by John Morris, president and co-founder of Corsec Security, Inc.
In our last article (SecureIDNews, August 2004) we covered what FIPS 140-2 and Common Criteria are at a high level. We introduced you to what these standards are, why we need them, who the players are, what the process is, as well as some of the common terms that you will need to know along the way. Now let’s delve into what’s actually involved in getting FIPS 140-2. In the next article, we’ll do the same for Common Criteria.
What is FIPS 140-2 again?
As we learned last time, FIPS 140-2 dictates that the cryptographic parts of a product are designed, documented, and can be operated in a secure manner to the government’s satisfaction. So FIPS 140-2 is a standard mandated for US federal government purchases, strictly enforced in Canada, and followed in various forms by many other governments worldwide. Widely adopted among financial institutions, the standard is becoming an international mark for cryptographic quality.
But who sets the rules and who measures results?
FIPS 140-2 is short for “Federal Information Processing Standards Publication.” The documents are published by the National Institutes of Standards and Technologies (NIST) in the US. In particular FIPS 140-2 was published by NIST with the cooperation of the Communications Security Establishment (CSE) in Canada. NIST and CSE created a joint effort called the Cryptographic Module Validation Program (CMVP) to specifically manage the FIPS 140-2 process.
What is the purpose of this program?
CMVP, issues validation certificates that let purchasers know if products (cryptographic modules) actually meet the FIPS 140-2 requirements. It is important to understand that this program focuses only on the parts of the product that utilize cryptography. These are the “cryptographic engines” that power the security in all types of products. It’s often difficult or impossible for an end consumer to lift the product’s hood and examine the cryptographic engine and ensure it truly works the way it is supposed to. Therefore, the CMVP program ensures that detailed testing an analysis is performed, and only those products that meet the claims are listed on the validation lists.
How does CMVP do this?
CMVP accredits independent labs (commercial companies) to run a specific set of tests and report to the government on the output of those tests. The body that accredits the testing labs is called the National Voluntary Laboratory Accreditation Program, or NVLAP. Initially NVLAP accredited three laboratories to ensure commercial competition (one of which I managed). However, as industry demand and international interest has grown, so to has the number of labs. Currently, CMVP oversees nine testing labs across the US, Canada, and United Kingdom.
How do the testing labs work?
Testing labs are independent, for-profit organizations, so they compete for the vendors’ business. They are all governed by the same sets of rules and regulations and hopefully produce the same end result in judging cryptographic engines. However, the process and procedures they use to achieve the results and how they evaluate documentation, design, and products vary. This is part of the reason that CMVP provides multiple laboratories to satisfy the needs of the competitive commercial marketplace, allowing vendors to compare laboratories on location, prices, responsiveness, resources, etc. But to ensure consistent quality testing the CMVP periodically monitors laboratory quality and prohibits testing labs from consulting on product design or creating documents for products they test. While laboratories can offer some guidance as to what the standard requires, they may not advise a vendor on how to relate that guidance to their specific product. There are separate consultants (such as my company, Corsec) that specialize in helping vendors in these areas.
Vendors complain FIPS 140-2 is too hard – is it necessarily?
A FIPS 140-2 validation entails significant effort for a vendor before, during and after the vendor chooses the lab. They must verify that their product design is compliant to the requirements in the standard. If not, then design changes will have to be made before the product goes through testing. Next, the vendor has to produce a large body of documentation that explains how the product meets cryptographic security requirements, how its design complies with them, and how it will behave in specific situations. The CMVP program requires very specific documents be submitted in particular formats. This means the vendors or their consultants must spend significant efforts producing documentation for FIPS 140-2 that they would not otherwise produce. Most vendors are not practiced in producing FIPS 140-2 Security Policies, Finite State Machines, or Vendor Evidence documents and may either spend more effort than laboratories require under FIPS 140-2, or include the wrong information. However, with the right focus in the documents, a vendor’s product can be quickly evaluated by a laboratory, and efforts significantly reduced.
The documents have been submitted, the testing has been done – so now what?
Once the commercial testing has been performed, the CMVP reviews the test report and Security Policy as part of their quality control. Assuming the vendor responds promptly and correctly to government questions, CMVP will sign a validation certificate for the tested version of the product, and post it on their web site. In the past, lack of staffing and funding, and sharp growth in FIPS 140-2 testing has caused delays in the government’s ability to process test reports – another source of vendor complaints. Although still woefully under-funded despite the recent focus on communications security, the CMVP has avoided the huge delays folks like INS have suffered, and continues to streamline the process.
What does this mean to the purchaser?
Government or Financial Services industry purchasers who are required to purchase only FIPS 140-2 validated products have begun using validated lists as shopping lists. They help narrow the playing field when comparing similar types of products. If one has been validated and another has not, the purchaser must choose the one with the FIPS 140-2 certificate.
Thus, the validated products lists show which products have proven they meet FIPS 140-2 requirements for cryptographic security. It tells you that qualified, independent cryptographic “mechanics” have looked under the hood of the product and ensured the engine is soundly designed, well implemented, and running smoothly. More and more, this assurance is becoming a basic requirement of purchasers inside and outside the government. Vendors have noted this, and the list of validated vendors reads like a who’s who of serious players in the market. These days, gaining a FIPS 140-2 validation also tells purchasers that a vendor is committed to security, as validations are typically far from cheap, fast, or easy.
Next month, we will cover the testing process for Common Criteria and how it relates to FIPS 140-2 validation. In the meantime, you can read more about FIPS 140-2 requirements at www.corsec.com/fips_center.php, or contact me at jmorris at Corsec dot com.
About the author
John Morris is president and co-founder of Corsec Security, which offers consulting services for Common Criteria and FIPS 140-2 product validations. Mr. Morris is the former manager of a NVLAP-accredited testing laboratory, and has worked for the last decade in cryptography, public key infrastructure and security engineering with a focus on government security validations. You can read a Q/A by Mr. Morris in Corsec’s monthly e-newsletter by visiting www.corsec.com/news.php. Questions can be submitted to [email protected].
Research and evaluate FIPS 201 Approved Products and get the latest info on compliant credentialing systems at FIPS201.com. Click to visit FIPS201.com.