FIPS 140-1] || all || || || X
| |
| |-
| |
| | 1c || Aspect Labs Training course June 21st and June 22nd || || || || X
| |
| |-
| |
| | 1d || Define Algorithms, Key Sizes and modes || || || || X
| |
| |-
| |
| | M2 || Complete NSS 3.11 FIPS dependant bugs || || || || X
| |
| |-
| |
| | M3 || Update documentation (numbers in parentheses refer to sections in FIPS documentation) || || || ||
| |
| |-
| |
| | 3a. || (1.0) Security policy, new algorithms || 1d || 2 wks || all || x
| |
| |-
| |
| | 3b. || Generate annotated source tree (LXR -> HTML) || M2 || || || x
| |
| |-
| |
| | 3c. || (2.0) Finite State Machine || 3b || 3 wks || || x
| |
| |-
| |
| | 3d. || (3.0/4.0) Cryptographic Module Definition || 3b || 2 wks || || x
| |
| |-
| |
| | 3e. || (6.0) Software Security (rules-to-code map) || 3b || 2 wks || || x
| |
| |-
| |
| | 3f. || (8.0) Key Management Generate 20K random #'s || || 1 day || || x
| |
| |-
| |
| | 3g. || (9.0) Cryptographic Algs || 3a || 3 days || || x
| |
| |-
| |
| | 3h. || (10.0) Operational Test Plan || || 1 day || || x
| |
| |-
| |
| | 3i. || Document architectural changes between 3.2 and 3.11 || || 5 days || || x
| |
| |-
| |
| | M4 || Send docs to testing lab || || || || x
| |
| |-
| |
| | 4a. || Security Policy || || all || || x
| |
| |-
| |
| | 4b. || Finite State Machine || 3c || || || x
| |
| |-
| |
| | 4c. || Module Def. / rules-to-code || 3d,3e || || || x
| |
| |-
| |
| | M5 || Operational validation || || || || x
| |
| |-
| |
| | 5a. || Algorithm testing || || 1 month || || x
| |
| |-
| |
| | 5b. || Operational testing || 3h || 1 week || || x
| |
| |-
| |
| | 5c || set up machines for Lab to run operational tests on, provide Lab tech with access to machines (last time we both sent a box to the lab and set up a temporary account in the intranet for them) || || || || x
| |
| |-
| |
| | M6 || Internal QA of docs || M2-M5 || 1 week || all || x
| |
| |-
| |
| | M7 || Communication between NSS team / Lab / NIST about status of validation / algorithm certificates || M1-5 || 3-6 mos || all || x
| |
| |}
| |
|
| |
|
| <BR>
| | == Algorithms == |
|
| |
|
| === Algorithms ===
| | Plan is to validate all FIPS-approved algorithms that NSS implements and NIST has tests for. There are eight such algorithms. |
|
| |
|
| Plan is to validate all FIPS-approved algorithms that NSS implements and NIST has tests for. There are eight such algorithms:
| |
| {| border="1" cellpadding="2" summary="Algorithms" | | {| border="1" cellpadding="2" summary="Algorithms" |
| |- | | |- |
| !Algorithms !! Key Size !! Modes !! Testing Completed | | !Algorithms !! Key Size !! Modes !! Certificates |
|
| |
|
| |- | | |- |
| ![http://csrc.nist.gov/cryptval/des/tripledesval.html TripleDES] | | ![http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledesval.html TripleDES] |
| | KO 1,2,3 (56,112,168) | | | KO 1,2,3 (56,112,168) |
| || | | || |
| Line 119: |
Line 27: |
| TCBC(e/d; KO 1,2,3) | | TCBC(e/d; KO 1,2,3) |
| || | | || |
| [http://csrc.nist.gov/cryptval/des/tripledesval.html#410 Certificate #410] for x86 CPUs<br><br>
| | Pending |
| [http://csrc.nist.gov/cryptval/des/tripledesval.html#469 Certificate #469] for non-x86 CPUs
| |
| |- | | |- |
| ! [http://csrc.nist.gov/cryptval/aes/aesval.html AES] | | ! [http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html AES] |
| | 128/192/256 | | | 128/192/256 |
| || | | || |
| Line 128: |
Line 35: |
| CBC(e/d; 128,192,256) | | CBC(e/d; 128,192,256) |
| || | | || |
| [http://csrc.nist.gov/cryptval/aes/aesval.html#352 Certificate #352]
| | Pending |
| |- | | |- |
