FIPS 140-3 Compliance Overview

Questions and Answers

What is required if the IUT relies on the EVM for one or more FIPS 140-3 requirements?

The EVM must be fully tested before IUT validation.

The IUT submission must demonstrate compliance without being non-compliant to any other requirements. (correct)

The IUT must independently meet all FIPS 140-3 requirements.

The IUT cannot utilize any external modules.

Regarding the relationship between the IUT and EVM, what is true about their operational environments?

The IUT and EVM must operate on different tested environments.

The IUT's environment must be more secure than that of the EVM.

The tested environments must be the same or one must be within the other's. (correct)

The IUT can operate in any environment without restrictions.

What must be considered when moving or establishing sensitive security parameters (SSPs) between the IUT and EVM?

The boundaries must comply with ISO/IEC 19790:2012 specified sections. (correct)

The EVM's parameters take precedence over those of the IUT.

Only the IUT's boundaries are relevant for SSP handling.

No special considerations apply, as SSPs are interchangeable.

What is a requirement regarding the security level of the EVM when bound to the IUT?

The EVM must be at least as high as the IUT for most FIPS 140-3 sections.

What is true about the revalidation of the EVM during the IUT validation process?

The EVM does not need to be tested again during IUT validation.

What happens if an IUT is submitted for validation while the associated EVM has moved to the historical list?

The IUT will also become historical once validation is completed.

Which of the following requirements must be fulfilled if the EVM security level is lower than that of the IUT?

The lab/vendor must demonstrate the EVM meets the higher security level requirements.

What is a critical limitation for a FIPS 140-3 IUT regarding FIPS 140-2 EVMs?

An IUT cannot embed or bind to a FIPS 140-2 EVM.

During IUT submission to the CMVP, which of the following is essential for the EVM status?

The EVM status must be Active.

What must an IUT do to use an EVM service or algorithm in its documentation after an algorithm transition?

Only use EVM services that are approved at the time of IUT submission.

Study Notes

Software, Firmware, and Hybrid Modules

• IUT (Implementation Under Test) and EVM (Evaluated Virtual Machine) must operate in identical or nested operational environments during testing.
• If IUT relies on EVM to fulfill FIPS 140-3 requirements, the test report must clearly demonstrate compliance without violating other FIPS requirements.
• Boundaries between IUT and EVM need careful delineation; reliance on external controls must not introduce non-compliance.

Sensitive Security Parameters

• Sensitive security parameters (SSPs) shifted between IUT and EVM must comply with specific ISO/IEC standards concerning secure entry and establishment.
• The movement of SSPs across cryptographic boundaries necessitates strict adherence to security protocols to maintain security integrity.

EVM Testing Requirements

• EVM does not require retesting during IUT validation; however, the IUT must undergo comprehensive testing.
• For bound modules, EVM must be equal to or exceed IUT's security level across all FIPS sections, with exceptions for "Mitigation of Other Attacks".

Historical Status and Submission Requirements

• Historical validation status of EVM is inherited by the IUT if EVM is moved to a historical list; a module can also become historical due to algorithm transitions.
• EVM must maintain an Active status during IUT submission to the CMVP (Cryptographic Module Validation Program).
• IUT cannot embed or bind to a FIPS 140-2 EVM, ensuring all components are FIPS 140-3 compliant.

Algorithm Certificate Testing

• Algorithms in PAA (Primary Application Area) and PAI (Policy Application Interface) environments must be tested for approval from both software/firmware and PAA/PAI perspectives.
• Hybrid modules support only PAA/PAI or can be classified as software/firmware if tested with and without PAA/PAI.

Module Testing Approaches

• Testing for modules can be conducted with options that include:
  • Validating both modes (with PAA/PAI and without) on the same operational environment.
  • Testing a hybrid module with PAA/PAI across all operational environments supported, ensuring all combinations are validated.

RSA Signature Generation Testing

• The RSASP1 component of RSA must be tested for all modulus lengths where CAVP (Cryptographic Algorithm Validation Program) testing is applicable, particularly for 2048, 3072, and 4096-bit lengths.

ECDSA Signature Generation

• ECDSA signature generation may use pre-hashed messages to streamline the process, following protocols established in FIPS 186-5.
• It emphasizes that no additional hashing should occur during the ECDSA signing to maintain consistency.

Key Derivation Functions (KDF)

• KDFs from various standards (IKEv1, IKEv2, TLS, etc.) must be employed strictly within their designated protocols to ensure proper functionality.
• Each KDF is assigned a specific algorithm/mode/revision combination for identification within the CAVP framework.

TLS 1.3 Key Derivation

• The TLS 1.3 KDF, based on established NIST-approved standards, is validated under specific sections, ensuring that the functions align with contemporary cryptographic requirements.

Description

This quiz covers the essential aspects of FIPS 140-3 compliance, focusing on the interaction between the Implementation Under Test (IUT) and the Evaluation Measurement Module (EVM). Understanding the operational environments and requirements applicable to software, firmware, and hybrid modules is crucial for ensuring compliance. Test Report submissions are also discussed.