National Institute of Standards and Technology
Implementation Guidance for FIPS PUB 140-1, continued
PART 4 (sections 8-11)
Continued from Part 3 (sections 5-7)
Go to:
NOTE: Internal links will be added to this document in the near future...
Question/Problem
What methods for key management are currently FIPS-approved?
Resolution
FIPS 140-1 states that several aspects of key management must use FIPS-approved methods. Below is a list of currently acceptable FIPS-approved methods (as of the "Date Issued" listed above):
- Key generation:
- Note: Whenever a module generates a key to be used with a FIPS-approved algorithm (e.g., for generating/verifying a signature, encrypting another key, encrypting data, etc.), then that key shall be generated using one of the methods listed below.
- Pseudorandom number generation:
- ANSI X9.17, Financial Institution Key Management (Wholesale), Appendix C (referred to by FIPS 171, Key Management Using ANSI X9.17);
- FIPS 186, Digital Signature Standard (DSS), Appendix 3.1;
- FIPS 186, Appendix 3.2.
- Random number generation: Currently, there is no FIPS-approved random number generator. However, FIPS 186 allows for such a random number generator to be used in generating values for x and k (provided that in the future there exists a FIPS for random number generation - 10/29/97).
(10/29/97)
For key generation, FIPS 186 specifically states in Appendix 3 that "They (keys) shall be generated by the techniques given in this appendix, or using other FIPS approved security methods." This applies to the generation of any key used by a FIPS-approved algorithm, within a FIPS 140-1 cryptomodule. It is acceptable for the output of a random number generator to generate a seed value for one of the FIPS-approved pseudorandom number generators listed above, in order to generate keys.
- Key distribution:
- Secret key based:
- FIPS 171, Key Management Using ANSI X9.17
- Public key based: Currently, there is no FIPS-approved public-key based key distribution technique. Until such time as one is available, commercially available public key methods may be used.
Additional Comments
If there is a question concerning whether or not a particular public-key based key distribution method is acceptable or not, the vendor shall contact NIST either directly or through a CMT laboratory (if the vendor has a working relationship with such a lab) for a decision.
| Applicable Levels: |
ALL |
| Effective Dates: |
2/25/97- |
| Last Modified: |
|
| Relevant Assertions: |
AS08.08 |
| Relevant Test Requirements: |
TE08.08.01 |
| Relevant Vendor Requirements: |
VE08.08.01 |
Question/Problem
What public-key methods are acceptable to use in support of key management? Are there currently any FIPS-approved methods for this?
Resolution
FIPS 140-1 states that "Until such time as a FIPS-approved public key-based key distribution technique is established, commercially available public key methods may be used." [FIPS 140-1, 4.8.2]. Currently, there are no FIPS-approved public-key methods for distributing keys.
There are implementations of such methods which use a combination of a public-key algorithm and a hashing algorithm. In this case, the hashing algorithm used shall be a FIPS-approved hashing algorithm (e.g., FIPS 180-1, Secure Hash Standard (SHS)); use of a non-FIPS approved hashing algorithm in this situation would NOT be acceptable.
Additional Comments
If there is a question concerning whether or not a particular public-key based key distribution method is acceptable or not, the vendor shall contact NIST either directly or through a CMT laboratory (if the vendor has a working relationship with such a lab) for a decision.
Question/Problem
Can a key loader be part of the cryptomodule, and if so, what are the requirements at Level 3?
Resolution
If a key loader is not included as part of the cryptomodule, then the secret or private keys must pass from the key loader to the cryptomodule in one of the two ways listed in AS08.15 (encrypted or using split knowledge procedures). If the key loader is included as part of the module, then the secret or private keys must pass into the key loader in one of the two ways listed in AS08.15. Note that at Level 3 there are additional restrictions placed on key entry and user identification (refer to AS08.16). Also, defining the key loader to be within the cryptoboundary has implications on physical security requirements, among other areas (see the guidance on "Key loader physical security requirements at Level 3").
The requirements for key entry at Levels 3 and 4 (requiring entry of encrypted keys or using split knowledge procedures) were specified to allow for environments where dual control of keys is desired. The implication is carried in the requirements that the cryptographic module must have the capability to support a key entry function that requires more than one user to have control during the key entry process.
Additional Comments
| Applicable Levels: |
ALL |
| Effective Dates: |
6/1/97- |
| Last Modified: |
|
| Relevant Assertions: |
AS08.08 |
| Relevant Test Requirements: |
TE08.08.01 |
| Relevant Vendor Requirements: |
VE08.08.01 |
Question/Problem
If a cryptomodule implements FIPS 171 key management, and it is not a validated implementation of FIPS171 (i.e., there is no validation certificate that can be presented to the lab), what is tested and what information must be provided by the vendor?
