FIPS Validation
NSS FIPS 140-2 validation
Target Release: NSS 3.11
Platforms
- Level 1
- RHEL 4 x86
- Windows XP Service Pack 2
- 64-bit Solaris 10 AMD64
- HP-UX B.11.11 PA-RISC
- Mac OS X 10.4
- Level 2
- RHEL 4 x86 (see Note).
- 64-bit Trusted Solaris 8 SPARC
Note: Level 2 testing must be performed on an operating system that has received Common Criteria EAL4 certification. The only two qualified operating systems today are Trusted Solaris 8 and Windows 2000. When RHEL 4 U1+ achieves Common Criteria EAL4 certification later this year, Level 2 testing will be performed on RHEL 4 U1+.
Schedule
| Milestone | Item | Deps | Time | Who | Completed |
|---|---|---|---|---|---|
| M1 | Initial Setup | ||||
| 1a | Choose validation Lab, approve costs, and sign NDA | all | all | X | |
| 1b | Review FIPS 140-2 and compare to FIPS 140-1 | all | |||
| 1c | BKP Training course June 21st and June 22nd | glen,jullien,Darren,Wan-Teh,Bob | |||
| 1d | Define Algorithms, Key Sizes and modes | ||||
| M2 | Complete NSS 3.11 FIPS-dependent bugs | ||||
| M3 | Update documentation (numbers in parentheses refer to sections in FIPS documentation) | ||||
| 3a. | (1.0) Security policy, new algorithms | 1d | 2 wks | all | ongoing |
| 3b. | Generate annotated source tree (LXR -> HTML) | M2 | glen | ongoing | |
| 3c. | (2.0) Finite State Machine | 3b | 3 wks | ||
| 3d. | (3.0/4.0) Cryptographic Module Definition | 3b | 2 wks | ||
| 3e. | (6.0) Software Security (rules-to-code map) | 3b | 2 wks | ||
| 3f. | (8.0) Key Management Generate 20K random #'s | 1 day | |||
| 3g. | (9.0) Cryptographic Algs | 3a | 3 days | ||
| 3h. | (10.0) Operational Test Plan | 1 day | |||
| 3i. | Document architectural changes between 3.2 and 3.11 | 5 days | |||
| M4 | Send docs to testing lab | ||||
| 4a. | Security Policy | all | ongoing | ||
| 4b. | Finite State Machine | 3c | |||
| 4c. | Module Def. / rules-to-code | 3d,3e | |||
| M5 | Operational validation | ||||
| 5a. | Algorithm testing | 1 month | |||
| 5b. | Operational testing | 3h | 1 week | ||
| 5c | Set up machines for the Lab to run operational tests on, and provide the Lab tech with access to the machines (last time we both sent a box to the lab and set up a temporary account in the intranet for them) | ||||
| M6 | Internal QA of docs | M2-M5 | 1 week | all | |
| M7 | Communication between NSS team / Lab / NIST about status of validation / algorithm certificates | M1-5 | 3-6 mos | all | |
Algorithms
The plan is to validate all FIPS-approved algorithms that NSS implements and that NIST has tests for. There are eight such algorithms:
| Algorithms | Key Size | Modes | Testing Completed |
|---|---|---|---|
| Triple DES | ? | ECB,CBC | |
| AES | 128/192/256 | N/A | |
| SHS (including all variants: SHA-1, SHA-256, SHA-384, and SHA-512) | ? | ? | |
| RNG | ? | ? | |
| HMAC | ? | ? | |
| DSA | ? | ? | |
| RSA (as specified in ANSI X9.31) | ? | ? | |
| Elliptic Curve DSA (ECDSA; as specified in ANSI X9.62) | ? | ? | |
Dependent Bugs
| Bug | Completed |
|---|---|
| 259135 | ? |
| 288401 | ? |
| 297015 | ? |
Testing Lab
BKP Security became an accredited FIPS testing lab in the beginning of 2004.
FIPS Information
- NIST Cryptographic Module Validation Program
- NIST Crypto Toolkit