Welcome to the Acumen Security Blog

We’re Accredited!

Acumen Security is very excited and proud to announce that we have successfully completed NVLAP accreditation to become a Cryptographic and Security Testing Laboratory (CSTL). This achievement represents not only months of effort by our team to work through the rigorous accreditation process but also the culmination of years of experience within the industry as both a certification lab and a product vendor. Without each unique set of experiences, we are confident that our accreditation would not have gone as smoothly as it did.

We are looking forward to now being able to help companies not only prepare and strategize for their product certifications but also test and provide the certification services themselves. And this is just the beginning; look for more announcements in the coming months as we add to our available services. Up next: Common Criteria Test Lab accreditation. And now for the details:

NVLAP Lab Code: 201029-0

Date of accreditation: June 9, 2014

Scope of accreditation:

  • [17BCS]  Basic Cryptographic and Security Testing
  • [17CAV]  Cryptographic Algorithm Validation Testing
  • [17CAV/01]  NIST – Cryptographic Algorithm Validation System (CAVS) for all FIPS-approved and NIST-recommended security functions as required in FIPS PUB 140-2 Annex A (and all superseded versions)
  • [17CMH1]  Cryptographic Modules – Hardware 1 Testing (FIPS 140-2 or successor, Security Level 1 to 3)
  • [17CMH1/01]  All test methods in accordance with FIPS 140-1, except those listed in 17CMH2/01
  • [17CMH1/02]  All test methods in accordance with FIPS 140-2, except those listed in 17CMH2/02 and CAVS
  • [17CMS1]  Cryptographic Modules – Software 1 Testing (FIPS 140-2 or successor, Security Level 1 to 3)
  • [17CMS1/01]  All test methods in accordance with FIPS 140-1, except those listed in 17CMS2/01
  • [17CMS1/02]  All test methods in accordance with FIPS 140-2, except those listed in 17CMS2/02 and CAVS
  • [17CMS2]  Cryptographic Modules – Software 2 Testing (FIPS 140-2 or successor, Security Level 4 and above)
  • [17CMS2/01]  Test methods for Software Security Level 4, in accordance with FIPS 140-1
  • [17CMS2/02]  Test methods for Software Security Level 4, in accordance with FIPS 140-2

Thank you to everyone for all of their support and encouraging words as we have progressed through the accreditation. Now it’s time to get to work!

 

SP 800-52r1 and its impact on FIPS 140-2 certifications

Special Pub 800-52 revision 1 was published at the end of April (April 28th) and is a pretty good document to enhance the reader’s understanding of the Transport Layer Security (TLS) protocol, the various steps involved in TLS tunnel establishment, the cipher suites supported and best practices for certificate validation. I would highly recommend that readers of this blog also read through the document to gain an understanding of TLS or to get a refresher.

The reason to write this blog post though is to point out a requirement in the document that can have a pretty significant impact on current and future FIPS 140-2 validations (and potentially Common Criteria evaluations within the US scheme).

Section 3.1 states that TLS 1.1 is the minimum TLS version that can be configured on servers deployed in Federal government networks (with some caveats). TLS 1.0 (which is the most prevalent version and is currently allowed by FIPS 140-2) is not allowed. Moreover, starting January 1, 2015, TLS 1.2 is the only version that will be allowed. Below is the relevant snippet from the special pub:

Servers that support government-only applications shall be configured to support TLS 1.1, and should be configured to support TLS 1.2. These servers shall not support TLS 1.0, SSL 2.0, or SSL 3.0. TLS versions 1.1 and 1.2 are represented by major and minor number tuples (3, 2) and (3, 3), respectively. Agencies shall develop migration plans to support TLS 1.2 by January 1, 2015.
Servers that support citizen or business-facing applications shall be configured to support version 1.1 and should be configured to support version 1.2. These servers may also be configured to support TLS version 1.0 in order to enable interaction with citizens and businesses. These servers shall not support SSL version 3.0 or earlier. If TLS 1.0 is supported, the use of TLS 1.1 and 1.2 shall be preferred over TLS 1.0.
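
The version rules in the excerpt above can be checked mechanically against the results of a protocol scan. The following Python sketch is an added example, not code from SP 800-52r1 or from Acumen; the profile names "government" and "citizen", the function names and the sample bytes are assumptions made for illustration, and the ServerHello parsing applies to TLS 1.2 and earlier only.

```python
# Wire (major, minor) tuples; (3, 2) and (3, 3) are the ones named in the quoted text.
SSL2, SSL3, TLS10, TLS11, TLS12 = (2, 0), (3, 0), (3, 1), (3, 2), (3, 3)


def server_hello_version(record: bytes) -> tuple:
    """Extract server_version from a raw ServerHello record (TLS 1.2 and earlier)."""
    # Record header: type(1) version(2) length(2); handshake: type(1) length(3) version(2)
    if len(record) < 11 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a TLS ServerHello record")
    return (record[9], record[10])


def check_server(profile: str, supported: set, selected: tuple = None) -> list:
    """Return (severity, message) findings for a 'government' or 'citizen' server.

    supported: versions the server accepted during a scan.
    selected:  version it chose when the client offered TLS 1.2 as its maximum.
    """
    if profile not in ("government", "citizen"):  # hypothetical profile names
        raise ValueError("unknown profile")
    findings = []
    if TLS11 not in supported:
        findings.append(("SHALL", "TLS 1.1 is not supported"))
    if TLS12 not in supported:
        findings.append(("SHOULD", "TLS 1.2 is not supported"))
    banned = {SSL2: "SSL 2.0", SSL3: "SSL 3.0"}
    if profile == "government":
        banned[TLS10] = "TLS 1.0"  # only citizen/business-facing servers may keep it
    for version, name in sorted(banned.items()):
        if version in supported:
            findings.append(("SHALL", name + " must not be supported"))
    # Where TLS 1.0 is permitted, TLS 1.1 and 1.2 must still be preferred over it.
    newer = supported & {TLS11, TLS12}
    if profile == "citizen" and newer and selected == TLS10:
        findings.append(("SHALL", "TLS 1.0 was selected over a newer version"))
    return findings


# Constructed sample: first 11 bytes of a ServerHello answering with version (3, 1).
SAMPLE_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x31, 0x02, 0x00, 0x00, 0x2D, 0x03, 0x01])

if __name__ == "__main__":
    chosen = server_hello_version(SAMPLE_HELLO)
    for finding in check_server("citizen", {TLS10, TLS11}, chosen):
        print(finding)
```
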

This is a significant requirement should CMVP start enforcing this restriction as part of FIPS 140-2 validations. TLS 1.1 support is not very prevalent. Support for TLS 1.2 is even less prevalent, and January 1st is not very far away.

Acumen is contacting CMVP to receive clarification on their stance regarding TLS versions allowed in FIPS mode of operation going forward. We will update this post once we receive any information from the CMVP. In the meantime, our strong recommendation would be to put support of TLS 1.2 into your development plan. It will not only head off any sudden change in requirements from CMVP but also help in Common Criteria evaluation (TLS 1.2 is the only version that supports the Suite B class of crypto algorithms and is something that NIAP also wants to move to ASAP).
Bottom Line: Don’t change any plans for in-flight evaluations; however, put TLS 1.2 on the immediate product roadmap as an insurance policy and for future-proofing.

Update 6/18/14: We heard back from NIST and all is good. They have indicated that SP 800-52r1 is a recommendation for TLS deployment for Federal agencies; however, FIPS 140-2 will continue allowing TLS v1.0 as long as the implementation uses FIPS-approved cryptographic algorithms/primitives. The reasoning given is that FIPS validation is for approved algorithms and not necessarily the protocols.

The above update notwithstanding, Acumen’s recommendation in the original post still stands. Given where the security industry is going, and the requirement for Suite B crypto in a number of national security accounts, it would make eminent sense to start implementing TLS 1.2 in future product releases. Please feel free to leave a comment or send email to info(at)acumensecurity(dot)net if you have any questions.