Friday, November 6, 2015

ICMC15: Commonly Accepted Keys and CSPs Initiative

Ryan Thomas, FIPS 140-2 Program Manager, CGI Global Labs

Vendors understand their products and security, but are mystefied with how to list keys/CSPs in the way that the CMVP want.

The labs understand the requirements, and review any different types of vendor submissions that meet the requirements - and really want to provide something that is consistent and easy to review by CMVP.

Ryan has the idea to make life simpler, by creating a shared template for Keys and CSPs table.  He's gotten feedback already from CMVP.

Vendors will benefit from a pre-populated list that they can customize to your implementation - saves time and effort!

This isn't perfectly straight forward - will vary by software vs hardware modules.  Does it have persistent or ephemeral keys?  If it's software, likely are not making key storage claims.

Picture of template.....

Column #1 - Key/CSP Name. Mapped to NIST SP, ISO or IETF RFC - ie normalized names, a consistent and clear name that means the same thing to everyone.

Column #2 - Key/CSP type - type of key, algorithm and size.

Column #3 - Generation Input. Explain how the keys are derived or generated. If it's entered, specify if the CSP is entered electronically or manually/encrypted or plain text.

Column #4 - Output - encrypted or plain text

Column #5 - Storage. is it stored in memory, flash, HD, etc. ( encrypted or not). (there seemed to be 2 #4 columns,  so my numbering is off).

Column #6 - Use. how is the key used during module operation?  Needs to be mapped directly to an approved service that the crypto module performs.

Column #7 - Zeroization. How will the CSP be zeroized?  All possible techniquest need to be listed.

As for case studies, Ryan started with a "simple" IST SP 800-90A hash based DRBG.  Still found some inconsistencies.

More difficult are network protocols, like SSH, SNMP, IPsec and IKE - IKE is particularly tough.

TLS has a lot of potential rows, so want to work with the CMVP on this one as well, before showing to the public.

This will get posted to the CMUF (Cryptographic Module User Foundation?) site, contact Matt Keller if you need access.

Jennifer Cawthra, CMVP Program Manager, NIST - notes that this would really be appreciated, as it will help speed up their reviews, etc.  They are also looking for a security policy template - which the CMUF is also thinking of picking up.

From a vendor perspective, this looks pretty cool.  I think by having a standard template, we could then freely discuss with other vendors and not have to worry about disclosing some proprietary format, there could be websites to help walk us through, etc.


Post by Valerie Fenwick, syndicated from Security, Beer, Theater and Biking!