Tuesday, March 22, 2016

Commercial Assurance of Cryptography in North America

Cryptographic Algorithm Validations


The Cryptographic Algorithm Validation Program (CAVP) is an organization that is managed solely by the National Institute of Standards and Technology (NIST). Information about the CAVP scheme, including the official validation lists, can be found at NIST's web page for the CAVP.

The CAVP certifies that certain algorithms and related security functions are implemented correctly through testing supervised by accredited testing laboratories using test vectors. This testing supports verification of the correctness of the algorithm implementation.

The CAVP was instigated to provide assurance that cryptographic algorithms are implemented correctly in cryptographic modules. NIST statistics have indicated that close to 26% of algorithms tested showed errors in implementation that were corrected as a result of the testing process.

In addition to satisfying NIST requirements, the assurance given by CAVP certification is widely used by other assurance programs and in some industries. The following are examples.

  • The Cryptographic Module Validation Program (CMVP) specifies that certificates issued by the CAVP for the Approved Security Functions are provided as a prerequisite for Federal Information Processing Standard (FIPS) 140-2 validation.

    Note that the CAVP and the CMVP are closely linked but are formally independent of each other.

  • The National Information Assurance Partnership (NIAP) specifies that certificates issued by the CAVP must be provided for all NIST-approved security functions specified in their Approved Protection Profiles for Common Criteria evaluation.

    Note that the NIAP Scheme Policy #5 for this topic also allows CMVP validation. This policy is supplemented with an FAQ. As noted above, a CMVP validation against FIPS 140-2 will assure that the Cryptographic Algorithm Validation System (CAVS) certificates are already in place.

  • The financial industry frequently specifies that CAVP certificates are provided to demonstrate assurance of implementation correctness.

  • The 2005 Voting System standards also recommend using CMVP validation (and hence the provision of CAVP certificates).

Forward-looking vendors are turning to the CAVP certification scheme to assure a demanding audience that their algorithms have been implemented correctly. The cost and time needed to obtain CAVP certification are relatively small compared to certifications such as Common Criteria and FIPS 140-2.

It should be pointed out that CAVP certification does not by itself provide any assurance that the algorithm itself is sound. It does, however, provide assurance that the chosen algorithm was implemented correctly.

Cryptographic Module Validations


The CMVP is a joint program between NIST and the Canadian Security Establishment (CSE). This organization provides a validation and certification program for conformance claims to FIPS 140-2, a specification for Security Requirements for Cryptographic Modules.

Validated cryptographic modules are specified or accepted by a variety of organizations, including the following.

  • Cryptographic modules validated as conforming to FIPS 140-1 and FIPS 140-2 are required by law for use by Federal Agencies in the USA to protect sensitive information.

    "If a government agency specifies that the information or data be cryptographically protected, then FIPS 140-2 is applicable. In essence, if cryptography is required, then it must be validated."

    The CMVP is responsible for validating cryptographic modules.

  • For National Security Systems, the DoD or CIA rather than NIST lead the way, with the following legislation and policies currently applicable.

    • The Committee on National Security Systems Policy (CNSSP)-11, the national policy governing the acquisition of information assurance (IA) and IA-enabled information technology products, is applicable to all U.S. National Security Systems used by or on behalf of U.S. Government Departments and Agencies. It establishes the NIAP, which in turn has issued NIAP Scheme Policy #5 requiring CAVP validation and ideally CMVP validation. This policy is supplemented with an FAQ.

    • The Federal Information Security Management Act (FISMA) 2002 removed a waiver for FIPS 140-2 validation that was in place as FIPS 140-2 became widely adopted.


  • In Canada, FIPS 140-2 is recommended by the government. The Government of Canada recommends that Federal Departments purchase CMVP validated cryptographic modules.


  • Some non-governmental organizations and even other standards refer to FIPS 140-2 as a means of providing appropriate assurance for cryptographic modules. This includes a variety of topics from digital cinema specifications through voting system standards.

Common Terminology Mistakes

"The algorithm is FIPS certified/validated"—Incorrect
While some algorithms are specified using a Federal Information Processing Standard (FIPS), some are specified through NIST Special Publications (SPs) and some through standards from other standards bodies such as ANSI and IEEE. So, in no case is there a "FIPS certification". The certification is performed by the CAVP.

"The algorithm is FIPS 140 certified/validated"—Incorrect
The FIPS 140 standard was withdrawn many years ago.

"The algorithm is FIPS 140-2 certified/validated"—Incorrect
It is the CAVP that performs the validations; certifications are issued by NIST.

"The algorithm is certified/validated by CAVP"—Correct

"The cryptographic module is FIPS certified/validated"—Incorrect
It is the CMVP that performs the validations; certifications are issued by NIST/CSE.

"The cryptographic module is FIPS 140-2 certified/validated by NIST/CSE"—Correct

"The cryptographic module is NIST certified"—Incorrect
Certifications are signed and issued by both NIST and CSE together, unless the module is an ITAR item, in which case the validation work is performed in the U.S. by NIST.

Common Misconceptions

CAVP certificates are the same as FIPS 140-2 certificates issued by the CMVP.
They are not. As explained above, CAVP certificates are applicable only to the cryptographic algorithms and supporting security functions specified in the Annexes of FIPS 140-2. The CMVP only issues certificates for a complete cryptographic module.

The CAVP can certify all the algorithms I designed into my product.
This is not true. The CAVP supports the CMVP with the validation of cryptographic functions specified in Annex A of FIPS 140-2. Note that the content of Annex A changes from time to time. These usually include cryptographic functions defined in other Federal Information Processing Standards (FIPS), NIST Special Publications (SPs), ANSI standards and ISO standards. Many of the cryptographic functions defined in Annex A also appear in the US algorithm Suite B. Note that for some cryptographic functions automated tests have not been established, so the CAVP uses alternative means of approving them.

The NIAP requires FIPS 140-2 for conformance to Common Criteria.
The NIAP does not require FIPS 140-2 compliance for cryptographic modules included in a CC evaluation. Note, however, that by law (FISMA, 2002) the standard is applicable to all Federal Agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems. While the NIAP does not require FIPS 140-2 validation, it is necessary to have FIPS 140-2 validation for cryptographic modules used by Federal Agencies.

CAVP certificates are the same as a FIPS 140-2 validation.
The CAVP certifications establish only that the cryptographic functions are implemented correctly. FIPS 140-2 certification establishes that a cryptographic module uses cryptographic functions that are already certified by the CAVP, as well as meeting the specification for other attributes of a cryptographic module. These include some essential elements of the design and functionality of an entire cryptographic module including its operational environment, physical security, cryptographic key management, and self-tests.

A FIPS 140-2 certificate shows that a cryptographic module is secure.
This is not true. The security requirements specified in FIPS 140-2 are intended to maintain the security provided by a cryptographic module. However, conformance to FIPS 140-2 is not sufficient to ensure that a particular cryptographic module is secure.

OpenSSL is certified; therefore I do not need to repeat CAVP certification when I use an OpenSSL module for my Common Criteria work.
Both CAVP and CMVP certificates are very specific about the version number of the cryptographic module that has been validated, along with the platform that the certification is relevant to. The certificates must match the exact version of the cryptographic module (e.g. OpenSSL) as well as the platform (e.g. OS and processors) in order for them to be valid in your use case.
