FIPS2009

From MozillaWiki
Jump to: navigation, search

NSS FIPS 140 2009 validation

Softoken is a component of NSS, and has a separate version number. The version of softoken FIPS validated in 2009 is 3.12.4 and is in NSS 3.12.4 and NSS 3.12.5 and NSS 3.12.6. Binaries are available here.

April 2010 NSS Softoken has finished its validation NSS Certs.

The next NSS FIPS validation info is available at FIPS_Validation.

Platforms for 2009/2010

  • Level 1
    • Windows XP Service Pack 2
    • Mac OS X 10.5
  • Level 2
    • RHEL 5 x86 32 bit
    • RHEL 5 x86 64 bit
    • Solaris 10 64-bit SPARC v9
    • Solaris 10 32-bit SPARC v8+
    • Solaris 10 32-bit x86
    • Solaris 10 64-bit x86_64

Algorithms

Plan is to validate all FIPS-approved algorithms that NSS implements and NIST has tests for. There are eight such algorithms.

Algorithms Key Size Modes Certificates
TripleDES KO 1,2,3 (56,112,168)

TECB(e/d; KO 1,2,3)
TCBC(e/d; KO 1,2,3)

#822 NSS Extended ECC Build
#823 NSS Basic ECC Build
#821 NSS No ECC Build

AES 128/192/256

ECB(e/d; 128,192,256)
CBC(e/d; 128,192,256)

#1127 NSS Extended ECC Build
#1128 NSS Basic ECC Build
#1126 NSS No ECC Build

SHS (including all variants: SHA-1, SHA-256, SHA-384, and SHA-512)

SHS

SHA-1 (BYTE-only)
SHA-256 (BYTE-only)
SHA-384 (BYTE-only)
SHA-512 (BYTE-only)

N/A

#1049 NSS Extended ECC Build
#1050 NSS Basic ECC Build
#1048 NSS No ECC Build

HMAC

HMAC-SHA1, HMAC-SHA256,
HMAC-SHA384, HMAC-SHA512

KeySize < BlockSize,
KeySize = BlockSize,
KeySize > BlockSize

#637 NSS Extended ECC Build
#638 NSS Basic ECC Build
#636 NSS No ECC Build

DRBG N/A

Hash_DRBG of NIST SP 800-90

#17 NSS Extended ECC Build
#18 NSS Basic ECC Build
#16 NSS No ECC Build

DSA 512-1024

PQG(gen)MOD(1024);
PQG(ver)MOD(1024);
KEYGEN(Y)MOD(1024);
SIG(gen)MOD(1024);
SIG(ver)MOD(1024);

#367 NSS Extended ECC Build
#368 NSS Basic ECC Build
#366 NSS No ECC Build

RSA 1024-8192

ALG[RSASSA-PKCS1_V1_5]; SIG(gen); SIG(ver);

#534 NSS Extended ECC Build
#535 NSS Basic ECC Build
#533 NSS No ECC Build

ECDSA

(Extended ECC)

163-571

PKG: CURVES( ALL-P ALL-K ALL-B );
PKV: CURVES( ALL-P ALL-K ALL-B );
SIG(gen): CURVES( ALL-P ALL-K ALL-B );
SIG(ver): CURVES( ALL-P ALL-K ALL-B );

#132 NSS Extended ECC Build

ECDSA

(Basic ECC)

256-521

PKG: CURVES( ALL-P P-256 P-384 P-521 );
PKV: CURVES( ALL-P P-256 P-384 P-521 );
SIG(gen): CURVES( ALL-P P-256 P-384 P-521 );
SIG(ver): CURVES( P-256 P-384 P-521 );

#133 NSS Basic ECC Build

Dependant Bugs

Bug Description Completed

Testing Lab

Atlan Labs

FIPS 140 Information

NIST Cryptographic Module Validation Program

NIST Crypto Toolkit

NSS FIPS 140-2 Validation Docs

NSS FIPS 140-2 Validation Docs

FIPS 140-2 Derived Test Requirements (DTR)

FIPS 140-2 Derived Test Requirements (DTR)

Vendor Information

NSS is actively supported and maintained by the following corporations:

Sun Microsystems, Inc.: http://www.sun.com/contact/

Red Hat, Inc.: http://www.redhat.com/about/contact/

Mozilla Foundation, Inc.: http://www.mozilla.org/contact/


Schedule

Milestone Item Deps Time Who Completed
M1 Initial Setup
1a Choose validation Lab, approve costs, and sign NDA all all Atlan
1d Define Algorithms, Key Sizes and modes
M2 Complete NSS 3.12 FIPS dependant bugs
M3 Update documentation (numbers in parentheses refer to sections in FIPS documentation)
3a. (1.0) Security policy, new algorithms 1d 2 wks all
3b. Generate annotated source tree (LXR -> HTML) M2
3c. (2.0) Finite State Machine 3b 3 wks
3d. (3.0/4.0) Cryptographic Module Definition 3b 2 wks
3e. (6.0) Software Security (rules-to-code map) 3b 2 wks
3f. (8.0) Key Management Generate 20K random #'s 1 day
3g. (9.0) Cryptographic Algs 3a 3 days
3h. (10.0) Operational Test Plan 1 day
3i. Document architectural changes between 3.2 and 3.11 5 days
M4 Send docs to testing lab
4a. Security Policy all
4b. Finite State Machine 3c
4c. Module Def. / rules-to-code 3d,3e
M5 Operational validation
5a. Algorithm testing 1 month
5b. Operational testing 3h 1 week
5c set up machines for Lab to run operational tests on, provide Lab tech with access to machines (last time we both sent a box to the lab and set up a temporary account in the intranet for them)
M6 Internal QA of docs M2-M5 1 week all
M7 Communication between NSS team / Lab / NIST about status of validation / algorithm certificates M1-5 3-6 mos all