Resolution
Since NIST's validation test suite for FIPS 171 is no longer operational, some other method is needed to determine if FIPS 171 requirements have been met. (A full-blown validation of ANSI X9.17 and FIPS 171 are not expected.) Thus, the following process will be used during FIPS 140-1 testing, within the scope of Vendor Required Information and Testing Requirements for AS08.08:
- The vendor provides the lab with written affirmation of compliance to FIPS 171. This affirmation shall include supporting statements which show how all 27 elements of FIPS 171 are addressed (particularly those X9.17 options which are specified as mandatory in FIPS 171), and shall identify exactly where these elements are addressed in the cryptomodule's source code. Some of the optional elements may in fact not be implemented - in that case, the vendor should indicate that these options are not implemented.
- Based on the vendor's written affirmation, the lab shall verify that the FIPS 171 elements affirmed to be implemented in the cryptomodule actually correspond with elements listed in FIPS 171. In addition, the lab shall verify that the mandatory elements in FIPS 171 are addressed in the written affirmation. (e.g., Vendor affirmation states that "Key notarization is implemented as required in element #10 of FIPS 171, and it occurs within the 'notarize_key()' function in the 'key_mgmt.c' file. This function is called from the following places within the source code: . . ."; the lab also verifies that key notarization is required by FIPS 171.)
- The lab then compares the cryptomodule code with the appropriate FIPS 171 element, referencing the appropriate specification in ANSI X9.17 as necessary. (e.g., The lab compares the key notarization implementation with steps listed in section 7.5 of ANSI X9.17 to verify that notarization is being done correctly.) This is intended to verify the correct implementation of the particular FIPS 171 requirement, and NOT the verification of all elements of ANSI X9.17. Verification by the lab is especially important for the 16 elements in FIPS 171 which are identified as "mandatory" or "forbidden".
Additional Comments
Question/Problem
Are there any particular requirements regarding the generation of initialization vectors?
Resolution
Requirements for the size and generation of DES initialization vectors are derived from FIPS 74 and FIPS 81:
IV Size: The required IV length for the various modes of DES, based on FIPS 74 and 81, is as follows:
| CBC |
64 bits |
| CFB |
48-64 bits |
| OFB |
64 bits |
IV Generation: There are several cases involving IV generation - one when the IV is generated externally, and then loaded into the module for use, and another when the IV is generated internally:
- IVs generated outside a 140-1 cryptomodule:
The randomness of externally generated IVs does not have to be checked by the module using that IV; however, the IV must be of the required minimum length for the appropriate DES mode (as indicated above).
In addition, if the IV is to be used with DES in the OFB mode, then it is not acceptable for the IV to remain fixed for multiple encryptions, if the same key is used for those encryptions.
- IVs generated inside a 140-1 cryptomodule:
- IVs generated within a module shall be pseudorandomly or randomly generated.
- IVs may be generated with a FIPS-approved pseudorandom number generator (PRNG) or random number generator (RNG) (see Guidance 8.1). In addition, FIPS 74 states that "The DES may be used as a pseudorandom number generator to generate the IV."
In the case where a module generates IVs with a method that is non-FIPS approved, then the lab shall 1) inform NIST/CSE of this fact, and 2) be able to demonstrate that the IV generator is capable of generating random data. This shall be accomplished by running one or more of the statistical random number generator tests from section 4.11.1 of FIPS 140-1, as required under TE08.05.01.
Any RNG or PRNG that is used to generate IVs shall fulfill all relevant requirements in FIPS 140-1, including the Continuous RNG self-test (AS11.22). There may be other applicable tests. For example, if level 3 or 4 is desired, then a statistical RNG/PRNG self-test must be implemented internally by the module (AS11.16).
Additional Comments
NOTE: All cryptographic algorithms (both FIPS-approved and non-FIPS approved) implemented in the cryptographic module shall be listed in the validation report. This information will then be included in the validation certificate.
| Applicable Levels: |
ALL |
| Effective Dates: |
2/25/97- |
| Last Modified: |
|
| Relevant Assertions: |
AS09.01 |
| Relevant Test Requirements: |
TE09.01.01 |
| Relevant Vendor Requirements: |
VE09.01.01 |
Question/Problem
What is the current set of FIPS-approved cryptographic algorithms?
Resolution
Below is the current list of FIPS-approved cryptographic algorithms:
- Encryption (Secret-key based):
- Data Encryption Algorithm, in FIPS 46-2, Data Encryption Standard (DES), using the various modes specified in FIPS 81, DES Modes of Operation.
