FIPS Module Specification

From MozillaWiki
Jump to navigation Jump to search

This is a draft document

Cryptographic Module Specification

A series of security libraries represent the cryptographic module which present an application programmer interface (API) to client and server applications utilizing NSS. The libraries are compiled and built for specific platforms (see Platform List) and tagged with a release identifier to be published on mozilla.org. The release compliant with FIPS 140-2 is NSS 3.11.5.

The cryptographic module is defined to be a subset of the functions within these libraries. The subset is below the top layer of functions normally called by application programs. Functions that are being certified include TripleDES(KO 1,2,3 56/112/168), AES(128/192/256), SHS (SHA-1, -256, -384 -512), HMAC, DSA (512/1024), RSA (1024/8092).

Module Components

NSS is a software cryptographic implementation. No hardware or firmware components are include. All input to the module is via function argument; all output is returned to the caller either as return codes or as updated memory objects pointers to which constitute some of the arguments.

The Cryptographic Boundary

NSS's PKCS#11 (Cryptoki) implementation forms the cryptographic module. The API itself is considered to define the cryptographic boundary, thus all implementation is considered below the boundary. Also included in this module is the FIPS PKCS#11 token. This is a Cryptoki token designed specifically for FIPS, and allows applications using NSS to operate in a strictly FIPS-mode. The diagram below shows the relationship of the layers.

Fipsmod.png

Retrieved from "https://wiki.mozilla.org/index.php?title=FIPS_Module_Specification&oldid=24811"