
Centre for Applied Cryptographic Research workshop, Nov. 8, 1999

Third party evaluations of CA cryptographic implementations. Speakers: Les Biggs, Pat Lareau. November 8, 1999.


Presentation Transcript


  1. Centre for Applied Cryptographic Research workshop, Nov. 8, 1999
     Third party evaluations of CA cryptographic implementations
     Speakers: Les Biggs, Pat Lareau
     November 8, 1999

  2. What a cryptomodule provides the CA
     • Secure, trusted cryptographic services
     • Key and certificate management services
     • Physical protection of:
       • sensitive data (e.g. keys)
       • cryptographic and certificate management functions
     • Enforcement of the CA’s security policy

  3. What FIPS 140-1 certification provides the CA: Assurance
     • That the cryptomodule implements its security policy
     • That sound cryptographic processes are employed
     • That cryptographic processes are correctly implemented
     • That non-cryptographic processes are implemented as specified (optional)

  4. Critical areas addressed by FIPS 140-1
     • Key generation and management services
     • Algorithm security
     • Access control
     • Interface control
     • Physical protection for data and functions
     • "Health" monitoring mechanisms
     • EM emanations
     • Assurance that the design implements the spec

  5. FIPS 140-1 Security Levels (security increases from Level 1 to Level 4)
     • Level 4: Envelope protection, environmental protection, formal modeling
     • Level 3: Enhanced physical security, identity-based authentication
     • Level 2: Tamper evidence, role-based authentication
     • Level 1: Basic security requirements

  6. Evaluation vs. Verification vs. Certification
     • Evaluation
       • A self-guided examination of device characteristics by a tester with credentials acceptable to the sponsor
     • Verification
       • A self-guided process for verifying compliance to a standard by a tester with credentials acceptable to the sponsor
     • Certification
       • A formal, standardized testing process, performed by an accredited laboratory, to validate claimed compliance to an official standard

  7–10. Validation Process Steps (diagram, repeated across slides 7 to 10; labels as they appear)
     • Module Documentation
     • Physical Product
     • Validation Testing
     • Validation Plan
     • Report Generation
     • Submit Report to NIST/CSE

  11. Relative roles and positioning of FIPS 140-1 and CC in CA evaluations
     • FIPS is a detailed specification
     • CC provides a language for developing specifications
     • FIPS is a specific, detailed testing process
     • CC provides a process for developing test requirements

  12. Relative roles and positioning, cont’d
     • FIPS addresses core cryptographic requirements
     • CC addresses system-wide security objectives (may reference FIPS in the protection profile)
     • FIPS is mandated as an outgrowth of US federal law
     • CC is voluntary on an international scale

  13. Other critical CA processes may also be protected by the cryptomodule
     • Cryptomodule can be at the center of the CA, enforcing security rules
     • Cert database protection from modification and substitution
     • Secure, strong database access control
     • Secure database management
     • Secure, authenticated CA and database communications/exchanges

  14. FIPS 140-1 naturally extends to non-federal sectors
     • USPS
     • DOD
     • Banking
     • Point of sale/credit card
     • International support

  15. Snapshot program status
     • Number of certifications
     • Certifications by Level
     • Certification levels vs. Time
     • Physical configurations

  16. FIPS 140-1 Certifications

  17. Certifications by Level

  18. Certification Level Vs Time

  19. Physical Configuration

  20. Module cost
     • Levels 1 thru 3 gradually increase in cost
       • $100 to $800 range
     • Big jump at level 4
       • $2,000 range
     • Security levels should scale with CA’s level in the PKI

  21. What we want to leave with you today
     • FIPS is not just crypto, it is a way of thinking about a problem
     • FIPS cryptomodules can implement and protect more than crypto
     • What distinguishes FIPS from other processes