- Skipjack Algorithm, referred to in FIPS 185, Escrowed Encryption Standard (EES) and specified in the R21 Technical Report entitled "SKIPJACK" (S) (R21-TECH-044-91), using the modes specified in FIPS 81.
- Electronic signatures (Secret-key based):
- Data Authentication Algorithm (a.k.a., Message Authentication Code (MAC)), in FIPS 113, Computer Data Authentication.
- Digital signatures (Public-key based):
- Digital Signature Algorithm (DSA), specified in FIPS 186, Digital Signature Standard (DSS).
- Hash (message digest) generation:
- Secure Hash Algorithm (SHA-1), in FIPS 180-1 (SHS).
Additional Comments
NOTE: See the guidance under section 8 in this document which lists the current FIPS-approved methods for:
- Key generation, and
- Key distribution.
| Applicable Levels: |
ALL |
| Effective Dates: |
2/25/97- |
| Last Modified: |
|
| Relevant Assertions: |
AS09.01 |
| Relevant Test Requirements: |
TE09.01.01 |
| Relevant Vendor Requirements: |
VE09.01.01 |
Question/Problem
Can a cryptomodule be validated even though it does not contain a FIPS approved cryptographic algorithm?
Resolution
No, a FIPS 140-1 cryptomodule must implement at least one FIPS-approved cryptographic algorithm in order to be a candidate for validation by NIST and CSE.
Additional Comments
| Applicable Levels: |
ALL |
| Effective Dates: |
2/25/97- |
| Last Modified: |
|
| Relevant Assertions: |
AS09.01 |
| Relevant Test Requirements: |
TE09.01.01 |
| Relevant Vendor Requirements: |
VE09.01.01 |
Question/Problem
Can an implementation of SHA-1 perform hashing only on byte-oriented data, or is it required to hash messages of any bit length?
Resolution
FIPS 180-1, the Secure Hash Standard, allows for the hashing of messages that are of any bit length ( < 264 bits), and does not require that messages be of a byte length (equal to a multiple of 8 bits). However, some cryptomodules, or interfaces to the cryptomodules, are designed to hash data only on a byte-oriented basis. As long as this hashing is performed correctly (i.e., in accordance with specs in FIPS 180-1), then this is acceptable.
If an SHA-1 implementation successfully passes SHA-1 validation tests for byte-oriented messages only, then the SHS Validation Certificate shall indicate that the implementation has been validated only for the hashing of byte-ordered data.
Additional Comments
| Applicable Levels: |
ALL |
| Effective Dates: |
4/9/98- |
| Last Modified: |
|
| Relevant Assertions: |
AS09.01 |
| Relevant Test Requirements: |
TE09.01.01 |
| Relevant Vendor Requirements: |
VE09.01.01 |
Question/Problem
What kind of testing must be done for a Triple DES implementation to be considered as part of the "FIPS-mode" of a validated cryptomodule, since there are currently no specific Triple DES validation tests? (Also see guidance G.6)
Resolution
If Triple DES is being implemented in a 140-1 module, then - until NIST has specific Triple DES conformance tests - in order for NIST to recognize that implementation, it must meet several critieria:
- the DES engine(s) used within the Triple DES implementation must be validated as conforming to FIPS 46-2/81 as appropriate; and
- it must implement one or more of the following modes of Triple DES (a.k.a. TDEA) listed in draft American National Standard X9.52, "Triple Data Encryption Algorithm" in section 3.3:
- TDEA Electronic Codebook Mode (TECB);
- TDEA Cipher Block Chaining Mode (TCBC);
- TDEA Cipher Block Chaining Mode - Interleaved (TCBC-I);
- TDEA Cipher Feedback Mode (TCFB);
- TDEA Cipher Feedback Mode - Pipelined (TCFB-P);
- TDEA Output Feedback Mode (TOFB);
- TDEA Output Feedback Mode - Pipelined (TOFB-P);
* Note that modes 8) TDEA Cipher Block Chaining with Output Feedback Masking (TCBCM) and 9) TDEA Cipher Block Chaining with Output Feedback Masking - Interleaved (TCBCM-I) will NOT be recognized as being FIPS 140-1 compliant.
Additional Comments
Question/Problem
Is it true that the FCC allows self-certification of a device to FCC Part 15, Subpart J, Class A (for business use)? If so, is self-certification acceptable for meeting the requirements of section 10?