| ![http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf/ SHS (including all variants: SHA-1, SHA-256, SHA-384, and SHA-512)] | | ![http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf/ SHS (including all variants: SHA-1, SHA-256, SHA-384, and SHA-512)] |
| [http://csrc.nist.gov/cryptval/shs/shaval.htm SHS] | | [http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm SHS] |
| | | | | |
| SHA-1 (BYTE-only)<br> | | SHA-1 (BYTE-only)<br> |
| Line 138: |
Line 45: |
| SHA-512 (BYTE-only) | | SHA-512 (BYTE-only) |
| || N/A || | | || N/A || |
| [http://csrc.nist.gov/cryptval/shs/shaval.htm#426 Certificate #426]
| | Pending |
| |- | | |- |
| ! [http://csrc.nist.gov/cryptval/mac/hmacval.html HMAC] | | ! [http://csrc.nist.gov/groups/STM/cavp/documents/mac/hmacval.html HMAC] |
| | | | | |
| HMAC-SHA1, HMAC-SHA256,<br> | | HMAC-SHA1, HMAC-SHA256,<br> |
| Line 149: |
Line 56: |
| KeySize > BlockSize | | KeySize > BlockSize |
| || | | || |
| [http://csrc.nist.gov/cryptval/mac/hmacval.html#152 Certificate #152]
| | Pending |
| |- | | |- |
| ! [http://csrc.nist.gov/cryptval/rng/rngval.html RNG] | | ! [http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html DRBG] |
| | N/A | | | N/A |
| || | | || |
| FIPS 186-2
| | Hash_DRBG of [http://csrc.nist.gov/publications/nistpubs/800-90/SP800-90revised_March2007.pdf NIST SP 800-90] |
| [(x-Change Notice); | |
| (SHA-1)]<br>
| |
| FIPS 186-2 General Purpose
| |
| [(x-Change Notice);
| |
| (SHA-1)]
| |
| || | | || |
| [http://csrc.nist.gov/cryptval/rng/rngval.html#208 Certificate #208]
| | Pending |
| |- | | |- |
| ! [http://csrc.nist.gov/cryptval/dss/dsaval.htm DSA] | | ! [http://csrc.nist.gov/groups/STM/cavp/documents/dss/dsaval.htm DSA] |
| | 512-1024 || | | | 512-1024 || |
| PQG(gen)MOD(ALL);<br> | | PQG(gen)MOD(1024);<br> |
| PQG(ver)MOD(ALL);<br> | | PQG(ver)MOD(1024);<br> |
| KEYGEN(Y)MOD(ALL);<br> | | KEYGEN(Y)MOD(1024);<br> |
| SIG(gen)MOD(ALL);<br> | | SIG(gen)MOD(1024);<br> |
| SIG(ver)MOD(ALL); | | SIG(ver)MOD(1024); |
| || | | || |
| [http://csrc.nist.gov/cryptval/dss/dsaval.htm#172 Certificate #172]
| | Pending |
| |- | | |- |
| ! [http://csrc.nist.gov/cryptval/dss/rsaval.html RSA] | | ! [http://csrc.nist.gov/groups/STM/cavp/documents/dss/rsaval.html RSA] |
| | 1024-8192 || | | | 1024-8192 || |
| ALG[RSASSA-PKCS1_V1_5]; SIG(gen); | | ALG[RSASSA-PKCS1_V1_5]; SIG(gen); |
| SIG(ver); | | SIG(ver); |
| || | | || |
| [http://csrc.nist.gov/cryptval/dss/rsaval.html#152 Certificate #152]
| | Pending |
| |- | | |- |
| ! [http://csrc.nist.gov/cryptval/dss/ecdsaval.html ECDSA] | | ! [http://csrc.nist.gov/groups/STM/cavp/documents/dss/ecdsaval.html ECDSA] |
| (Extended ECC) | | (Extended ECC) |
| | 163-571 || | | | 163-571 || |
| Line 188: |
Line 90: |
| SIG(ver): CURVES( ALL-P ALL-K ALL-B ); | | SIG(ver): CURVES( ALL-P ALL-K ALL-B ); |
| || | | || |
| [http://csrc.nist.gov/cryptval/dss/ecdsaval.html#30 Certificate #30]
| | Not In 2011 Validation |
| |- | | |- |
| ! [http://csrc.nist.gov/cryptval/dss/ecdsaval.html ECDSA] | | ! [http://csrc.nist.gov/groups/STM/cavp/documents/dss/ecdsaval.html ECDSA] |
| (Basic ECC) | | (Basic ECC) |
| | 256-521 || | | | 256-521 || |
| Line 198: |
Line 100: |
| SIG(ver): CURVES( P-256 P-384 P-521 ); | | SIG(ver): CURVES( P-256 P-384 P-521 ); |
| || | | || |
| [http://csrc.nist.gov/cryptval/dss/ecdsaval.html#37 Certificate #37]
| | Not In 2011 Validation |
| |} | | |} |
|
| |
|
| In this validation, we should validate AES and Triple DES first because their
| | == Dependant Bugs == |
| implementations are stable. Next we should test SHS because RNG and DSA depend on SHA-1. After SHS is tested, we can test HMAC. Finally, when the new RNG
| |
| and big num library code is checked in, we can test the rest of the algorithms
| |
| (RNG, DSA, and RSA).
