
Bloombase Cryptographic Module National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) 140-2 Certification

This Technical White Paper provides background information on NIST FIPS 140-2 certification, describes how Bloombase Cryptographic Module, which forms the foundation of Bloombase defense-in-depth security products, achieved FIPS 140-2 validation, and explains what this means to customers.


This document is for informational purposes only and may contain typographical errors and technical inaccuracies. The content is provided as is, without express or implied warranties of any kind.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, people and events depicted herein are fictitious and no association with any real company, organization, product, person or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Bloombase.

Bloombase may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Bloombase, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

This document is the property of Bloombase. No exploitation or transfer of any information contained herein is permitted in the absence of an agreement with Bloombase, and neither the document nor any such information may be released without the written consent of Bloombase.

© 2010 Bloombase, Inc. All rights reserved. Bloombase and its affiliates cannot be responsible for errors or omissions in typography or photography. Bloombase, Spitfire, StoreSafe are either registered trademarks or trademarks of Bloombase, Inc. in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Document No.: BLBS-TN-Bloombase-Cryptographic-Module-NIST-FIPS-140-2-Certification-USLET-EN-R2

Table of Contents

Table of Contents 3
Executive Summary 4
Validation Testing and Requirements 4
Cryptographic Module Validation Program (CMVP) 4
Bloombase CMVP Validated Cryptographic Module 5
Cryptographic Algorithm Validation Program (CAVP) 6
Bloombase CAVP Validated Cryptographic Cipher Algorithms 6
Conclusion 8
To Learn More 9

Bloombase Cryptographic Module NIST FIPS 140-2 Certification

Executive Summary

NIST FIPS 140-2 is one of many cryptographic standards maintained by the Computer Security Division of NIST, the US National Institute of Standards and Technology.

NIST, in conjunction with the Canadian Communications Security Establishment (CSE), operates the Cryptographic Module Validation Program (CMVP), through which security products are validated.

In addition, the Cryptographic Algorithm Validation Program (CAVP) encompasses validation testing for FIPS-approved and NIST-recommended cryptographic algorithms and components of algorithms. Cryptographic algorithm validation is a prerequisite to the Cryptographic Module Validation Program (CMVP). Like the CMVP, the CAVP was established by NIST and the Communications Security Establishment (CSE).

Validation Testing and Requirements

NVLAP-accredited Cryptographic and Security Testing (CST) laboratories perform validation testing of cryptographic modules. Cryptographic modules are tested against the requirements found in FIPS 140-2, Security Requirements for Cryptographic Modules. Cryptographic module validation testing is performed using the Derived Test Requirements for FIPS PUB 140-2 document, which lists all of the vendor and tester requirements for validating a cryptographic module and provides the basis of the testing performed by the accredited CST laboratories.

Leidos, Inc., formerly Science Applications International Corporation (SAIC), was appointed by Bloombase to perform testing and validation for both CMVP and CAVP.

Cryptographic Module Validation Program (CMVP)

Prior to May 25, 2002, commercial cryptographic modules were validated for conformance to FIPS 140-1, Security Requirements for Cryptographic Modules. Effective May 26, 2002, this standard was superseded by FIPS 140-2, Security Requirements for Cryptographic Modules. However, agencies may continue to purchase, retain and use FIPS 140-1 validated products after May 25, 2002.

FIPS 140-2 specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive information.

The standard provides four increasing, qualitative levels of security: Level 1, Level 2, Level 3 and Level 4. These levels are intended to cover the wide range of potential applications and environments in which cryptographic modules may be employed.

The security requirements cover 11 areas related to the secure design and implementation of a cryptographic module. These areas include:


- Cryptographic module specification
- Module ports and interfaces
- Roles, services and authentication
- Finite state model
- Physical security
- Cryptographic key management
- Electromagnetic interference/electromagnetic compatibility (EMI/EMC)
- Self-tests
- Design assurance
- Mitigation of other attacks
- Operational environment

A FIPS 140-2 validation certificate is issued for each validated module.

An overall rating is issued for the cryptographic module, which indicates (1) the minimum of the independent ratings received in the areas with levels, and (2) fulfillment of all the requirements in the other areas.

It is important for vendors and users of cryptographic modules to realize that the overall rating of a cryptographic module is not necessarily the most important rating. The rating of an individual area may be more important than the overall rating, depending on the environment in which the cryptographic module will be implemented (this includes understanding what risks the cryptographic module is intended to address).

Bloombase CMVP Validated Cryptographic Module

Bloombase develops cryptographic products and subsystems which conform to the FIPS 140-2 standard. The following have been validated under the CMVP as meeting the FIPS 140-2 version of the standard:

- Cryptographic module specification: Level 1
- Module ports and interfaces: Level 1
- Roles, services and authentication: Level 1
- Finite state model: Level 1
- Physical security: N/A
- Cryptographic key management: Level 1
- Electromagnetic interference/electromagnetic compatibility (EMI/EMC): Level 1
- Self-tests: Level 1
- Design assurance: Level 1
- Mitigation of other attacks: N/A
- Operational environment: Level 1

Bloombase Cryptographic Module has been tested and validated with the built-in, security-hardened Bloombase OS (formerly Spitfire OS) operating system. Overall, Bloombase Cryptographic Module achieved Level 1 FIPS 140-2 certification.

Cryptographic Algorithm Validation Program (CAVP)

NIST certifies a list of industry-standard cryptographic algorithms in its Cryptographic Algorithm Validation Program (CAVP), including:

- RSA/Digital Signature Standard (DSS): FIPS 186-2 and 186-3
- Advanced Encryption Standard (AES): FIPS 197
- Keyed-Hash Message Authentication Code (HMAC): FIPS 198
- Secure Hash Algorithm Validation System (SHAVS): FIPS 180-3
- Random Number Generator Validation System (RNGVS): FIPS 186-2

Bloombase CAVP Validated Cryptographic Cipher Algorithms

Bloombase Cryptographic Module supports a wide range of encryption cipher algorithms to serve the diverse information security needs of organizational customers in their day-to-day business:

- RSA
- AES
- XTS-AES
- 3DES
- DES
- Blowfish
- Twofish
- RC2
- RC4
- RC5
- RC6
- CAST5
- CAST6
- IDEA
- Serpent
- Skipjack
- Camellia
- SEED
- ARIA
- SM1

along with a number of one-way hash/digest algorithms:

- SHA-1
- SHA-2
- MD5
- SM3


Bloombase Cryptographic Module supports and has achieved the following CAVP certifications for its FIPS-supported cipher algorithms:

- RSA:
  o ANSI X9.31 (MOD: 2048, 3072, 4096)
  o RSASSA-PKCS1_V1_5: (SIG: 2048, 3072, 4096 with SHS: SHA-256, SHA-384, SHA-512; SIG: 1024, 1536, 2048, 3072, 4096 with SHS: SHA-1, SHA-256, SHA-384, SHA-512)
- AES:
  o ECB (e/d; 128, 192, 256)
  o CBC (e/d; 128, 192, 256)
  o CFB8 (e/d; 128, 192, 256)
- HMAC:
  o HMAC-SHA1
  o HMAC-SHA256
  o HMAC-SHA384
  o HMAC-SHA512
- SHAVS:
  o SHA-1
  o SHA-256
  o SHA-384
  o SHA-512
- RNGVS:
  o ANSI X9.31 (AES-128Key, AES-192Key, AES-256Key)
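The practical consequence of the two lists above is that a module can support far more algorithms than it has validated: DES, RC4 and MD5 appear in the supported list, but only the AES modes, HMAC variants, SHA digests and RSA parameters in the CAVP list carry certificates. The following added example (written for this page, not Bloombase's code) shows how the "Self-tests" requirement area and the validated algorithm set fit together in a FIPS 140-2 style approved mode: power-on known-answer tests (KATs) run before any service is offered, a KAT failure puts the module into an error state that refuses all requests, and every service call is checked against the validated set. The `FipsModule` class, its method names and the rule that the error state blocks all services are assumptions for illustration; the approved sets are copied from the CAVP list above, and the known-answer vectors are the FIPS 180 example digests of the message "abc", which the paper does not reproduce.

```python
"""Added example, not Bloombase's code: a minimal FIPS 140-2 style approved-mode
gate combining power-on known-answer self-tests with an approved-algorithm check.
Class and method names are hypothetical; the approved sets follow the CAVP list
in the paper, and the KAT vectors are the FIPS 180 "abc" example digests."""
import hashlib
import hmac

# Approved set copied from the paper's CAVP list. Algorithms the module merely
# *supports* (DES, RC4, MD5, ...) are outside this set and must be refused.
APPROVED_DIGESTS = {"sha1", "sha256", "sha384", "sha512"}
APPROVED_MACS = {"HMAC-SHA1": "sha1", "HMAC-SHA256": "sha256",
                 "HMAC-SHA384": "sha384", "HMAC-SHA512": "sha512"}
APPROVED_CIPHERS = {("AES", mode, bits)
                    for mode in ("ECB", "CBC", "CFB8")
                    for bits in (128, 192, 256)}

# Known-answer vectors: FIPS 180 example digests of b"abc" (taken from the
# standard, not from the paper).
KAT_VECTORS = {
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    "sha384": ("cb00753f45a35e8bb5a03d699ac65007272c32ab0eded1631a8b605a43ff5bed"
               "8086072ba1e7cc2358baeca134c825a7"),
    "sha512": ("ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
               "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"),
}


class FipsModule:
    """Hypothetical module wrapper: runs KATs at power-on, then gates services."""

    def __init__(self, vectors=KAT_VECTORS):
        self.error_state = False
        self.failed_tests = []
        self.power_on_self_test(vectors)

    def power_on_self_test(self, vectors):
        # Each approved digest is exercised against its known answer before any
        # service is offered. One mismatch moves the module into the error
        # state, in which no cryptographic output is produced.
        self.failed_tests = [name for name, expected in vectors.items()
                             if hashlib.new(name, b"abc").hexdigest() != expected]
        self.error_state = bool(self.failed_tests)
        return not self.error_state

    def _check_ready(self):
        if self.error_state:
            raise RuntimeError(
                f"module in error state; failed KATs: {self.failed_tests}")

    def digest(self, algorithm, data):
        self._check_ready()
        if algorithm not in APPROVED_DIGESTS:
            raise ValueError(f"{algorithm} is not in the CAVP-validated set")
        return hashlib.new(algorithm, data).hexdigest()

    def mac(self, algorithm, key, data):
        self._check_ready()
        if algorithm not in APPROVED_MACS:
            raise ValueError(f"{algorithm} is not in the CAVP-validated set")
        return hmac.new(key, data, APPROVED_MACS[algorithm]).hexdigest()

    def cipher_allowed(self, name, mode, key_bits):
        # Policy check for the symmetric side: only validated
        # algorithm/mode/key-size triples pass, so AES-GCM or RC4 do not.
        self._check_ready()
        return (name, mode, key_bits) in APPROVED_CIPHERS


if __name__ == "__main__":
    module = FipsModule()
    print("self-test passed:", not module.error_state)
    print("AES-CBC-256 allowed:", module.cipher_allowed("AES", "CBC", 256))
    print("RC4 allowed:", module.cipher_allowed("RC4", "STREAM", 128))
    try:
        module.digest("md5", b"abc")
    except ValueError as exc:
        print("rejected:", exc)
```

The `vectors` parameter exists so the error-state path can be exercised: feeding a deliberately wrong expected digest makes the power-on test fail, after which every service raises rather than silently falling back to an unvalidated implementation. That fail-closed behaviour, and the refusal of anything outside the validated set, is what distinguishes an approved mode from a module that merely contains approved algorithms.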

Conclusion


Protection of a cryptographic module within a security system is necessary to maintain the confidentiality and integrity of the information protected by the module. NIST FIPS 140-2 specifies the security requirements that will be satisfied by a cryptographic module. FIPS 140-2 defines the baseline requirements and assessment of an encryption product, which supports customers when selecting a product to fulfill their security needs. Specifically, federal government agencies and departments require a product to be FIPS 140-2 certified as a basic requirement for procurement.

Bloombase Cryptographic Module is the core building block of Bloombase information security products, delivering strong encryption services with turnkey, application-transparent operation. The CMVP-certified Bloombase Cryptographic Module, with purpose-built CAVP-certified cryptographic algorithms, enables organizational customers to meet stringent security regulatory compliance requirements easily and cost-effectively.

Finally, Bloombase products currently undergoing FIPS 140-2 validation, if any, can be viewed at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf.

To Learn More

1. Computer Security Division of NIST, http://csrc.nist.gov/index.html
2. Cryptographic Module Validation Program (CMVP), http://csrc.nist.gov/cryptval/
3. Cryptographic Algorithm Validation Program (CAVP), http://csrc.nist.gov/groups/STM/cavp/
4. Leidos, Inc., https://www.leidos.com/
5. SAIC, http://www.saic.com/
6. FIPS 186-2, 186-3, http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf
7. FIPS 197, http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
8. FIPS 198, http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf
9. SHAVS, http://csrc.nist.gov/groups/STM/cavp/documents/shs/SHAVS.pdf
10. RNGVS, http://csrc.nist.gov/groups/STM/cavp/documents/rng/RNGVS.pdf
11. Bloombase Cryptographic Module CMVP FIPS 140-2 validation, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1241
12. Bloombase Cryptographic Module FIPS 140-2 certificate, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/140crt1241.pdf
13. Bloombase Cryptographic Module FIPS 140-2 validation security policy, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1241.pdf
14. Bloombase Cryptographic Module CAVP for RSA, http://csrc.nist.gov/groups/STM/cavp/documents/dss/rsanewval.html#496
15. Bloombase Cryptographic Module CAVP for AES, http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html#1041
16. Bloombase Cryptographic Module CAVP for HMAC, http://csrc.nist.gov/groups/STM/cavp/documents/mac/hmacval.html#583
17. Bloombase Cryptographic Module CAVP for SHA, http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm#991
18. Bloombase Cryptographic Module CAVP for RNG, http://csrc.nist.gov/groups/STM/cavp/documents/rng/rngval.html#591