FIPS Validation

american flash native tattoo art flash tattoo work angel flash tattoo wing flash flower lotus tattoo art flash japanese tattoo aztec calendar flash tattoo tattoo shop in florida ink miami shop tattoo las vegas tattoo shop piercing and tattoo shop san diego tattoo shop big daddy tattoo shop tattoo shop in chicago tattoo shop in houston tattoo shop in miami san francisco tattoo shop tattoo shop in california los angeles tattoo shop san antonio tattoo shop low rider tattoo shop tattoo shop new york tattoo shop in toronto tattoo shop in michigan tattoo shop in maryland tattoo shop orange county tattoo shop in dallas tattoo shop t shirt tattoo shop in hawaii tattoo shop new jersey outer limit tattoo shop bay area tattoo shop tattoo shop in minnesota tattoo shop in texas tattoo shop in atlanta tattoo shop in ohio long island tattoo shop tattoo shop for sale tattoo shop in georgia tattoo shop in illinois tattoo shop in sacramento tattoo shop in pa san jose tattoo shop tattoo shop web site tattoo shop in vegas enchanted dragon tattoo shop tattoo shop in winnipeg cross infinity picture tattoo cross design tattoo tribal cross greek orthodox tattoo cross pic tattoo tribal cross hands praying tattoo angel cross tattoo wings back cross lower tattoo christian cross design tattoo cross greek letter tattoo cross side stomach tattoo cross in memory tattoo bones cross skull tattoo cross eva longoria tattoo cross justin tattoo timberlake bone cross skull tattoo back butterfly lower tattoo butterfly flower picture tattoo butterfly by harley tattoo butterfly design tattoo tribal butterfly design fairy tattoo butterfly fairy flower tattoo butterfly design flower tattoo butterfly fairy picture tattoo butterfly gallery picture tattoo butterfly design online tattoo black butterfly design tattoo black butterfly tattoo white butterfly picture tattoo unique butterfly free gallery tattoo butterfly ink iron tattoo butterfly ink miami tattoo butterfly design flash tattoo butterfly fairy tattoo tribal butterfly design picture tattoo butterfly picture small tattoo butterfly design floral tattoo picture of tribal tattoo tribal art tattoo picture tribal sun tattoo picture upper back tribal tattoo behind neck tattoo tribal tribal armband tattoo picture free tribal tattoo flash tribal dragon picture tattoo half sleeve tribal tattoo sea turtle tribal tattoo american native tribal tattoo tribal body art tattoo free tribal cross tattoo free tribal tattoo art tribal sun tattoo pic tribal arm tattoo picture tribal cross tattoo pic band pacific tattoo tribal heart tribal tattoo picture

== NSS FIPS 140-2 validation ==NSS has completed FIPS validation three times already (1997, 1999, and 2002), and is now undergoing a fourth evaluation. This page documents our plans for thecurrent NSS FIPS validation.Target Release: NSS 3.11.4November 16, 2006: BKP Security submitted the test report to NIST for validation. We advanced to the Review Pending state on the FIPS 140-2 Pre-validation List.June 30, 2006: we have received the remaining four algorithm certificates: RNG (certificate #208), DSA (certificate #172), RSA (certificate #152), and ECDSA (certificate #30).June 23, 2006: we are now on the FIPS 140-2 Pre-validation List.June 15, 2006: we addressed the deficiencies in Chapter 1-4 of the documentation.April 13, 2006 status: we are having RNG, DSA, and RSA validated now. We are updating our Security Policy and writing our responses to the vendor requirements in the FIPS 140-2 Derived Test Requirements (DTR).January 20, 2006 status: we have received four algorithm certificates: AES (certificate #352), Triple DES (certificate #410), SHS (certificate #426), and HMAC (certificate #152).=== Platforms ===* Level 1** RHEL 4 x86 (was: RHEL 3 x86)** Windows XP Service Pack 2** 64-bit Solaris 10 AMD64** HP-UX B.11.11 PA-RISC** Mac OS X 10.4* Level 2** RHEL 4 x86_64 (was: RHEL 4 x86)** 64-bit Trusted Solaris 8 SPARC=== Schedule ==={| border="1" cellpadding="2"|-! Milestone !! Item !! Deps !! Time !! Who !! Completed |- | M1 || Initial Setup || || || |||-| 1a || Choose validation Lab, approve costs, and sign NDA || all || || all || BKP Security |-| 1b || Review FIPs 140-2 and compare to FIPS 140-1 || all || || || X|- | 1c || BKP Training course June 21st and June 22nd || || || glen, jullien, Darren, Wan-Teh, Bob || X|-| 1d || Define Algorithms, Key Sizes and modes || || || || X |- | M2 || Complete NSS 3.11 FIPS dependant bugs || || || || X|-| M3 || Update documentation (numbers in parentheses refer to sections in FIPS documentation) || || || || |-| 3a. || (1.0) Security policy, new algorithms || 1d ||2 wks || all ||ongoing |-| 3b. || Generate annotated source tree (LXR -> HTML) || M2 || || glen || ongoing|-| 3c. || (2.0) Finite State Machine || 3b || 3 wks || |||-| 3d. || (3.0/4.0) Cryptographic Module Definition || 3b || 2 wks || |||-| 3e. || (6.0) Software Security (rules-to-code map) ||3b || 2 wks || |||-| 3f. || (8.0) Key Management Generate 20K random #'s || || 1 day || || |-| 3g. || (9.0) Cryptographic Algs || 3a || 3 days || || |-| 3h. || (10.0) Operational Test Plan || || 1 day || || |-| 3i. || Document architectural changes between 3.2 and 3.11 || || 5 days || || |-| M4 || Send docs to testing lab || || || |||-| 4a. || Security Policy || || all || ongoing || |-| 4b. || Finite State Machine || 3c || || || |-| 4c. || Module Def. / rules-to-code ||3d,3e || || |||-| M5 || Operational validation || || || || |-| 5a. || Algorithm testing || || 1 month || || |-| 5b. || Operational testing ||3h || 1 week || |||-| 5c || set up machines for Lab to run operational tests on, provide Lab tech with access to machines (last time we both sent a box to the lab and set up a temporary account in the intranet for them) || || || |||-| M6 ||Internal QA of docs || M2-M5 ||1 week || all |||-| M7 ||Communication between NSS team / Lab / NIST about status of validation / algorithm certificates || M1-5 || 3-6 mos || all || |}
=== Algorithms === Plan is to validate all FIPS-approved algorithms that NSS implements and NIST has tests for. There are eight such algorithms: {| border="1" cellpadding="2"|+|-!Algorithms !! Key Size !! Modes !! Testing Completed |-!TripleDES | KO 1,2,3 (56,112,168)||TECB(e/d; KO 1,2,3)
TCBC(e/d; KO 1,2,3)|| Certificate #410 for x86 CPUs

