Blbs tn-bloombase-cryptographic-module-nist-fips-140-2-certification-uslet-en-r2



  1. Bloombase Cryptographic Module National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) 140-2 Certification

     This Technical White Paper provides background information on NIST FIPS 140-2 certification, how Bloombase Cryptographic Module has achieved FIPS 140-2 validation, which powers the foundation of Bloombase defense-in-depth security products, and what it means to customers.
  2. This document is for informational purposes only and may contain typographical errors and technical inaccuracies. The content is provided as is, without express or implied warranties of any kind. Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, people and events depicted herein are fictitious and no association with any real company, organization, product, person or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Bloombase. Bloombase may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Bloombase, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. This document is the property of Bloombase. No exploitation or transfer of any information contained herein is permitted in the absence of an agreement with Bloombase, and neither the document nor any such information may be released without the written consent of Bloombase. © 2010 Bloombase, Inc. All rights reserved. Bloombase and its affiliates cannot be responsible for errors or omissions in typography or photography. Bloombase, Spitfire, StoreSafe are either registered trademarks or trademarks of Bloombase, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

     Document No.: BLBS-TN-Bloombase-Cryptographic-Module-NIST-FIPS-140-2-Certification-USLET-EN-R2
  3. Table of Contents

     • Executive Summary
     • Validation Testing and Requirements
     • Cryptographic Module Validation Program (CMVP)
     • Bloombase CMVP Validated Cryptographic Module
     • Cryptographic Algorithm Validation Program (CAVP)
     • Bloombase CAVP Validated Cryptographic Cipher Algorithms
     • Conclusion
     • To Learn More
  4. Executive Summary

     NIST FIPS 140-2 is one of many cryptographic standards maintained by the Computer Security Division of NIST, the US National Institute of Standards and Technology. NIST of the United States of America, in conjunction with the Canadian Communications Security Establishment (CSE), operates the Cryptographic Module Validation Program (CMVP), through which security products are validated.

     In addition, the Cryptographic Algorithm Validation Program (CAVP) encompasses validation testing for FIPS-approved and NIST-recommended cryptographic algorithms and components of algorithms. Cryptographic algorithm validation is a prerequisite to the Cryptographic Module Validation Program (CMVP). The CAVP, like the CMVP, was established by NIST and the Communications Security Establishment (CSE).

     Validation Testing and Requirements

     NVLAP-accredited Cryptographic and Security Testing (CST) laboratories perform validation testing of cryptographic modules. Cryptographic modules are tested against the requirements found in FIPS 140-2, Security Requirements for Cryptographic Modules. Cryptographic module validation testing is performed using the Derived Test Requirements for FIPS PUB 140-2 document. The document lists all of the vendor and tester requirements for validating a cryptographic module, and provides the basis of the testing performed by the CST accredited laboratories.

     Leidos, Inc., formerly Science Applications International Corporation (SAIC), was appointed by Bloombase to perform testing and validation for both CMVP and CAVP.

     Cryptographic Module Validation Program (CMVP)

     Prior to May 25, 2002, commercial cryptographic modules were validated for conformance to FIPS 140-1, Security Requirements for Cryptographic Modules. Effective May 26, 2002, this standard was superseded by FIPS 140-2, Security Requirements for Cryptographic Modules. However, agencies may continue to purchase, retain and use FIPS 140-1 validated products after May 25, 2002.

     FIPS 140-2 specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting protected information. The standard provides four increasing, qualitative levels of security: Level 1, Level 2, Level 3 and Level 4. These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be employed. The security requirements cover 11 areas related to the secure design and implementation of a cryptographic module. These areas include:
  5. • Cryptographic module specification
     • Module ports and interfaces
     • Roles, services and authentication
     • Finite state model
     • Physical security
     • Cryptographic key management
     • Electromagnetic interference/electromagnetic compatibility (EMI/EMC)
     • Self-tests
     • Design assurance
     • Mitigation of other attacks
     • Operational environment

     A FIPS 140-2 validation certificate is issued for each validated module. An overall rating is issued for the cryptographic module, which indicates (1) the minimum of the independent ratings received in the areas with levels, and (2) fulfillment of all the requirements in the other areas.

     It is important for vendors and users of cryptographic modules to realize that the overall rating of a cryptographic module is not necessarily the most important rating. The rating of an individual area may be more important than the overall rating, depending on the environment in which the cryptographic module will be implemented (this includes understanding what risks the cryptographic module is intended to address).

