Welcome to the Acumen Security Blog

Archives for March 2015

CMVP RNG Transition

The CMVP has issued guidance for vendors regarding the upcoming RNG transition (http://csrc.nist.gov/groups/STM/cmvp/notices.html). For those who do not know, starting January 1, 2015, the “old” Deterministic Random Number Generator (ANSI X9.31 Appendix A.2.4 RNG) will no longer be considered an approved Deterministic Random Number Generator. At that point, the only approved Deterministic Random Number Generators will be the ones specified in SP 800-90A. The following is the guidance from the CMVP:


The Cryptographic Technology Group at NIST has confirmed the transition schedule for RNGs (e.g., the X9.31 RNG) provided in SP 800-131A. Accordingly, when the transition takes place the CMVP will proceed as follows:

  • Validated modules on the CMVP validation lists: The CMVP will move the X9.31 RNG listings from the approved to the non-approved line on all affected FIPS 140-2 module certificates. If after removing the RNGs from the approved line there is at least one remaining approved algorithm, the module certificate will not be revoked. A module transition note may also be provided, similar to the notes for the end-of-2013 algorithm transitions.
  • Modules on the CMVP queue
    • REVIEW PENDING or IN REVIEW: The laboratories/vendors will be asked to provide an updated submission that is fully compliant with the transition. Only compliant submissions will be validated.
    • COORDINATION: These module submissions will be handled like those in the REVIEW PENDING or IN REVIEW case.
    • FINALIZATION: These module submissions will be handled like already validated modules.
  • 1/2/4 SUBs for validated modules on the CMVP validation lists: When an updated Security Policy is submitted it will be required to comply with the transition.


This transition is being handled in a manner very similar to how other algorithm transitions have been handled in the past. For vendors that still have modules using ANSI X9.31 RNGs, now is the time to get the new RNGs into your products. The CMVP queue is about 6 months long, so time is running out.

It's here! The new NDcPP (and a number of others) are listed on the Common Criteria Portal

Congratulations to the Common Criteria community as a whole! On Friday, February 27, the first ever collaborative Protection Profiles (cPPs) were released publicly. These include:

  • collaborative Protection Profile for Full Drive Encryption – Encryption Engine v1.0
  • collaborative Protection Profile for Full Drive Encryption – Authorization Acquisition v1.0
  • collaborative Protection Profile for Stateful Traffic Filter Firewalls v1.0
  • collaborative Protection Profile for Network Devices v1.0

This is a very important step for the Common Criteria as a whole because these Protection Profiles represent the future of CC.

Acumen has taken an active part in the development of several of these PPs. In particular, we have been a part of the NDcPP iTC (international Technical Community) since its inception. While the overall structure of the cPP remains similar to that of the NIAP NDPP, there are a number of key differences that will likely necessitate changes in products that have been evaluated against the NIAP NDPP if they are also to be evaluated against the NDcPP. The following are examples of changes that may require development work on products seeking validation against the NDcPP:

  • Extensive updates to zeroization requirements, including read/verify requirements for most media
  • Requiring FIPS 186-4 for all asymmetric cryptography
  • Removing the option to use a simple hash as a software integrity update mechanism

As a first step for vendors, Acumen has performed an analysis comparing the NDcPP to the NIAP NDPP and created a White Paper (http://www.acumensecurity.net/ndpp-vs-ndcpp/) to help vendors prepare as schemes move away from validating against the NIAP NDPP and start validating against the NDcPP. The White Paper provides a description of the differences between PPs on an SFR by SFR basis.

We hope you find it helpful. If you have any questions or comments on the content of our paper, please stop by, call, or send us an email. We love to chat!

Also, if you are interested in the potential future direction of FIPS 140, don’t forget to check out our FIPS 140-2 vs ISO 19790 White Paper.

And finally, don’t forget to follow us on Twitter and like us on Facebook. We’ll keep you up-to-date on the ever-changing world of government certifications.