FIPS Validation
NSS FIPS 140 validation
NSS has completed FIPS 140 validation four times: 1997, 1999, 2002, and 2007. This page documents our recent NSS FIPS 140 validation.
Target Release: Softoken 3.11.4
Softoken is a component of NSS, and has a separate version number. Softoken 3.11.4 is in NSS 3.11.4 and NSS 3.11.5, which means these two versions of NSS will both be FIPS 140 validated.
Updates
August 27, 2007: Our Level 2 cert has been issued! NSS Level 2 Cert
August 8, 2007: Our Level 1 cert has been issued! NSS Level 1 Cert
August 2, 2007: we advanced to Finalization state according to FIPS 140-2 Pre-validation List. This means the certs should be issued soon.
March 23, 2007: we advanced to Coordination state according to FIPS 140-2 Pre-validation List. This means we are in the final stages, answering questions from NIST. One more state to go...
January 18, 2007: we advanced to the In Review state on the FIPS 140-2 Pre-validation List. This means the two-month wait for a NIST reviewer to be assigned to our case is over.
November 16, 2006: Aspect Labs submitted the test report to NIST for validation. We advanced to the Review Pending state on the FIPS 140-2 Pre-validation List.
June 30, 2006: we have received the remaining four algorithm certificates: RNG (certificate #208), DSA (certificate #172), RSA (certificate #152), and ECDSA (certificate #30).
June 23, 2006: we are now on the FIPS 140-2 Pre-validation List.
June 15, 2006: we addressed the deficiencies in Chapter 1-4 of the documentation.
April 13, 2006 status: we are having RNG, DSA, and RSA validated now. We are updating our Security Policy and writing our responses to the vendor requirements in the FIPS 140-2 Derived Test Requirements (DTR).
January 20, 2006 status: we have received four algorithm certificates: AES (certificate #352), Triple DES (certificate #410), SHS (certificate #426), and HMAC (certificate #152).
Platforms
- Level 1
- RHEL 4 x86 (was: RHEL 3 x86)
- Windows XP Service Pack 2
- 64-bit Solaris 10 AMD64
- HP-UX B.11.11 PA-RISC
- Mac OS X 10.4
- Level 2
- RHEL 4 x86_64 (was: RHEL 4 x86)
- 64-bit Trusted Solaris 8 SPARC
Schedule
| Milestone | Item | Deps | Time | Who | Completed |
|---|---|---|---|---|---|
| M1 | Initial Setup | ||||
| 1a | Choose validation Lab, approve costs, and sign NDA | all | all | Aspect Labs | |
| 1b | Review FIPs 140-2 and compare to FIPS 140-1 | all | X | ||
| 1c | Aspect Labs Training course June 21st and June 22nd | X | |||
| 1d | Define Algorithms, Key Sizes and modes | X | |||
| M2 | Complete NSS 3.11 FIPS dependant bugs | X | |||
| M3 | Update documentation (numbers in parentheses refer to sections in FIPS documentation) | ||||
| 3a. | (1.0) Security policy, new algorithms | 1d | 2 wks | all | x |
| 3b. | Generate annotated source tree (LXR -> HTML) | M2 | x | ||
| 3c. | (2.0) Finite State Machine | 3b | 3 wks | x | |
| 3d. | (3.0/4.0) Cryptographic Module Definition | 3b | 2 wks | x | |
| 3e. | (6.0) Software Security (rules-to-code map) | 3b | 2 wks | x | |
| 3f. | (8.0) Key Management Generate 20K random #'s | 1 day | x | ||
| 3g. | (9.0) Cryptographic Algs | 3a | 3 days | x | |
| 3h. | (10.0) Operational Test Plan | 1 day | x | ||
| 3i. | Document architectural changes between 3.2 and 3.11 | 5 days | x | ||
| M4 | Send docs to testing lab | x | |||
| 4a. | Security Policy | all | x | ||
| 4b. | Finite State Machine | 3c | x | ||
| 4c. | Module Def. / rules-to-code | 3d,3e | x | ||
| M5 | Operational validation | x | |||
| 5a. | Algorithm testing | 1 month | x | ||
| 5b. | Operational testing | 3h | 1 week | x | |
| 5c | set up machines for Lab to run operational tests on, provide Lab tech with access to machines (last time we both sent a box to the lab and set up a temporary account in the intranet for them) | x | |||
| M6 | Internal QA of docs | M2-M5 | 1 week | all | x |
| M7 | Communication between NSS team / Lab / NIST about status of validation / algorithm certificates | M1-5 | 3-6 mos | all | x |
Algorithms
