Randall Easter, NIST, Security Testing, Security Management & Assurance Group
FIPS 140-1 was published in January 1994, and a year later there came the Derived Test Requirements and guidelines for how to test to these DTRs. The standard has continued to evolve over the last 20 years. FIPS 140-2 was published in May 2001. The DTRs cannot be written until after the standard has stopped fluctuating, which is why there's always a delay.
The goal of the Cryptographic Module Validation Program (CMVP) is to show a level of compliance to given standards. They also desire to finish the testing and validation while the software/hardware is still current and shipping (ed note: not a goal that has been consistently met in recent years - goals and budget do not always align).
NISTs goal is to reevaluate standards every 5 years to make sure they are still current.
A request for feedback and comments on FIPS 140-2 came out in 2005. At the same time, the international community wanted to have a rough international equivalent of FIPS 140. ISO/IEC 19790: 2006 was published in March 2006, which was a rough equivalent to FIPS 140-2. This included editorial changes to clarify items that people were interpreting differently - perhaps roughly equivalent to Implementation Guidance we've received for FIPS 140-2?
The original goal of doing ISO/IEC standard in parallel with FIPS 140-3, so that we could get the best of both worlds. International participation and an international standard, and a new FIPS 140 document at the same time. The problem with ISO standards - they are worked on privately and even the "public" final version must be purchased. The FIPS 140 standards are downloadable for free from NIST's website.
ISO/IEC 19790:2012 was pulbished on August 15, 2012 and the DTRs came out in January 2014.
The draft for FIPS 140-3 came out in January 2005, but never became a formal standard. What happened?
Mr. Easter noted that there was a change of ownership of the document and FIPS 140-3 quickly diverged from ISO. ISO has very strict standards about meeting twice a year, and insists on progress or your work will be dropped. Work on FIPS 140-3 stalled in NIST... but work had to forge ahead with ISO.
Mr. Easter, editor of the ISO document, is happy with how it's come out. :-)
While ISO/IEC 19790:2012 has been out since... 2012, NIST has not formally announced that their intention is to move to this standard. That lack of announcement seems to be a political one, as the person that should be making that announcement hasn't been hired, yet....
One interesting change in the ISO document is that it covers algorithms that are not approved by the US Government, but are used regularly by the international community. There is a concept of a wrapper document where more algorithms could be added and clauses modified - but the more someone does that, it will cause standard divergence.
The ISO document was worked on by the international community and circulated to all of the labs that do FIPS 140-2 validations to provide comments. Mr. Easter believes it was better circulated than a NIST review would be. I would disagree here, as ISO is a closed process, so developers could not provide feedback from their sides (and believe me - developers and labs speak a different language, and I am certain our feedback would've been unique and valuable)
ISO/IEC 19790:2012 contains new sections on Software Security
and Non-Invasive Security, and have removed the Finite State Model. FIPS 140-2 was very hardware specific - built around hardware DES modules. The new standard acknowledges that software exists. ;-)
NIST did hold a Software Security Workshop in 2008, to try to learn more about how software works. Software could then be validated to higher levels and were tied to Common Criteria. Based on input from this workshop, the levels software could validate against were changed and the relationship to Common Criteria was severed - that made it into the 2009 draft of FIPS 140-3. Unfortunately, that was the last draft of FIPS 140-3 and the standard never became final.
Looking at an appendix of FIPS 140-2 vs ISO/IEC 19790:2012 - very similar, with the notable differences, like Finite State Model being dropped and a new software/firmware section added. There's now guidance on non-invasive security testing and sensitive security parameter management.
The Annexes of ISO/IEC 19790:2012 sound more helpful - there's an entire appendix telling you what the documentation requirements are. I n FIPS 140-2, you just had to troll your way through the entire document and hope you caught all of the "though shall document this" clauses.
One of the annexes is about approved authentication mechanisms... unfortunately, at this time, there are no formal authentication mechanisms. Hopefully that can be covered in Implementation Guidance.
