The bug was introduced in 2012, and it took almost two years to be fixed. OpenSSL’s reputation took a serious hit in 2014 with the Heartbleed bug that allowed attackers to steal the information protected by the SSL/TLS encryption used for most secure Internet communication. Since May 25, 2002, the CMVP has only accepted test reports against FIPS 140-2. OpenSSL 3.0 has just been released after three years of development, and over 7,500 commits and contributions from over 350 different authors with a new FIPS module that awaits FIPS 140-2 validation by the end of the year, improved documentation, and a change to the Apache License 2.0.
The CMVP accepted test reports from CST laboratories against either FIPS 140-1 or FIPS 140-2 and the applicable DTR from Novemto when the transition period ended. FIPS 140-2 was signed on and became effective Novemwhen Derived Test Requirements for FIPS PUB 140-2, Security Requirements for Cryptographic Modules was published.
This is intended to provide clarifications of CMVP programmatic guidance, FIPS 140-2, FIPS 140-2 Derived Test Requirements, testing guidance, and guidance related to the implementation of Approved or non-Approved security functions. NIST and CSE have developed an Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program document for cryptographic module users, vendors and testing laboratories. The DTR lists all of the vendor and tester requirements for validating a cryptographic module, and it is the basis of testing done by the CST accredited laboratories.
FIPS 140-2 Annexes:
Annex A: Approved Security Functions
Annex B: Approved Protection Profiles
Annex C: Approved Random Number Generators
Annex D: Approved Key Establishment Techniques
Testing Requirements: Cryptographic module validation testing is performed using the Derived Test Requirements for FIPS PUB 140-2, Security Requirements for Cryptographic Modules.
The rating of an individual area may be more important than the overall rating, depending on the environment in which the cryptographic module will be implemented (this includes understanding what risks the cryptographic module is intended to address). It is important for vendors and users of cryptographic modules to realize that the overall rating of a cryptographic module is not necessarily the most important rating. On a vendor's validation certificate, individual ratings are listed, as well as the overall rating. For each area, a cryptographic module receives a security level rating (1-4, from lowest to highest) depending on what requirements are met.
An overall rating is issued for the cryptographic module, which indicates (1) the minimum of the independent ratings received in the areas with levels, and (2) fulfillment of all the requirements in the other areas. Security requirements cover 11 areas related to the design and implementation of a cryptographic module.
Cryptographic modules are tested against requirements found in FIPS 140-2, Security Requirements for Cryptographic Modules. NVLAP accredited Cryptographic and Security Testing (CST) Laboratories perform conformance testing of cryptographic modules. FIPS 140-2 (ending Sept-22-2021) Security Requirements for Cryptographic Modules