Certificate #469 for non-x86 CPUs|-! AES | 128/192/256||ECB(e/d; 128,192,256)
CBC(e/d; 128,192,256)|| Certificate #352|-!SHS (including all variants: SHA-1, SHA-256, SHA-384, and SHA-512)SHS |SHA-1 (BYTE-only)
SHA-256 (BYTE-only)
SHA-384 (BYTE-only)
SHA-512 (BYTE-only)|| N/A || Certificate #426|-! HMAC| HMAC-SHA1, HMAC-SHA256,
HMAC-SHA384, HMAC-SHA512 || KeySize < BlockSize,
KeySize = BlockSize,
KeySize > BlockSize || Certificate #152|-! RNG | N/A || FIPS 186-2[(x-Change Notice);(SHA-1)]
FIPS 186-2 General Purpose[(x-Change Notice);(SHA-1)]|| Certificate #208|-! DSA | 512-1024 ||PQG(gen)MOD(ALL);
PQG(ver)MOD(ALL);
KEYGEN(Y)MOD(ALL);
SIG(gen)MOD(ALL);
SIG(ver)MOD(ALL);|| Certificate #172|-! RSA | 1024-8192 || ALG[RSASSA-PKCS1_V1_5]; SIG(gen); SIG(ver); ||Certificate #152|-! ECDSA(Extended ECC)| 163-571 ||PKG: CURVES( ALL-P ALL-K ALL-B );
PKV: CURVES( ALL-P ALL-K ALL-B );
SIG(gen): CURVES( ALL-P ALL-K ALL-B );
SIG(ver): CURVES( ALL-P ALL-K ALL-B );|| Certificate #30|-! ECDSA(Basic ECC)| 256-521 ||PKG: CURVES( ALL-P P-256 P-384 P-521 );
PKV: CURVES( ALL-P P-256 P-384 P-521 );
SIG(gen): CURVES( ALL-P P-256 P-384 P-521 );
SIG(ver): CURVES( P-256 P-384 P-521 );|| Certificate #37|}In this validation, we should validate AES and Triple DES first because theirimplementations are stable. Next we should test SHS because RNG and DSA depend on SHA-1. After SHS is tested, we can test HMAC. Finally, when the new RNGand big num library code is checked in, we can test the rest of the algorithms(RNG, DSA, and RSA).=== Dependant Bugs ==={| border="1" cellpadding="2"|-! Bug !! Description !! Completed |- |259135 || power-up self-tests needed for SHA-256,384,512 and AES || Completed |- | 294106 || Implement the recommended PRNG changes described in FIPS 186-2 Change Notice 1 || Completed|- | 298506 || Implement logging for auditable events required by FIPS 140-2 || Completed|- | 298511 || Increase FIPS 186-2 RNG internal state size || Completed|- | 298512 || Ensure the seed and seed key input for RNG do not have same value for FIPS 140-2 || Completed|- | 298513 || Implement pairwise consistency test for key transport key generation FIPS 140-2 || Completed|- | 298514 || Implement pairwise consistency for digitial signature key generation for FIPS 140-2 || Completed|- | 298516 || Implement minimum length of PINs for FIPS 140-2 mode || Completed|- | 298517 || Implement minimum time intervals for login attempts failures for FIPS 140-2 || Completed|- | 298520 || Implement key establishment must be as secure as the strength of the key being transported for FIPS 140-2 || Completed|-|298522 || Implement more power-up self tests, such as HMAC, RSA for FIPS 140-2 || Completed|-|305984 || Update the isFIPS information SSLCipherSuiteInfo table || Completed|-|318958 || Implement TDEA algorithm tests for FIPS 140-2 validation || Completed|-|318962 || Implement SHS algorithm tests for FIPS 140-2 validation || Completed|-|318964 || Implement HMAC algorithm tests for FIPS 140-2 validation || Completed|-|318966 || Implement RNG algorithm tests for FIPS 140-2 validation || Completed|-|318967 || Implement DSA algorithm tests for FIPS 140-2 validation || Completed|-|318970 || Implement RSA algorithm tests for FIPS 140-2 validation || Completed|-|312395 || Enhance fipstest to perform FIPS AES algorithm testing || Completed|-|342362 || Need https://ftp.mozilla.org for secure download of NSS releases. || Completed|}=== Testing Lab === BKP Security === FIPS Information ===NIST Cryptographic Module Validation Program NIST Crypto Toolkit == NSS FIPS 140-2 Validation Docs == NSS FIPS 140-2 Validation Docs == FIPS 140-2 Derived Test Requirements (DTR) == FIPS 140-2 Derived Test Requirements (DTR)

FIPS Validation

Navigation menu

Search