Plan is to validate all FIPS-approved algorithms that NSS implements and NIST has tests for. There are eight such algorithms:
| Algorithms | Key Size | Modes | Testing Completed |
|---|---|---|---|
| TripleDES | KO 1,2,3 (56,112,168) |
TECB(e/d; KO 1,2,3) |
Certificate #410 for x86 CPUs |
| AES | 128/192/256 |
ECB(e/d; 128,192,256) |
|
| SHS (including all variants: SHA-1, SHA-256, SHA-384, and SHA-512) |
SHA-1 (BYTE-only) |
N/A | |
| HMAC |
HMAC-SHA1, HMAC-SHA256, |
KeySize < BlockSize, |
|
| RNG | N/A |
FIPS 186-2
[(x-Change Notice);
(SHA-1)] |
|
| DSA | 512-1024 |
PQG(gen)MOD(ALL); |
|
| RSA | 1024-8192 |
ALG[RSASSA-PKCS1_V1_5]; SIG(gen); SIG(ver); |
|
| ECDSA
(Extended ECC) |
163-571 |
PKG: CURVES( ALL-P ALL-K ALL-B ); |
|
| ECDSA
(Basic ECC) |
256-521 |
PKG: CURVES( ALL-P P-256 P-384 P-521 ); |
In this validation, we should validate AES and Triple DES first because their implementations are stable. Next we should test SHS because RNG and DSA depend on SHA-1. After SHS is tested, we can test HMAC. Finally, when the new RNG and big num library code is checked in, we can test the rest of the algorithms (RNG, DSA, and RSA).
Dependant Bugs
| Bug | Description | Completed |
|---|---|---|
| 259135 | power-up self-tests needed for SHA-256,384,512 and AES | Completed |
| 294106 | Implement the recommended PRNG changes described in FIPS 186-2 Change Notice 1 | Completed |
| 298506 | Implement logging for auditable events required by FIPS 140-2 | Completed |
| 298511 | Increase FIPS 186-2 RNG internal state size | Completed |
| 298512 | Ensure the seed and seed key input for RNG do not have same value for FIPS 140-2 | Completed |
| 298513 | Implement pairwise consistency test for key transport key generation FIPS 140-2 | Completed |
| 298514 | Implement pairwise consistency for digitial signature key generation for FIPS 140-2 | Completed |
| 298516 | Implement minimum length of PINs for FIPS 140-2 mode | Completed |
| 298517 | Implement minimum time intervals for login attempts failures for FIPS 140-2 | Completed |
| 298520 | Implement key establishment must be as secure as the strength of the key being transported for FIPS 140-2 | Completed |
| 298522 | Implement more power-up self tests, such as HMAC, RSA for FIPS 140-2 | Completed |
| 305984 | Update the isFIPS information SSLCipherSuiteInfo table | Completed |
| 318958 | Implement TDEA algorithm tests for FIPS 140-2 validation | Completed |
| 318962 | Implement SHS algorithm tests for FIPS 140-2 validation | Completed |
| 318964 | Implement HMAC algorithm tests for FIPS 140-2 validation | Completed |
| 318966 | Implement RNG algorithm tests for FIPS 140-2 validation | Completed |
| 318967 | Implement DSA algorithm tests for FIPS 140-2 validation | Completed |
| 318970 | Implement RSA algorithm tests for FIPS 140-2 validation | Completed |
| 312395 | Enhance fipstest to perform FIPS AES algorithm testing | Completed |
| 342362 | Need https://ftp.mozilla.org for secure download of NSS releases. | Completed |
Bugs to Fix
After we submitted the NSS cryptographic module version 3.11.4 to NIST for validation, we found some bugs that are not serious enough to warrant retesting, but should be fixed if we have a chance to make changes to the module.
- Bug 361089: memory leak in mp_bdivmod. (in NSS 3.11.7) Note: This bug fix requires retesting the ECDSA (Extended ECC) implementation.
- Bug 331404: NSS may crash in initialization when windows file system contains REALLY OLD files. (in NSS 3.11.7) Note: The msvcr80.dll bug seems to have been fixed in Visual C++ 2005 SP1.
- Bug 362173: The NSS cryptographic module should have its own version numbers. (in NSS 3.11.6)
- Bug 362404: the browser's security component could not be initialized on Windows 95 OSR2.
- Bug 51429: RNG_SystemInfoForRNG possible "netstat" zombie process (in NSS 3.11.6)
- Bug 364684: NSS crashes when slot's session handle counter overflows. (in NSS 3.11.6)
Testing Lab
FIPS 140 Information
NIST Cryptographic Module Validation Program
NSS FIPS 140-2 Validation Docs
NSS FIPS 140-2 Validation Docs