     Bloombase CMVP Validated Cryptographic Module

     Bloombase develops cryptographic products and subsystems which conform to the FIPS 140-2 standard. The following have been validated under the CMVP as meeting the FIPS 140-2 version of the standard:

     • Cryptographic module specification: Level 1
     • Module ports and interfaces: Level 1
     • Roles, services and authentication: Level 1
     • Finite state model: Level 1
  6. • Physical security: N/A
     • Cryptographic key management: Level 1
     • Electromagnetic interference/electromagnetic compatibility (EMI/EMC): Level 1
     • Self-tests: Level 1
     • Design assurance: Level 1
     • Mitigation of other attacks: N/A
     • Operational environment: Level 1

     Bloombase Cryptographic Module has been tested and validated with the built-in, security-hardened Bloombase OS (formerly Spitfire OS) operating system.

     Overall, Bloombase Cryptographic Module achieved Level 1 for FIPS 140-2 certification.

     Cryptographic Algorithm Validation Program (CAVP)

     NIST certifies a list of industry-standard cryptographic algorithms in its Cryptographic Algorithm Validation Program (CAVP), including:

     • RSA/Digital Signature Standard (DSS): FIPS 186-2 and 186-3
     • Advanced Encryption Standard (AES): FIPS 197
     • Keyed-Hash Message Authentication Code (HMAC): FIPS 198
     • Secure Hash Algorithm Validation System (SHAVS): FIPS 180-3
     • Random Number Generator Validation System (RNGVS): FIPS 186-2

     Bloombase CAVP Validated Cryptographic Cipher Algorithms

     Bloombase Cryptographic Module supports a wide range of encryption cipher algorithms to meet the diverse information security needs of organizational customers in their day-to-day business:

     • RSA
     • AES
  7. • XTS-AES
     • 3DES
     • DES
     • Blowfish
     • Twofish
     • RC2
     • RC4
     • RC5
     • RC6
     • CAST5
     • CAST6
     • IDEA
     • Serpent
     • Skipjack
     • Camellia
     • SEED
     • ARIA
     • SM1

     along with a number of one-way hash/digest algorithms

     • SHA-1
     • SHA-2
     • MD5
     • SM3
  8. Bloombase Cryptographic Module supports and has achieved the following CAVP certifications for its FIPS supported cipher algorithms:

     • RSA:
       o ANSI X9.31 (MOD: 2048, 3072, 4096)
       o RSASSA-PKCS1_V1_5: (SIG: 2048, 3072, 4096 with SHS: SHA-256, SHA-384, SHA-512; SIG: 1024, 1536, 2048, 3072, 4096 with SHS: SHA-1, SHA-256, SHA-384, SHA-512)
     • AES:
       o ECB (e/d; 128, 192, 256)
       o CBC (e/d; 128, 192, 256)
       o CFB8 (e/d; 128, 192, 256)
     • HMAC:
       o HMAC-SHA1
       o HMAC-SHA256
       o HMAC-SHA384
       o HMAC-SHA512
     • SHAVS:
       o SHA-1
       o SHA-256
       o SHA-384
       o SHA-512
     • RNGVS:
       o ANSI X9.31 (AES-128Key, AES-192Key, AES-256Key)

     Conclusion
  9. Protection of a cryptographic module within a security system is necessary to maintain the confidentiality and integrity of the information protected by the module. NIST FIPS 140-2 specifies the security requirements that will be satisfied by a cryptographic module. FIPS 140-2 defines the baseline requirements and assessment of an encryption product, which supports customers when selecting a product to fulfill their security needs. Specifically, federal government agencies and departments require a product to be FIPS 140-2 certified as a basic requirement for procurement.

     Bloombase Cryptographic Module is the core building block of Bloombase information security products, delivering unprecedented strong security encryption services at turnkey application-transparent operation.

     The CMVP-certified Bloombase Cryptographic Module with purpose-built CAVP-certified cryptographic algorithms enables organizational customers to meet stringent security regulatory compliance requirements easily and cost-effectively.

     Finally, Bloombase products currently undergoing FIPS 140-2 validation, if any, can be viewed at

     To Learn More

     1. Computer Security division of NIST
     2. Cryptographic Module Validation Program (CMVP)
     3. Cryptographic Algorithm Validation Program (CAVP)
     4. Leidos, Inc.
     5. SAIC
     6. FIPS 186-2, 186-3
     7. FIPS 197
     8. FIPS 198
     9. SHAVS
     10. RNGVS
     11. Bloombase Cryptographic Module CMVP FIPS 140-2 validation
     12. Bloombase Cryptographic Module FIPS 140-2 certificate
  10. 13. Bloombase Cryptographic Module FIPS 140-2 validation security policy
      14. Bloombase Cryptographic Module CAVP for RSA
      15. Bloombase Cryptographic Module CAVP for AES
      16. Bloombase Cryptographic Module CAVP for HMAC
      17. Bloombase Cryptographic Module CAVP for SHA
      18. Bloombase Cryptographic Module CAVP for RNG