It is suggested folks take a very close look at the whole CMVP/CAVP Requirements Process [1], [2] to better understand what each requirement is and the implications to NIST / CST Lab / Vendor Resources and hence the timeline.
Brief comments inline to clarify/correct previous statements....
On Oct 10, 2011, at 11:30 AM, Link, Peter R. wrote:
William,
I know you'll be reading Shawn's response but your initial email announced information that was several months old. The website you found was simply a holding spot for tracking the approval status of encryption algorithms.
There is no concept of a holding spot for tracking the approval status of encryption algorithms - They pass or fail. What was referenced were the actual Algorithm Validation Certificates for all of the algorithms validated in a module which would then be submitted for Conformance Validation against FIPS 140-2 through CMVP. Many more _modes_ were covered here than were available in the CDSA/CSP Module Validation used in OS X 10.6.
AES - iPhone 4 - CommonCrypto
AES - iPad2 - CommonCrypto
TDES - iPone4 - CommonCrypto
TDES - iPad2 - CommonCrypto
RSA - iPone4 - CommonCrypto
RSA - iPad2 - CommonCrypto
ECDSA - iPone4 - CommonCrypto
ECDSA - iPad2 - CommonCrypto
SHS - iPone4 - CommonCrypto
SHS - iPad2 - CommonCrypto
DRBG - iPone4 - CommonCrypto
DRBG - iPad2 - CommonCrypto
HMAC - iPone4 - CommonCrypto
HMAC - iPad2 - CommonCrypto
That is important information to know. As for the time it takes for FIPS certification, that all depends on how well prepared the company is in delivering information to the Lab doing the testing.
1) Testing Lab delivers _Test Vectors_ to the Vendor for generating Responses
2) Vendor delivers _Vector Responses_ to the Testing Lab
3) Testing Lab provides results - Pass / Fail
You can use statistics to come up with a mean approval time but it also has a lot to do with the original request.
Algorithm validation uses the Vector Response provided by the Vendor -- Testing Lab processes in a few minutes.
The time it takes between Certification of Algorithms and Module Certification has far too many variables to draw that kind of conclusion.
Requests for approval of very simple mechanisms can go faster while something like Apple (OSX) FIPS certification is a much more involved process because the number of algorithms used is much more.
The number of algorithms does not directly correspond to longer validation times.
It is directly related to: CMVP Backlog, Complexity of the Cryptographic Module boundary, Validation v. Re-validation, etc...
The original Apple FIPS certification included more than a dozen (can't remember the exact number) algorithms combined into one huge module
CDSA/CSP Algorithms Validated
while, again if I remember correctly, the iPhone module is much smaller and uses far fewer encryption algorithms, therefore, the hope is it will receive FIPS certification quicker. Of course, we're talking about a government process so all bets are off......
iPhone / iPad (yes, two separate modules) actually covers less Algorithms, but many, many more 'modes' of some algorithms. Plus, iOS devices have Hardware involved which makes the boundary of the cryptographic module much larger. Neither of these factors really impacts the validation process time by much at all.
On Oct 10, 2011, at 8:01 AM, Mr. William G. Cerniuk wrote:
For racing fans, there may be value. It perhaps announces that the certification of the cryptographic module is closer to the potential finish line.
Validation of Algorithms does not indicate that the Module Validation is any closer to the finish line or not. Validation of Algorithms is a pre-requisite to achieving Module Validation. For your racing fans analogy, it would equate to the competition car passing pre-race inspection -- passed inspection just means it can now compete, but not that it is closer, per se, to the finish line.
Looking at the time between when an algorithm is certified to when the containing module is certified gives an idea of the range of time it takes to get the module (tire) on the 'information super highway' once the algorithm (tread design) is certified.
The time it takes between Certification of Algorithms and Module Certification has far too many variables to draw that kind of conclusion. One significant and unpredictable variable in the Module Certification time is the backlog (queue) that exists at NIST/CMVP for the review and approval of a module.
The CDSA/CSP module sat in a queue for ~6 months without any review. With products significantly changing every ~12/15 months, a process with a backlog like this is just not realistic with today's technology. FIPS 140-3 has been in DRAFT form since July 13, 2007.
For example, see on the algorithm certification page #1400, "Apple FIPS Cryptographic Module Version 1.0" The algorithm was certified 6/14/2010.
It is not "Algorithm", but rather "Algorithms" used within the module. Not all Algorithms in the module were FIPS Validated.
Then cross reference the FIPS certification #1514 for "Apple FIPS Cryptographic Module Version 1.0" certified on 03/09/2011.
Validation of the CDSA/CSP Cryptographic Module in Mac OS X 10.6 identified as - "Apple FIPS Cryptographic Module Version 1.0"
Note that neither Mac OS X nor its Apps/Services are FIPS 140-2 Validated, but rather the Crypto Module is validated. Applications and Services that use a FIPS 140-2 Conformance Validated Module can then claim compliance for the handling of sensitive data.
(links below) This is roughly 9 months from certification of the algorithm to certification of the module. The period between algorithm cert to module cert seems to be between 5 months to 11 months based upon a random sampling.
The time it takes between Certification of Algorithms and Module Certification has far too many variables to draw that kind of conclusion.
Cryptographic Module Validation Program : FIPS 140-1 and FIPS 140-2 Modules in Process List