FIPS2009
NSS FIPS 140 2009 validation
Softoken is a component of NSS and has a separate version number. The version of softoken that was FIPS validated in 2009 is 3.12.4; it is included in NSS 3.12.4, NSS 3.12.5 and NSS 3.12.6. Binaries are available here.
April 2010: NSS Softoken has finished its validation (NSS Certs).
The current NSS FIPS validation is available here.
Platforms for 2009/2010
- Level 1
  - Windows XP Service Pack 2
  - Mac OS X 10.5
- Level 2
  - RHEL 5 x86 32 bit
  - RHEL 5 x86 64 bit
  - Solaris 10 64-bit SPARC v9
  - Solaris 10 32-bit SPARC v8+
  - Solaris 10 32-bit x86
  - Solaris 10 64-bit x86_64
Algorithms
The plan is to validate all FIPS-approved algorithms that NSS implements and that NIST has tests for. There are eight such algorithms.
Algorithms | Key Size | Modes | Certificates |
---|---|---|---|
TripleDES | KO 1,2,3 (56,112,168) | TECB(e/d; KO 1,2,3) | #822 NSS Extended ECC Build |
AES | 128/192/256 | ECB(e/d; 128,192,256) | #1127 NSS Extended ECC Build |
SHS (including all variants: SHA-1, SHA-256, SHA-384, and SHA-512) | SHA-1 (BYTE-only) | N/A | #1049 NSS Extended ECC Build |
HMAC | HMAC-SHA1, HMAC-SHA256, | KeySize < BlockSize, | #637 NSS Extended ECC Build |
DRBG | N/A | Hash_DRBG of NIST SP 800-90 | #17 NSS Extended ECC Build |
DSA | 512-1024 | PQG(gen)MOD(1024); | #367 NSS Extended ECC Build |
RSA | 1024-8192 | ALG[RSASSA-PKCS1_V1_5]; SIG(gen); SIG(ver); | #534 NSS Extended ECC Build |
ECDSA (Extended ECC) | 163-571 | PKG: CURVES( ALL-P ALL-K ALL-B ); | |
ECDSA (Basic ECC) | 256-521 | PKG: CURVES( ALL-P P-256 P-384 P-521 ); | |
Dependent Bugs
Bug | Description | Completed |
---|---|---|
Testing Lab
FIPS 140 Information
NIST Cryptographic Module Validation Program
NSS FIPS 140-2 Validation Docs
FIPS 140-2 Derived Test Requirements (DTR)
Vendor Information
NSS is actively supported and maintained by the following corporations:
Sun Microsystems, Inc.: http://www.sun.com/contact/
Red Hat, Inc.: http://www.redhat.com/about/contact/
Mozilla Foundation, Inc.: http://www.mozilla.org/contact/
Schedule
Milestone | Item | Deps | Time | Who | Completed |
---|---|---|---|---|---|
M1 | Initial Setup | ||||
1a | Choose validation Lab, approve costs, and sign NDA | all | all | Atlan | |
1d | Define Algorithms, Key Sizes and modes | ||||
M2 | Complete NSS 3.12 FIPS dependent bugs | ||||
M3 | Update documentation (numbers in parentheses refer to sections in FIPS documentation) | ||||
3a. | (1.0) Security policy, new algorithms | 1d | 2 wks | all | |
3b. | Generate annotated source tree (LXR -> HTML) | M2 | |||
3c. | (2.0) Finite State Machine | 3b | 3 wks | ||
3d. | (3.0/4.0) Cryptographic Module Definition | 3b | 2 wks | ||
3e. | (6.0) Software Security (rules-to-code map) | 3b | 2 wks | ||
3f. | (8.0) Key Management Generate 20K random #'s | | 1 day | | |
3g. | (9.0) Cryptographic Algs | 3a | 3 days | ||
3h. | (10.0) Operational Test Plan | | 1 day | | |
3i. | Document architectural changes between 3.2 and 3.11 | | 5 days | | |
M4 | Send docs to testing lab | ||||
4a. | Security Policy | all | |||
4b. | Finite State Machine | 3c | |||
4c. | Module Def. / rules-to-code | 3d,3e | |||
M5 | Operational validation | ||||
5a. | Algorithm testing | | 1 month | | |
5b. | Operational testing | 3h | 1 week | ||
5c. | Set up machines for the Lab to run operational tests on, and provide the Lab tech with access to the machines (last time we both sent a box to the lab and set up a temporary account in the intranet for them) | ||||
M6 | Internal QA of docs | M2-M5 | 1 week | all | |
M7 | Communication between NSS team / Lab / NIST about status of validation / algorithm certificates | M1-5 | 3-6 mos | all |