Commercial Assurance of Cryptography in North America

Cryptographic Algorithm Validations

The Cryptographic Algorithm Validation Program (CAVP) is anorganization that is managed solely by the National Institute ofStandards and Technology (NIST). Information about the CAVP scheme,including the official validation lists, can be found at NIST's web page for theCAVP.

The CAVP certifies that certain algorithms and related securityfunctions are implemented correctly through testing supervised byaccredited testing laboratories using test vectors. This testingsupports verification of the correctness of the algorithmimplementation.

The CAVP was instigated to provide assurance that cryptographicalgorithms are implemented correctly in cryptographic modules. NISTstatistics have indicated that close to 26% of algorithms testedshowed errors in implementation that were corrected as a result ofthe testing process.

In addition to satisfying NIST requirements, the assurance given byCAVP certification is widely used by other assurance programs andin some industries. The following are examples.

 

· TheCryptographic Module Validation Program (CMVP), specifies thatcertificates, issued by the CAVP, for the Approved SecurityFunctions are provided as a pre-requisite for the FederalInformation Processing Standard (FIPS) 140-2 validation.

Note that the CAVP and the CMVP are closely linked but are formallyindependent of each other.

· The NationalInformation Assurance Partnership (NIAP) specifies thatcertificates, issued by the CAVP must be provided for all NISTapproved security functions specified in their Approved ProtectionProfiles for Common Criteria evaluation.

Note that the NIAP Scheme Policy#5 for this topic also allows CMVP validation. Thispolicy is supplemented with an FAQ. As notedabove a CMVP validation against FIPS 140-2 will assure that theCryptographic Alogorithm Validation System (CAVS) certificates arealready in place.

· The financial industryfrequently specifies that CAVP certificates are provided todemonstrate assurance of implementation correctness.

· The 2005 Voting Systemstandards also recommends using CMVP validation (and hence theprovision of CAVP certificates.)

Forward-looking vendors are turning to the CAVP certificationscheme to provide assurance to an audience demanding assurance thatalgorithm implementations have been implemented correctly. Costsand the time needed to obtain CAVP certification are relativelysmall compared to certifications such as Common Criteria and FIPS140-2.

It should be pointed out that CAVP certification does not by itselfprovide any assurance that the algorithm itself is sound. It does,however, provide assurance that the chosen algorithm wasimplemented correctly.

 

Cryptographic Module Validations

The CMVP is a joint program between NIST and the CanadianSecurity Establishment (CSE). This organization provides avalidation and certification program for conformance claims to FIPS140-2 a specification for Security Requirements for CryptographicModules.

Validated cryptographic modules are specified or accepted by avariety of organizations, including the following.

· Cryptographic Modulesvalidated as conforming to FIPS 140-1 and FIPS 140-2 are mandated,by law, to the Federal Agencies in the USA for the protection ofsensitive information.

"If a government agency specifies that the information or data becryptographically protected, then FIPS 140-2 is applicable. Inessence, if cryptography is required, then it must bevalidated."

The CMVP is responsible for validating cryptographic modules.

· For National SecuritySystems, the DoD or CIA rather than NIST lead the way, with thefollowing legislation and policies currently applicable.

· The Committee onNational Security Systems Policy (CNSSP)-11, thenational policy governing the acquisition of information assurance(IA) and IA-enabled information technology products is applicableto all U.S. National Security Systems used by or on behalf of U.S.Government Departments and Agencies establishes the NIAP, which inturn has issued NIAP Scheme Policy#5 requiring CAVP validation and ideally CMVPvalidation. This policy is supplemented with an FAQ.

· The Federal InformationSecurity Management Act (FISMA) 2002 removed awaiver for FIPS 140-2 validation that was in place as FIPS 140-2became widely adopted.

· In Canada, FIPS 140-2is recommended by the government. The Government of Canadarecommends that Federal Departments purchase CMVP validatedcryptographic modules.

