Under the hood of FIPS 140-2 Validations

[R. A. Hettinga]

<http://www.cr80news.com/library/2004/09/26/under-the-hood-of-fips-1402-validations/>

 : CR80 News

Under the hood of FIPS 140-2 Validations
Sunday, September 26 2004

by John Morris, president and co-founder of Corsec Security, Inc.

In our last article (SecureIDNews, August 2004) we covered what FIPS 140-2
and Common Criteria are at a high level. We introduced you to what these
standards are, why we need them, who the players are, what the process is,
as well as some of the common terms that you will need to know along the
way. Now let's delve into what's actually involved in getting FIPS 140-2.
In the next article, we'll do the same for Common Criteria.



What is FIPS 140-2 again?

As we learned last time, FIPS 140-2 dictates that the cryptographic parts
of a product are designed, documented, and can be operated in a secure
manner to the government's satisfaction. So FIPS 140-2 is a standard
mandated for US federal government purchases, strictly enforced in Canada,
and followed in various forms by many other governments worldwide. Widely
adopted among financial institutions, the standard is becoming an
international mark for cryptographic quality.

But who sets the rules and who measures results?

 FIPS 140-2 is short for "Federal Information Processing Standards
Publication." The documents are published by the National Institutes of
Standards and Technologies (NIST) in the US. In particular FIPS 140-2 was
published by NIST with the cooperation of the Communications Security
Establishment (CSE) in Canada. NIST and CSE created a joint effort called
the Cryptographic Module Validation Program (CMVP) to specifically manage
the FIPS 140-2 process.

What is the purpose of this program?

CMVP, issues validation certificates that let purchasers know if products
(cryptographic modules) actually meet the FIPS 140-2 requirements. It is
important to understand that this program focuses only on the parts of the
product that utilize cryptography. These are the "cryptographic engines"
that power the security in all types of products. It's often difficult or
impossible for an end consumer to lift the product's hood and examine the
cryptographic engine and ensure it truly works the way it is supposed to.
Therefore, the CMVP program ensures that detailed testing an analysis is
performed, and only those products that meet the claims are listed on the
validation lists.

How does CMVP do this?

 CMVP accredits independent labs (commercial companies) to run a specific
set of tests and report to the government on the output of those tests. The
body that accredits the testing labs is called the National Voluntary
Laboratory Accreditation Program, or NVLAP. Initially NVLAP accredited
three laboratories to ensure commercial competition (one of which I
managed). However, as industry demand and international interest has grown,
so to has the number of labs. Currently, CMVP oversees nine testing labs
across the US, Canada, and United Kingdom.

How do the testing labs work?

 Testing labs are independent, for-profit organizations, so they compete
for the vendors' business. They are all governed by the same sets of rules
and regulations and hopefully produce the same end result in judging
cryptographic engines. However, the process and procedures they use to
achieve the results and how they evaluate documentation, design, and
products vary. This is part of the reason that CMVP provides multiple
laboratories to satisfy the needs of the competitive commercial
marketplace, allowing vendors to compare laboratories on location, prices,
responsiveness, resources, etc. But to ensure consistent quality testing
the CMVP periodically monitors laboratory quality and prohibits testing
labs from consulting on product design or creating documents for products
they test. While laboratories can offer some guidance as to what the
standard requires, they may not advise a vendor on how to relate that
guidance to their specific product. There are separate consultants (such as
my company, Corsec) that specialize in helping vendors in these areas.

Vendors complain FIPS 140-2 is too hard - is it necessarily?

A FIPS 140-2 validation entails significant effort for a vendor before,
during and after the vendor chooses the lab. They must verify that their
product design is compliant to the requirements in the standard. If not,
then design changes will have to be made before the product goes through
testing. Next, the vendor has to produce a large body of documentation that
explains how the product meets cryptographic security requirements, how its
design complies with them, and how it will behave in specific situations.
The CMVP program requires very specific documents be submitted in
particular formats. This means the vendors or their consultants must spend
significant efforts producing documentation for FIPS 140-2 that they would
not otherwise produce. Most vendors are not practiced in producing FIPS
140-2 Security Policies, Finite State Machines, or Vendor Evidence
documents and may either spend more effort than laboratories require under
FIPS 140-2, or include the wrong information. However, with the right focus
in the documents, a vendor's product can be quickly evaluated by a
laboratory, and efforts significantly reduced.

The documents have been submitted, the testing has been done - so now what?

Once the commercial testing has been performed, the CMVP reviews the test
report and Security Policy as part of their quality control. Assuming the
vendor responds promptly and correctly to government questions, CMVP will
sign a validation certificate for the tested version of the product, and
post it on their web site. In the past, lack of staffing and funding, and
sharp growth in FIPS 140-2 testing has caused delays in the government's
ability to process test reports - another source of vendor complaints.
Although still woefully under-funded despite the recent focus on
communications security, the CMVP has avoided the huge delays folks like
INS have suffered, and continues to streamline the process.

 What does this mean to the purchaser?

Government or Financial Services industry purchasers who are required to
purchase only FIPS 140-2 validated products have begun using validated
lists as shopping lists. They help narrow the playing field when comparing
similar types of products. If one has been validated and another has not,
the purchaser must choose the one with the FIPS 140-2 certificate.

Thus, the validated products lists show which products have proven they
meet FIPS 140-2 requirements for cryptographic security. It tells you that
qualified, independent cryptographic "mechanics" have looked under the hood
of the product and ensured the engine is soundly designed, well
implemented, and running smoothly. More and more, this assurance is
becoming a basic requirement of purchasers inside and outside the
government. Vendors have noted this, and the list of validated vendors
reads like a who's who of serious players in the market. These days,
gaining a FIPS 140-2 validation also tells purchasers that a vendor is
committed to security, as validations are typically far from cheap, fast,
or easy.

Next month, we will cover the testing process for Common Criteria and how
it relates to FIPS 140-2 validation. In the meantime, you can read more
about FIPS 140-2 requirements at  www.corsec.com/fips_center.php, or
contact me at jmorris at Corsec dot com.



About the author

John Morris is president and co-founder of Corsec Security, which offers
consulting services for Common Criteria and FIPS 140-2 product validations.
Mr. Morris is the former manager of a NVLAP-accredited testing laboratory,
and has worked for the last decade in cryptography, public key
infrastructure and security engineering with a focus on government security
validations. You can read a Q/A by Mr. Morris in Corsec's monthly
e-newsletter by visiting www.corsec.com/news.php. Questions can be
submitted to info at corsec.com.

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com