2

I am going for a FIPS 140-2 validation process of my software module. I have studied the relevant material but I am still not clear of one thing that can I use third party FIPS validated approved algorithms in my to be fips validated module? or Do i need to write my own implementation of approved algorithms and get them approved from NIST first?

I am confused because; in Fips validation module list, most of the companies have their own validated algorithms in their fips validated module which gives me impression that one has to get the validation of his own algorithm implementation first and then use it in to be validated crypto module. Is this right?

Any help would be appreciated.

awatan
  • 1,182
  • 15
  • 33

1 Answers1

0

The FIPS certification lab doesn't care where the algorithm came from, only that your implementation conforms to the FIPS 140-2 standard. If your implementation conforms, then you get a certificate for it.

For example, if you look at the AES certification list, you'll see that many people use OpenSSL's AES implementation. Hardware implementations likely use an encryption core from a vendor rather than each organization re-implementing AES in hardware.

What you do have to do though is make the third-party implementation conform to the FIPS 140-2 standard. So you may have to write power-on self tests and continuous self tests and so on. You may even have to fix bugs in the implementation to make it pass the certification tests. For example, OpenSSL's RSA implementation up to 0.9.7j/0.9.8b (from 2006) is vulnerable to the Bleichenbacher RSA forgery attack, so if you were using that old RSA implementation, you'd have to fix it.

To be clear, your third-party implementation does not have to have been previously FIPS certified. Your certification lab will test it as part of your implementation and certify it then.

indiv
  • 17,306
  • 6
  • 61
  • 82
  • So for example, If I use openSSL's FIPS validated AES implementation in my module, then I will get a separate a certificate for that implementation? Is that so? – awatan Nov 24 '11 at 07:24
  • Yes that is right. You will get a certificate for every algorithm in your module regardless of where it came from. – indiv Nov 25 '11 at 04:06
  • Thanks. "Muchas Gracias" as they say. :) – awatan Nov 25 '11 at 10:43
  • Sorry to pop you after so many days. I just want to ask whether I can submit only Algorithms to NIST accredited lab to get validation certificate for particular algorithms? Do algorithms hold separate identity or must they be embedded in some crypto module to get validation certificate? – awatan Dec 15 '11 at 09:51
  • 1
    It's all part of the FIPS 140-2 validation process for modules. Algorithm validation is just one step of the process. If the algorithm is not in a FIPS-validated module, it "is viewed by NIST as providing no protection to the information or data - in effect the data would be considered unprotected plaintext." (http://csrc.nist.gov/groups/STM/cmvp/index.html) – indiv Dec 15 '11 at 15:23