· Some non-governmentalorganizations and even other standards refer to FIPS 140-2 as ameans of providing appropriate assurance for cryptographic modules.This includes a variety of topics from digital cinemaspecifications through voting system standards.

Common Terminology Mistakes

The algorithm is FIPScertified/validated"—Incorrect
While some algorithmsare specified using a Federal Information Processing Standard(FIPS), some are specified through NIST Special Publications (SPs)and some through standards from other standards bodies such as ANSIand IEEE. So, in no case is there a "FIPS certification". Thecertification is performed by the CAVP.

"The algorithm is FIPS 140certified/validated"—Incorrect
The FIPS 140 standard was withdrawn many years ago.

"The algorithm is FIPS 140-2certified/validated"—Incorrect
It is the CAVP that perform the validations, certifications areissued by NIST.

"The algorithm is certified/validated byCAVP"—Correct
"The cryptographic module is FIPScertified/validated"—Incorrect
It is the CMVP that perform the validations, certifications areissued by NIST/CSE.

"The cryptographic module is FIPS 140-2certified/validated by NIST/CSE"—Correct
"The cryptographic module is NISTcertified"—Incorrect
Certifications are signed and issued by both NIST and CSE together,unless the module is an ITAR item, in which case the validationwork is performed in the U.S. by NIST.

Common Misconceptions

CAVP certificates are the same as FIPS 140-2certificates issued by the CMVP.
They are not. Asexplained above, CAVP certificates are applicable only to thecryptographic algorithms and supporting security functionsspecified in the Annexes of FIPS 140-2. The CMVP only issuescertificates for a complete cryptographic module.

The CAVP can certify all the algorithms I designed into myproduct.
This is not true. The CAVP supports the CMVP with the validation ofcryptographic functions specified in Annex A of FIPS 140-2. Notethat the content of Annex A changes from time to time. Theseusually include cryptographic functions defined in other FederalInformation Processing Standards (FIPS), NIST Special Publications(SPs), ANSI standards and ISO standards. Many of the cryptographicfunctions defined in Annex A also appear in the US algorithm suiteB. Note that for some cryptographic functions automated tests havenot been established and so alternative means of the CAVP approvingthem are used.

The NIAP requires FIPS 140-2 for conformance to CommonCriteria.
The NIAP does not require FIPS 140-2 compliance for cryptographicmodules included in a CC evaluation. Note, however, that by law(FISMA, 2002) the standard is applicable to all Federal Agenciesthat use cryptographic-based security systems to protect sensitiveinformation in computer and telecommunication systems. While theNIAP does not require FIPS 140-2 validation, it is necessary tohave FIPS 140-2 validation for cryptographic modules used byFederal Agencies.

CAVP certificates are the same as a FIPS 140-2validation.
The CAVP certifications establish only that the cryptographicfunctions are implemented correctly. FIPS 140-2 certificationestablishes that a cryptographic module uses cryptographicfunctions that are already certified by the CAVP, as well asmeeting the specification for other attributes of a cryptographicmodule. These include some essential elements of the design andfunctionality of an entire cryptographic module including itsoperational environment, physical security, cryptographic keymanagement, and self-tests.

A FIPS 140-2 certificate shows that a cryptographic moduleis secure.
This is not true. The security requirements specified in FIPS 140-2are intended to maintain the security provided by a cryptographicmodule. However, conformance to FIPS 140-2 is not sufficient toensure that a particular cryptographic module is secure.

OpenSSL is certified; therefore I do not need to repeatCAVP certification when I use an OpenSSL module for my CommonCriteria work.
Both CAVP and CMVP certificates are very specific about the versionnumber of the cryptographic module that has been validated alongwith the platform that the certification is relevant to. Thecertificates must match the exact version of the cryptographicmodule (e.g. OpenSSL) as well as the platform (e.g. OS andprocessors) in order for them to be valid in your use-case.