Wednesday, May 9, 2018

ICMC18: Update on the Automated Cryptographic Validation Program (ACVP)

Udate on the Automated Cryptographic Validation Program (ACVP) (C12a) Apostol Vassilev, NIST, United States; Tim Anderson, Amazon, United States; Harold Booth, NIST, United States; Shawn Geddis, Apple, United States; Barry Fussell, Cisco, United States; Bradley Moore, NIST, United States; Robert Relyea, Red Hat, United States

[Note: I cam in 25 minutes late and missed the demo]

Previously crypto vendors would lock down their releases against major OS releases, but with ACVP we an do more frequent validations. This just wasn't possible before at all.

Thinking to earlier talks - we need to think about the cost of not doing anything. It should not be compliance vs security (think to the airplane example), this way we can have both.

Given the pace of innovation, we are constantly doing production releases, but it's contrary to the FIPS 140-2 validation. Even if people wait for the validation, they often do not deploy it as described in the security policy, or allow restricted algorithms.

Faster and easier validations means more choices for governments and those that require validated products. That will bring the price down.

Question on anticipated cost - No answer, yet, but it can't be free. We have to be able to pay for hosting services at Amazon, developers and maintenance work on tool. Bigger companies may do a subscription model, smaller ones may want to do one-offs. Want to make it workable and affordable in both models.

The demo server is available now on git hub  - instructions are online on how to get access. Now is the time to come and play and find issues. This is going to be locked down this summer, so sooner rather than later would be good. This will be "shipped' in October.

Right now, only authorized vendors will be able to participate, will need some site visits, etc., to get set up. Processes still being defined.

when will the working group be open to the labs? NIST started out by working directly by talking to vendors, because they had accidentally outsourced that job to the labs. Want to continue to keep the dialogue open to vendors. Labs will have a role, but not necessarily in this working group (possibly via CMUF, etc).. It's  a lot of work and energy to handle what is currently happening, will figure out the right way to engage.

Will the NV lab certification for vendors be the same as the labs do today? If they want to be certified  as a lab - then, yes.  Do you have to do this if you want to keep working with CAVP? Only if you want to use the automated system, or  you can continue to work with a lab.

There will always be a demo environment to try against before you final testing, and even receive test vectors. You can integrate this into your CI (Continuous Integration) framework.  You should be doing this early and often. There is lots of documentation out there. Currently works in MacOS, Windows and Linux environments.

Right now, labs answer our questions - who will do that in the future? That could still be the labs, no reason they could not help you do this.

Good session!