FIPS2009
Contents
NSS FIPS 140 2009 validation
Softoken is a component of NSS, and has a separate version number. The version of softoken FIPS validated in 2009 is 3.12.4 and is in NSS 3.12.4 and NSS 3.12.5 and NSS 3.12.6. Binaries are available here.
April 2010 NSS Softoken has finished its validation NSS Certs.
The next NSS FIPS validation info is available at FIPS_Validation.
Platforms for 2009/2010
- Level 1
- Windows XP Service Pack 2
- Mac OS X 10.5
- Level 2
- RHEL 5 x86 32 bit
- RHEL 5 x86 64 bit
- Solaris 10 64-bit SPARC v9
- Solaris 10 32-bit SPARC v8+
- Solaris 10 32-bit x86
- Solaris 10 64-bit x86_64
Algorithms
Plan is to validate all FIPS-approved algorithms that NSS implements and NIST has tests for. There are eight such algorithms.
| Algorithms | Key Size | Modes | Certificates |
|---|---|---|---|
| TripleDES | KO 1,2,3 (56,112,168) |
TECB(e/d; KO 1,2,3) |
#822 NSS Extended ECC Build |
| AES | 128/192/256 |
ECB(e/d; 128,192,256) |
#1127 NSS Extended ECC Build |
| SHS (including all variants: SHA-1, SHA-256, SHA-384, and SHA-512) |
SHA-1 (BYTE-only) |
N/A |
#1049 NSS Extended ECC Build |
| HMAC |
HMAC-SHA1, HMAC-SHA256, |
KeySize < BlockSize, |
#637 NSS Extended ECC Build |
| DRBG | N/A |
Hash_DRBG of NIST SP 800-90 |
#17 NSS Extended ECC Build |
| DSA | 512-1024 |
PQG(gen)MOD(1024); |
#367 NSS Extended ECC Build |
| RSA | 1024-8192 |
ALG[RSASSA-PKCS1_V1_5]; SIG(gen); SIG(ver); |
#534 NSS Extended ECC Build |
| ECDSA
(Extended ECC) |
163-571 |
PKG: CURVES( ALL-P ALL-K ALL-B ); |
|
| ECDSA
(Basic ECC) |
256-521 |
PKG: CURVES( ALL-P P-256 P-384 P-521 ); |
Dependant Bugs
| Bug | Description | Completed |
|---|---|---|
Testing Lab
FIPS 140 Information
NIST Cryptographic Module Validation Program
NSS FIPS 140-2 Validation Docs
NSS FIPS 140-2 Validation Docs
FIPS 140-2 Derived Test Requirements (DTR)
FIPS 140-2 Derived Test Requirements (DTR)
Vendor Information
NSS is actively supported and maintained by the following corporations:
Sun Microsystems, Inc.: http://www.sun.com/contact/
Red Hat, Inc.: http://www.redhat.com/about/contact/
Mozilla Foundation, Inc.: http://www.mozilla.org/contact/
Schedule
| Milestone | Item | Deps | Time | Who | Completed |
|---|---|---|---|---|---|
| M1 | Initial Setup | ||||
| 1a | Choose validation Lab, approve costs, and sign NDA | all | all | Atlan | |
| 1d | Define Algorithms, Key Sizes and modes | ||||
| M2 | Complete NSS 3.12 FIPS dependant bugs | ||||
| M3 | Update documentation (numbers in parentheses refer to sections in FIPS documentation) | ||||
| 3a. | (1.0) Security policy, new algorithms | 1d | 2 wks | all | |
| 3b. | Generate annotated source tree (LXR -> HTML) | M2 | |||
| 3c. | (2.0) Finite State Machine | 3b | 3 wks | ||
| 3d. | (3.0/4.0) Cryptographic Module Definition | 3b | 2 wks | ||
| 3e. | (6.0) Software Security (rules-to-code map) | 3b | 2 wks | ||
| 3f. | (8.0) Key Management Generate 20K random #'s | 1 day | |||
| 3g. | (9.0) Cryptographic Algs | 3a | 3 days | ||
| 3h. | (10.0) Operational Test Plan | 1 day | |||
| 3i. | Document architectural changes between 3.2 and 3.11 | 5 days | |||
| M4 | Send docs to testing lab | ||||
| 4a. | Security Policy | all | |||
| 4b. | Finite State Machine | 3c | |||
| 4c. | Module Def. / rules-to-code | 3d,3e | |||
| M5 | Operational validation | ||||
| 5a. | Algorithm testing | 1 month | |||
| 5b. | Operational testing | 3h | 1 week | ||
| 5c | set up machines for Lab to run operational tests on, provide Lab tech with access to machines (last time we both sent a box to the lab and set up a temporary account in the intranet for them) | ||||
| M6 | Internal QA of docs | M2-M5 | 1 week | all | |
| M7 | Communication between NSS team / Lab / NIST about status of validation / algorithm certificates | M1-5 | 3-6 mos | all |