| |
| | |
| === Dependant Bugs ===
| |
| {| border="1" cellpadding="2" summary="Dependent Bugs" | | {| border="1" cellpadding="2" summary="Dependent Bugs" |
| |- | | |- |
| ! Bug !! Description !! Completed | | ! Bug !! Description !! Completed |
| |- | | |- |
| |[https://bugzilla.mozilla.org/show_bug.cgi?id=259135 259135] || power-up self-tests needed for SHA-256,384,512 and AES || Completed | | ||| || |
| |-
| |
| | [https://bugzilla.mozilla.org/show_bug.cgi?id=294106 294106] || Implement the recommended PRNG changes described in FIPS 186-2 Change Notice 1 || Completed
| |
| |-
| |
| | [https://bugzilla.mozilla.org/show_bug.cgi?id=298506 298506 ] || Implement logging for auditable events required by FIPS 140-2 || Completed
| |
| |-
| |
| | [https://bugzilla.mozilla.org/show_bug.cgi?id=298511 298511 ] || Increase FIPS 186-2 RNG internal state size || Completed
| |
| |-
| |
| | [https://bugzilla.mozilla.org/show_bug.cgi?id=298512 298512 ] || Ensure the seed and seed key input for RNG do not have same value for FIPS 140-2 || Completed
| |
| |-
| |
| | [https://bugzilla.mozilla.org/show_bug.cgi?id=298513 298513 ] || Implement pairwise consistency test for key transport key generation FIPS 140-2 || Completed
| |
| |-
| |
| | [https://bugzilla.mozilla.org/show_bug.cgi?id=298514 298514 ]|| Implement pairwise consistency for digitial signature key generation for FIPS 140-2 || Completed
| |
| |-
| |
| | [https://bugzilla.mozilla.org/show_bug.cgi?id=298516 298516 ] || Implement minimum length of PINs for FIPS 140-2 mode || Completed
| |
| |-
| |
| | [https://bugzilla.mozilla.org/show_bug.cgi?id=298517 298517 ] || Implement minimum time intervals for login attempts failures for FIPS 140-2 || Completed
| |
| |-
| |
| | [https://bugzilla.mozilla.org/show_bug.cgi?id=298520 298520 ] || Implement key establishment must be as secure as the strength of the key being transported for FIPS 140-2 || Completed
| |
| |-
| |
| |[https://bugzilla.mozilla.org/show_bug.cgi?id=298522 298522 ] || Implement more power-up self tests, such as HMAC, RSA for FIPS 140-2 || Completed
| |
| |-
| |
| |[https://bugzilla.mozilla.org/show_bug.cgi?id=305984 305984 ] || Update the isFIPS information SSLCipherSuiteInfo table || Completed
| |
| | |
| |-
| |
| |[https://bugzilla.mozilla.org/show_bug.cgi?id=318958 318958 ] || Implement TDEA algorithm tests for FIPS 140-2 validation || Completed
| |
| | |
| |-
| |
| |[https://bugzilla.mozilla.org/show_bug.cgi?id=318962 318962 ] || Implement SHS algorithm tests for FIPS 140-2 validation || Completed
| |
| | |
| |-
| |
| |[https://bugzilla.mozilla.org/show_bug.cgi?id=318964 318964 ] || Implement HMAC algorithm tests for FIPS 140-2 validation || Completed
| |
| | |
| |-
| |
| |[https://bugzilla.mozilla.org/show_bug.cgi?id=318966 318966 ] || Implement RNG algorithm tests for FIPS 140-2 validation || Completed
| |
| | |
| |-
| |
| |[https://bugzilla.mozilla.org/show_bug.cgi?id=318967 318967 ] || Implement DSA algorithm tests for FIPS 140-2 validation || Completed