The big goals for ISO/IEC 19790:2006 were to harmonize with FIPS 140-3 (140-3 will now be a wrapper document referring to the ISO document), editorial clarifications from lessons learned (Randy noted that he wasn't even sure exactly what he was trying to say when he re-read things years later ;), incorporation of all of the FIPS 140-2 implementation guidance and most of all entropy guidance (ah, entropy.... ).
Additionally, need to address new technologies - we're putting entire algorithms on chips, and sometimes just pieces of algorithms. How does that fit into the boundary? That is where technology is going, and a modern standard needs to understand that and take it into consideration, in ways that FIPS 140-2 simply couldn't have conceived.
Software will take advantage of this - it only makes sense, but that starts to put us into hybrid mode. This is covered in the new ISO standard, not just as implementation guidance.
The new ISO standard addresses the trusted channel without reference to Common Criteria. ISO/IEC 19790:2012 added a new requirement - a service to query version information. This is interesting to us in OS land, as our FIPS version number and OS version number are not the same. See this with other software vendors as well.
Integrity check is simpler for level 1 in this new standard, but more difficult for levels 2 and higher.
The new software security requirements section is definitely an improvement over FIPS 140-2, but still not as good as it could be. ISO did not get very much feedback on this section in the time frame where they made the request.
The ISO standard had to remove the reliance on Common Criteria, as NIAP is moving away from those evaluations and the protection profiles are up in the air. The ISO group didn't want to tie themselves to a moving target, instead added specific requirements for things like auditing that the operating system should provide, if you want to get Level 2. In general, software won't be able to get over Level 2 in this new standard.
An interesting side note, you can actually have a "mix & match" of your levels. You could have "Level 2" for certain levels, and have an overall "Level 1" validation (based around your lowest section). For example, for United States Post Office postage meters they want Level 3 Physical Security, but overall Level 2 for everything else. It's important that people cannot break into the machine, but things like RBAC (role based access control) are not as important.
ISO/IEC 19790 added new temperature requirements. That is, you have to test at the extremes that the vendor claims the module operates at. Though, if the vendor only wants to claim at ambient temperature - that would be noted in the security policy. They should be tested at the "shipping range" as well. Reason? Imagine leaving your epoxy covered Level 4 crypto device on a dashboard of a car in the summer.... well, that epoxy melts. Would it really still be a Level 4 device after that? No, so temperature range is important.
We no longer require all of the self-tests be completed before the module is run. For example, if you're going to use AES - you only need to run the known answer tests on AES, not on ALL of the algorithms. NIST understood that for devices like contactless smartcards - can't wait forever for the door to open to your office. Now power-on-self-tests are conditional, as opposed to required all the time.
The new standard adds periodic self tests, at a defined interval (with option to defer when critical operations are already in use).
There is a new section on life-cycle assurance and coverage for End of Life - what do you do with this crypto box when you're upgrading to the shiny new hardware?
Keep in mind that this is still a revision of FIPS 140-2. It is not a completely new document. The document will seem familiar, but it should overall be more readable and provide greater assurance. We didn't add things just because they sounded like fun ways to torture the vendor, even if some vendors may think that ;-)
Questions from the audience: "Will we be getting rid of Implementation Guidance?" No, we can't possibly guarantee to get everything correct in the first standard, and technology changes faster than the main document. "Can we stop calling it Guidance? If vendors can't refuse to do it, then it's not guidance." It's always been called that, you can choose to not follow it - but you won't pass your validition. Maybe we should change the name, a contest perhaps? (Suggestion from the audience, "call it requirements, as that's what they are - you are required to follow them") My suggestion: call them "Implementation Clarifications". The word "guidance" is too much associated with advice, which this is not soft advice.
Merci! - Have you heard of the Croquembouche [CROCK-you-EAM-butchy]? It's a French thing. Well, if not, here's what it's *supposed* to look like: So kinda like o...