Resolution
Below is a list of the procedures required for various devices to be deemed as conforming to FCC requirements in 47 CFR Part 15 for
- radio receivers, and
- personal computers and peripherals designated for
- business use (Class A), and
- home use (Class B)
This information was accurate at the time that this guidance was issued, and may change in the future as a result of FCC requirements changes.
[Part 15 applies to non-intentional emitters and low power transmitters. Low power transmitters (eg., garage door openers, <1W spread spectrum devices, and keyless entry systems) can achieve compliance with FCC requirements under Part 15.
(Subpart J does not apply to non-intentional radiators - this was changed in 1992. Non-intentional emitter requirements now reside in Subpart B of FCC Part 15.)
High power radio transmitters, and transmitters providing certain classes of service (eg., land mobile, business use, etc.) must be "Type Accepted" according to the appropriate Rule Part, which is based on the designated band and service that the transmitter is to be used.]
*Note that these are procedures that the vendor should have already taken with an FCC-approved lab - these are not new requirements for CMT labs. In each of the cases below, information is listed which a CMT lab shall require from a vendor. The information provided to the CMT lab shall be reflected in the 140-1 validation report.
- Radios (both transmitters and receivers)
- FCC Procedures:
- A "listed" lab tests a device for conformance to FCC requirements. ("Listed" means that the FCC has determined that a lab meets certain FCC criteria based on a filing of site description and site performance data--it does not imply accreditation by the FCC.)
- The lab issues a test report, and either the lab or vendor submits that report to the FCC, along with a formal Application for "Certification", "Notification" or "Type Acceptance", as required by the type of device. The applicant submits a proposed FCC ID Number which is composed of the combination of an FCC Grantee Code prefix (a 3 alpha-character code assigned by the FCC) and a number of discretionary suffix digits that are the choice of the applicant.
- If all is in order, the FCC Grants an Equipment Authorization; the vendor can then legally sell the equipment. The FCC ID number must be applied to the equipment with appropriate warning statements on the label and in the user's manual.
- ***CMT Lab Procedures (applicable to AS10.01):
- The CMT lab shall request the FCC ID number from the cryptomodule vendor.
- Personal Computers and Peripheral Equipment: non-intentional emitters (Class A - business use)
- FCC Procedures:
- A facility with equipment and a site that satisfies the FCC's requirements tests a device for conformance to FCC requirements.
- The lab issues a test report to the vendor.
- The vendor then puts a sticker bearing the proper warning statement on its equipment. However, this sticker does NOT bear an FCC ID number, since no such number is issued.
- ***CMT Lab Procedures (applicable to AS10.02):
- The CMT lab shall request the following information from the cryptomodule vendor:
- the name of FCC testing laboratory,
- the ID# of lab's test report, and
- the test report date.
- PCs and Peripherals (Class B - home use)
There are two types of procedures approved by the FCC which may be used by a vendor with a Class B product:
- FCC Procedure #1:
- Procedure 1 is basically identical to the procedure used for radio equipment described in section I above.
- ***CMT Lab Procedures (applicable to AS10.03):
- The CMT lab shall request the FCC ID Number from the cryptomodule vendor.
- FCC Procedure #2:
- Procedure 2 (a.k.a. "Declaration of Conformity", adopted by the FCC on May 9, 1996, and announced in the FCC's Report and Order, "FCC-96-208"):
- An accredited lab (accredited by either NVLAP or A2LA to do FCC testing for Part 15) tests a device for conformance to FCC requirements, and issues a test report to the vendor.
- The vendor then makes a "Declaration of Conformity" (DoC). This document is kept on file by the vendor - it is not filed with the FCC, but it is a releasable document.
- The vendor places a label on the equipment with the FCC logo and appropriate warning statement.
- ***CMT Lab Procedures (applicable to AS10.03):
- The CMT lab shall request a copy of the DoC from the vendor, and identify this in the 140-1 validation report.
Additional Comments
- In order to obtain the proper information from the cryptomodule vendor, it is suggested that the CMT lab ask the vendor to "provide the status of FCC approval, and whether it is Class A or Class B (if it's a PC or peripheral)"
- The list of NVLAP-accredited FCC testing laboratories can be found here.
Note that the FCC also uses laboratories accredited by other bodies, including the American Association for Laboratory Accreditation (A2LA). The A2LA home page, with a list of their accredited laboratories, is located here.
| Applicable Levels: |
ALL |
| Effective Dates: |
2/25/97- |
| Last Modified: |
|
| Relevant Assertions: |
AS11.09 |
| Relevant Test Requirements: |
TE11.09.01-.02 |
| Relevant Vendor Requirements: |
VE11.09.01 |
Question/Problem
Is resetting or rebooting an acceptable method of initiating power-up self-tests on demand? Is this also an acceptable method for initiating conditional self-tests?
