FIPS 140-2 Cryptographic Module Testing

SAIC provides cryptographic module testing in support of validation for unclassified uses of cryptography. We offer compliance assessments and conformance testing against the Federal Information Processing Standard (FIPS) 140-2, with planning support for FIPS 140-3.

Trying to select a cryptographic and security testing laboratory?

SAIC is now your single source for testing and evaluation. We know the Common Criteria, we know the Federal Information Processing Standard (FIPS) 140, and we know how they play together.

SAIC's Cryptographic and Security Testing laboratory has received accreditation (NVLAP Lab Code 200427-0 and 200492-0) from the National Institute of Standards and Technology (NIST), National Voluntary Laboratory Accreditation Program (NVLAP) for the testing of FIPS 140-1 and FIPS 140-2, Security Requirements for Cryptographic Modules, and for testing FIPS-approved algorithms.

Our cryptographic and security testing laboratory is a leader in many areas:

  • We completed the first FIPS 140-2 validation
  • We have completed the most FIPS 140-2 validations
  • We have been selected to perform multiple evaluations by 30+ clients

Why evaluate?

Federal agencies that procure cryptography require your module to be validated as conformant to FIPS 140-2; a vendor's own claim of compliance is not sufficient. Federal policy requires that cryptography used to protect sensitive, unclassified data in federal information systems be implemented in a FIPS 140-2 validated module.

FIPS 140-2 Validation Testing

The SAIC process begins with a FIPS 140 compliance assessment that helps clients define the cryptographic module boundary and assess the state of all required documentation. It continues with FIPS 140-2 validation testing at Security Levels 1 through 4 for both software and hardware implementations. SAIC verifies your module and its documentation against each assertion of the Derived Test Requirements (DTR).

FIPS 140-2 Compliance Assessment

SAIC's Compliance Assessment service provides clients with the necessary information to successfully and efficiently validate their product(s). This two-day seminar is ideal for companies exploring:

  • FIPS 140-2 validation for the first time
  • FIPS 140-2 validation for a new product line
  • FIPS 140-3 planning purposes

If you are considering putting your product through FIPS validation, then we can help. Our compliance assessment provides you with an in-depth review of how your product architecture measures up to the FIPS standards, as well as how to plan for future standards.

During our compliance assessment, we explain the intricacies of validation, giving you and your company a better understanding of the FIPS requirements and processes. We then analyze each security area of the product against the FIPS standard and identify any aspects of your design that do not meet its requirements.

Our interactive compliance assessment will provide you with answers to the following questions:

  • What documents must be provided during the validation process?
  • What hardware/software changes are necessary to bring our product into full compliance?
  • How much will my validation cost (internal and external [lab and government] costs)?
  • How do we effectively define the cryptographic boundary to minimize the number of validations?

At the end of the compliance assessment, the roadmap for validation will be clear. While there may be several different routes, you will be able to confidently and intelligently weigh the pros and cons of each route.

Algorithm Validation Testing

SAIC verifies that your algorithm implementation conforms to a FIPS-approved algorithm and submits passing results to NIST's Cryptographic Algorithm Validation Program (CAVP), which issues the algorithm validation certificates that a FIPS 140-2 module validation depends on.

Using in-house developed tools, we handle all aspects of algorithm testing for you. Our custom tool is designed for and executes on a large number of platforms, including: AIX, Debian, HP-UX, NetWare, PocketPC, Red Hat, SuSE, Solaris, and Windows. With our algorithm testing suite, we can provide quick turnaround on the validation of your cryptographic implementations.

The following is a list of cryptographic algorithms we can validate:

  • AES (FIPS 197)
  • Digital Signature Algorithm (FIPS 186-2)
  • Elliptic Curve DSA (FIPS 186-2)
  • HMAC (FIPS 198a)
  • RNG (FIPS 186-2, ANSI X9.31, ANSI X9.62, and SP 800-90)
  • RSA (PKCS#1 v1.5, PKCS#1 PSS, and ANSI X9.31)
  • SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 (FIPS 180-2)
  • Skipjack (FIPS 185)
  • Triple DES (FIPS 46-3)
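Algorithm validation is, at bottom, known-answer testing: the implementation is run over published test vectors and its output compared byte-for-byte with the expected digest, ciphertext, MAC or signature. The following is an added example (not SAIC's in-house tool and not part of the original page) of a small known-answer harness that reads the CAVP ".rsp" response-file layout used for the SHA short-message tests (a "[L = n]" header giving the digest length in bytes, then groups of "Len", "Msg" and "MD" lines). The two sample files embedded below are constructed by hand; their digests are the FIPS 180-2 example values for "abc" and the well-known digest of the empty message, and a third copy has one digit of an expected digest altered so the failure path is exercised.

```python
"""Known-answer test (KAT) harness for CAVP-style SHA ".rsp" files.

Added example, not a vendor or laboratory tool. The sample files below are
constructed by hand from the FIPS 180-2 "abc" examples and the digest of the
empty message.
"""
import hashlib
import re
from dataclasses import dataclass

# The "[L = n]" header gives the digest length in bytes and so selects the hash.
DIGEST_LEN_TO_ALG = {20: "sha1", 28: "sha224", 32: "sha256", 48: "sha384", 64: "sha512"}


@dataclass
class Vector:
    bit_len: int       # "Len = ..." in the file, in bits
    msg: bytes         # message to hash, already truncated to bit_len / 8 bytes
    expected_md: bytes # "MD = ..." in the file


def parse_rsp(text):
    """Return (algorithm name, [Vector, ...]) for one response file.

    '#' lines are comments. CAVP writes a zero-length message as 'Msg = 00',
    so the Len field, not the hex length, decides how many bytes are hashed.
    """
    alg = None
    vectors = []
    current = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[\s*L\s*=\s*(\d+)\s*\]", line)
        if header:
            alg = DIGEST_LEN_TO_ALG[int(header.group(1))]
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
        if "Len" in current and "Msg" in current and "MD" in current:
            bits = int(current["Len"])
            if bits % 8:
                raise ValueError("byte-oriented harness: Len must be a multiple of 8")
            msg = bytes.fromhex(current["Msg"])[: bits // 8]
            vectors.append(Vector(bits, msg, bytes.fromhex(current["MD"])))
            current = {}
    if alg is None:
        raise ValueError("missing [L = n] header")
    return alg, vectors


def run_kats(text):
    """Hash every vector; return (algorithm, number passed, [(bits, expected, got), ...])."""
    alg, vectors = parse_rsp(text)
    failures = []
    for v in vectors:
        got = hashlib.new(alg, v.msg).digest()
        if got != v.expected_md:
            failures.append((v.bit_len, v.expected_md.hex(), got.hex()))
    return alg, len(vectors) - len(failures), failures


# Constructed sample files in the CAVP layout (digests are FIPS 180-2 example values).
SHA256_RSP = """\
#  constructed SHA-256 ShortMsg sample
[L = 32]

Len = 0
Msg = 00
MD = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Len = 24
Msg = 616263
MD = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
"""

SHA1_RSP = """\
[L = 20]
Len = 24
Msg = 616263
MD = a9993e364706816aba3e25717850c26c9cd0d89d
"""

# Same as SHA256_RSP but the final hex digit of the "abc" digest is altered.
TAMPERED_RSP = SHA256_RSP.replace("f20015ad", "f20015ae")

if __name__ == "__main__":
    for name, text in (("sha256", SHA256_RSP), ("sha1", SHA1_RSP), ("tampered", TAMPERED_RSP)):
        alg, passed, failures = run_kats(text)
        print(f"{name}: {alg} {passed} passed, {len(failures)} failed {failures}")
```

The same pattern, with a different key set per file, covers the HMAC, AES and Triple DES response files; what the laboratory checks is exactly this byte-for-byte agreement, so running your own harness over the published vectors before submission removes most algorithm-level surprises.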

Cost

  • All FIPS 140-2 cost quotes are firm fixed price.
  • Discount FIPS 140-2 pricing is available to SAIC Common Criteria clients.

Schedule

SAIC CSTL has the ability to take on new work quickly. Our management approach utilizes a large number of expert evaluators and technical personnel who work on multiple projects. This approach enables us to begin new projects without waiting for current evaluations to be completed.

Documentation

FIPS 140-2 testing at any security level requires specific documentation from the vendor, including a Security Policy, User and Crypto Officer guidance, design documentation, design assurance evidence, mitigation of other attacks, and other information. SAIC can help you find the best strategy for creating these materials.

SAIC Acquires Atlan, Inc.

SAIC has acquired Atlan, Inc., a cybersecurity product testing firm that is a leading provider of Federal Information Processing Standard (FIPS) 140-2 and 201 validations.

Contact Us Today

For more information about our business solutions and capabilities, please contact us today.

How do I get my product tested?

Submit your product and documentation to the SAIC Cryptographic and Security Testing Laboratory (CSTL). The laboratory tests the module and analyzes your documentation for conformance to the FIPS 140-2 requirements. If the module conforms, the test report is forwarded to NIST's Cryptographic Module Validation Program (CMVP), which reviews it and issues the validation certificate.

What must I do to prepare?

The client seeking certification must submit the required documentation. Some of the client's existing product documentation may be appropriate but there are several documents that must be created by the client or a consultant. Many potential clients are surprised at the real work involved even when they have some of the required material.

What documentation is required?

The FIPS 140-2 documentation supplied by the client must give enough information to satisfy every applicable security requirement area of FIPS 140-2; some areas apply to hardware, some to software, and some to both. The documents typically required are:

  • Module source code (software and firmware)
  • Test case results
  • Non-proprietary Security Policy
  • User and Crypto Officer manuals
  • Module block diagram
  • Module design specification
  • Correspondence of the module to the Security Policy
  • Physical security summary
  • Design assurance (configuration management, delivery and operation, development)
  • Mitigation of other attacks

In addition, NIST requires a non-proprietary Security Policy for every validated module and publishes it alongside the validation certificate. A review of FIPS PUB 140-2, the Derived Test Requirements, and the Implementation Guidance will clarify the applicability and content of each documentation category.

What if I need help creating some or all of the required documentation?

During the initial assessment, the SAIC CSTL recommends the most economical way for your developers to produce documentation that fully satisfies the FIPS 140-2 requirements. We understand that this documentation is time-consuming, difficult, and costly to produce, and we provide strategies for assembling, preparing, or writing it.

What happens if my product fails?

SAIC is committed to helping vendors get through the validation process. However, sometimes the module or its documentation does not meet the requirements. If the module under evaluation does not pass the requirements for validation, SAIC will contact the client to discuss corrective action.

What is the cost of testing?

The cost depends on the security level required, completeness of available documentation, nature of the product (hardware vs. software), previous analysis and evaluation of versions of the product, and validation timeline. A cost recovery fee is also charged by NIST for the validation of cryptographic modules. Contact us to schedule a telephone conference, request a rough-order-of-magnitude quote, or a formal proposal.

How long does it take to get certified?

Laboratory testing itself depends on the required security level and averages between 30 and 90 days. Incomplete documentation, however, is a common source of delay, as is the availability of a NIST reviewer once the report is submitted. SAIC recommends planning for the total process to take one year.


© Science Applications International Corporation. All rights reserved. This page was printed from www.saic.com.