Monday, September 30, 2013

A summary of the first ICMC:

The first ICMC is over.

It was a wonderful event and thanks are due to all of the 171 participants for making it so.
Participant Quote: "This conference is Win Win Win!"

These attendees represented developers, governments, laboratories, consultants,  and academics from the cryptographic module community.

ICMC 2013 sponsors
It turned out to be a truly international affair with people from organizations based in eighteen countries: Australia, Belgium, Brazil, Canada, China, Finland, France, Germany, Japan, Netherlands, Singapore, South Korea, Spain, Sweden, Switzerland, Taiwan, the U.K., and the United States of America.

Thanks are also due to the sponsors. A first conference is always a risk, and it would have been hard to make the conference a success without them.  

Thanks to Bill and Nikki from CNXTD who planned and supported us; arranging the hotel, providing registrations, communications, last minute schedule patches and the management of all those things that security experts are often bad at. CNXTD focus on planning conferences in the security field and have immense experience that showed!

About the conference

We already posted short summaries of each of the days including some of the photographs that we took.

Monday was the CMVP and accredited laboratories meeting. Many of us heard how much hard work that was, especially since they usually take at least three days to cover all of their business. This is a private meeting and as you might expect there are no public slides or links.

Tuesday was for workshops: These were very well attended, and my big surprise was how popular Steve Weingart's, "An introduction to FIPS 140-2" was. I had my doubts since almost everyone who signed up for the conference was an expert in the field. Silly me! Almost everyone I spoke to that had attended said they still learned something new! The quality of the other workshops on more specialised areas (physical security, side channel analysis and testing, and mobile security) were of a very high standard and provided excellent opportunities to learn more on these topics.

Wednesday and Thursday included the keynotes, policy/program related and technical  presentations and plenty of coffee breaks.

As the conference progressed we began to see some themes and memes emerge:

Credibility and Trust
Charles H. Romine

Although cryptographic modules are very important to security in government, critical infrastructure and commercial sectors, it is rare that anything to do with cryptographic modules and the validations of their conformance to standards become the subject of public and political attention. Usually this topic is reserved for the "boffins" i.e., it is a very technical topic only well understood and discussed by the policy and technical experts. For many end users the assurance they rely upon is based on the trust and credibility they hold in those specifying the assurance case on their behalf. In the U.S. that is NIST and the CMVP. For many years this has not been doubted in the slightest.


In the weeks leading up to the conference this topic was headline news, not just within our small community, but it was discussed in the popular media around the world. Not just fame, but infamy. Oh my....

This truly vital topic was addressed by Charles H. Romine, Director of the Information Technology Laboratory at NIST who was a keynote speaker for ICMC. It is clear that NIST take this subject very seriously indeed and are taking appropriate action. Dr. Bertand du Castel also talked about trust from a non-governmental perspective.

The delays to the update of FIPS 140-2, and the length of time that developers must wait to be listed as conformant with the standard ("The Queue" is currently measured at several months) are also affecting the credibility of NIST. The conference participants asked that NIST listen to the community and take appropriate action on these topics too.  

The future of the FIPS specifications, ISO

FIPS 140-3 was bound to be a discussion topic. We heard, as we expected, that FIPS 140-3 is moribund. This has brought problems which are getting worse with time, not better. As technology moves on, and the pace of change increases, with no real update to the specification for a decade, FIPS 140-2 is creaking badly. To deal with this, the CMVP must issue Implementation Guidance (I.G.), which is now so complex that it is virtually impossible to understand all the nuances. We saw several presentations on the topic of several notorious implementation guidances, and even some more formal logical analysis of the I.G. themselves. My goodness, what have we created?...

We heard a lot of discussion and grievances in relation to this topic and we realised that at least part of the reason for the length of the queue is related to the I.G.:  Its (sometimes) retroactive applicability; its complexity; incomplete understanding and inconsistent application of the policies by validators, testers and developers.

There is some light at the end of the tunnel. We heard a lot about the ISO standards and supporting documents for cryptographic modules. How they have been developed by experts, and are now publishing the second revision, representing more recent technical improvements that have "leap-frogged" the FIPS specifications. We heard from several programs that are already using the standards in formal programs. including Japan, South Korea, Spain and Turkey. We heard of the iCMVP that is a memorandum of understanding between Japan and NIST in regard to the framework for accepting work done under each program. This may be a simplistic start when we look at the CC Recognition Arrangement, but it could, in time, grow to include other nations...

All we have to do is convince NIST and CSEC to adopt the ISO standards as national standards, and manage the transition.

The Queue

The length of "The Queue" was discussed during several sessions. This subject was at the front of everyone's minds as the CMVP, with limited resource, struggle to keep up with the number of validations, laboratory assessments, policy writing, as well as other assigned duties.

The current length of The Queue means that it can take developers many months to get their modules validated and hence available for procurement from federal agencies. In an increasing number of cases, products are obsolete or un-supported by the time the validation is finally documented. We heard how  the unpredictability of The Queue is a problem too, since it greatly affects  how developers can perform their marketing, sales and project planning.

We heard a lot more detail about the resource constraints under which the CMVP must operate, and by the end of the conference I believe everyone had a better understanding of why, and we even had some ideas on how to address this problem. These ranged from increased fees for service which would allow NIST to have more resources, sub-contracting validators to the NIST team, allowing labs and developers to work on appropriate topics that would make validation of the test reports easier  and more efficient, and discussion of the internal CMVP review process.


Captain Entropy:
conceived at the first ICMC

Another "hot" topic was entropy. We heard several papers related to entropy, including the philosophical,the mathematical and the practical. Earnest discussion of the subject  was continued throughout the evening by representatives of several of the accredited laboratories, which finally resulted in the conception of "Captain Entropy." We share the vision with you and hope that you can forgive both poor artistic skills and our making light of what really is a serious subject.

What's next?

During the final wrap up session we had a clear mandate from the participants to continue the ICMC conference next year, and also to champion the establishment of a "user group." The user group will seek active participation from all the stakeholders for the development, testing and validation of cryptographic modules. 

So please do not think it is all over for a year. This was the beginning and we have work to do together during the remainder of this year and in 2014.

atsec will continue to facilitate this, but we will be seeking active participation from all the stakeholder groups. We envisage something similar to the CC User's Forum and will initially use both the mailing list for ICMC 2013, the ICMC 2013 and FIPS 140-2 related LinkedIn groups to communicate how this will happen. Please help us spread the word.

Fiona Pattinson


  1. Do you have a date in mind for the next one? Would this one be in Canada?

  2. Josh, It's looking very much like November 2014, in the DC area (again).
    The various user groups that we agreed to initiate are in progress. This includes a project for the next ICMC, a group for CMVP accredited labs and other crypto-module related areas at


Comments are moderated with the goal of reducing spam. This means that there may be a delay before your comment shows up.