Resolution
Yes, resetting and rebooting a cryptomodule are acceptable means for initiating BOTH power-up self-tests on demand as well as conditional self-tests.
Additional Comments
Question/Problem
How can a known answer test be implemented for the DSA algorithm?
Resolution
In order to perform a known answer test (KAT) for the DSA algorithm, the cryptomodule would have to be able to regenerate a known signature value each time the test is performed. Signature generation with the DSA involves the generation of a k value, which would have to be fixed in order to regenerate a particular signature value. However, FIPS 186 (DSS) requires that "Parameter k must be regenerated for each signature."
For the DSA known answer test, requiring an implementation to fix the k value for self-testing purposes may pose a greater risk than not implementing a known answer test at all, plus it contradicts the requirement in FIPS 186 quoted above. Thus, it is acceptable for a cryptomodule to not implement a DSA KAT.
HOWEVER, if a DSA KAT is not implemented, then there MUST be a pairwise consistency test for the DSA algorithm (see AS11.19). This test checks to see that signatures generated by the cryptomodule are verifiable, and it shall be implemented on each DSA key pair.
Additional Comments
The absence of a DSA known answer test in a cryptomodule will be noted in an accompanying implementation note.
| Applicable Levels: |
ALL |
| Effective Dates: |
2/25/97- |
| Last Modified: |
|
| Relevant Assertions: |
AS11.20 |
| Relevant Test Requirements: |
TE11.20.01-.04 |
| Relevant Vendor Requirements: |
VE11.20.01 |
Question/Problem
Who may control the key for generating a DAC or digital signature on software or firmware to be loaded into the cryptomodule? May a user who is not the manufacturer of the module control the key, and if so, under what circumstances?
Resolution
FIPS PUB 140-1 does not, in fact, stipulate who is to control a cryptographic key used to sign software. The requirements regarding this test are (1) "a cryptographic mechanism using a FIPS approved authentication technique . . . shall be applied to all validated software and firmware that can be externally loaded into a cryptographic module", and (2) "software and firmware that has been validated by the FIPS 140-1 Validation Program is considered to be validated software and firmware." (FIPS 140-1, 4.11.2).
However, if the cryptomodule manufacturer wishes to continue labeling products as complying with FIPS 140-1, then the manufacturer must continue to use a validated version of the cryptographic module software/firmware. Therefore, the manufacturer's responsibility includes ensuring that additional software/firmware is validated before loading it into the cryptomodule. If the manufacturer provides another entity with the signature key, then the manufacturer must ensure that the signer of the software is acting on the manufacturer's behalf. Normally, the manufacturer would sign the software before it was sent to the laboratory for validation testing. Once validated, the signed software could be loaded by any designated party.
Additional Comments
| Applicable Levels: |
ALL |
| Effective Dates: |
2/25/97- |
| Last Modified: |
|
| Relevant Assertions: |
AS11.14 |
| Relevant Test Requirements: |
TE11.14.01-.06 |
| Relevant Vendor Requirements: |
VE11.14.01 |
Question/Problem
AS11.14 indicates that an Error Detection Code (EDC) is an acceptable method for testing the integrity of the firmware. TE11.14.01 implies that the EDC must be FIPS-approved. What non-FIPS approved algorithms are acceptable for the calculation of EDCs that are used for software authentication? For example; is a Cyclical Redundancy Check (CRC) sufficient for an EDC?
Resolution
A FIPS-approved EDC is the Data Authentication Code (DAC) specified in FIPS 113, Computer Data Authentication.
The intent of TE11.14.01 is to have the tester verify which of two types of techniques, 1) a non-FIPS approved EDC or 2) a DAC, is used to verify the integrity of the software. Pursuant to the results of TE11.14.01, if the tester determines that an EDC is used, then test TE11.14.02 is to be performed; if a DAC is used, than test TE11.14.03 is to be performed. Test TE11.14.01 fails if the tester is unable to determine what authentication technique, if any, is being used to verify the integrity of the firmware or software.
Therefore, TE11.14.01 does not require the EDC to be FIPS-approved. A known technique such as the CRC may be used (or other common non-cryptographic firmware verification techniques); in which case TE11.14.02 applies if the tester can determine that this is the technique used. However, if a DAC is used that contains cryptographic operations such as hashing to a known value, a MAC, or a digital signature, then a FIPS-approved algorithm must be used (e.g., DSA), and either TE11.14.03 or TE11.14.04 is applicable.
Additional Comments
Continue to Part 5: Expired Guidance