| |
| | |
| |-
| |
| |[https://bugzilla.mozilla.org/show_bug.cgi?id=318970 318970 ] || Implement RSA algorithm tests for FIPS 140-2 validation || Completed
| |
| | |
| |-
| |
| |[https://bugzilla.mozilla.org/show_bug.cgi?id=312395 312395 ] || Enhance fipstest to perform FIPS AES algorithm testing || Completed
| |
| | |
| |-
| |
| |[https://bugzilla.mozilla.org/show_bug.cgi?id=342362 342362 ] || Need https://ftp.mozilla.org for secure download of NSS releases. || Completed
| |
| | |
| |} | | |} |
|
| |
|
| === Bugs to Fix ===
| | == Testing Lab == |
| | | [http://www.saic.com/infosec/testing-accreditation/ SAIC ] |
| After we submitted the NSS cryptographic module version 3.11.4 to NIST for validation, we found some bugs that are not serious enough to warrant retesting, but should be fixed if we have a chance to make changes to the module.
| |
| | |
| * [https://bugzilla.mozilla.org/show_bug.cgi?id=361089 Bug 361089]: memory leak in mp_bdivmod. (in NSS 3.11.7) '''Note:''' This bug fix requires retesting the ECDSA (Extended ECC) implementation.
| |
| * [https://bugzilla.mozilla.org/show_bug.cgi?id=331404 Bug 331404]: NSS may crash in initialization when windows file system contains REALLY OLD files. (in NSS 3.11.7) '''Note:''' The msvcr80.dll bug seems to have been fixed in Visual C++ 2005 SP1.
| |
| * [https://bugzilla.mozilla.org/show_bug.cgi?id=362173 Bug 362173]: The NSS cryptographic module should have its own version numbers. (in NSS 3.11.6)
| |
| * [https://bugzilla.mozilla.org/show_bug.cgi?id=362404 Bug 362404]: the browser's security component could not be initialized on Windows 95 OSR2.
| |
| * [https://bugzilla.mozilla.org/show_bug.cgi?id=51429 Bug 51429]: RNG_SystemInfoForRNG possible "netstat" zombie process (in NSS 3.11.6)
| |
| * [https://bugzilla.mozilla.org/show_bug.cgi?id=364684 Bug 364684]: NSS crashes when slot's session handle counter overflows. (in NSS 3.11.6)
| |
| | |
| === Testing Lab ===
| |
| [http://www.bkpsecurity.com/ Aspect Labs ] | |
|
| |
|
| === FIPS 140 Information ===
| | == FIPS 140 Information == |
|
| |
|
| [http://csrc.nist.gov/cryptval/ NIST Cryptographic Module Validation Program ] | | [http://csrc.nist.gov/cryptval/ NIST Cryptographic Module Validation Program ] |
| Line 290: |
Line 129: |
| [[ FIPS 140-2 Vendor Requirement Docs | FIPS 140-2 Derived Test Requirements (DTR) ]] | | [[ FIPS 140-2 Vendor Requirement Docs | FIPS 140-2 Derived Test Requirements (DTR) ]] |
|
| |
|
| | |
| | == Vendor Information == |
| | |
| | This validation is supported and maintained by the following corporations: |
| | |
| | Red Hat, Inc.: http://www.redhat.com/about/contact/ |
| | |
| | == Products Implementing FIPS 140-2 Validated NSS == |
| | |
| | * [https://www.redhat.com Red Hat Enterprise Linux] ([https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-federal_standards_and_regulations-federal_information_processing_standard#enabling-fips-mode Documentation]) |
| | |
| | <BR> |
| [[Category:NSS]] | | [[Category:NSS]] |