<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Draft of FIPS186-3 released for public comment</title>
	<atom:link href="http://d-kriptik.com/blog/2006/03/15/draft-of-fips186-3-released-for-public-comment/feed/" rel="self" type="application/rss+xml" />
	<link>http://d-kriptik.com/blog/2006/03/15/draft-of-fips186-3-released-for-public-comment/</link>
	<description>Bridging the technology gap between techies and everyone else.</description>
	<lastBuildDate>Mon, 29 Mar 2010 23:39:43 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Quickies &#8211; FIPS 186-3 etc., other notes, metro, etc. &#171; D-kriptik Blog</title>
		<link>http://d-kriptik.com/blog/2006/03/15/draft-of-fips186-3-released-for-public-comment/comment-page-1/#comment-69388</link>
		<dc:creator>Quickies &#8211; FIPS 186-3 etc., other notes, metro, etc. &#171; D-kriptik Blog</dc:creator>
		<pubDate>Wed, 30 Sep 2009 15:55:11 +0000</pubDate>
		<guid isPermaLink="false">http://d-kriptik.com/blog/2006/03/15/draft-of-fips186-3-released-for-public-comment/#comment-69388</guid>
		<description>[...] commented on an early draft here and mentioned a later draft [...]</description>
		<content:encoded><![CDATA[<p>[...] commented on an early draft here and mentioned a later draft [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ray Potter</title>
		<link>http://d-kriptik.com/blog/2006/03/15/draft-of-fips186-3-released-for-public-comment/comment-page-1/#comment-440</link>
		<dc:creator>Ray Potter</dc:creator>
		<pubDate>Fri, 17 Mar 2006 03:56:51 +0000</pubDate>
		<guid isPermaLink="false">http://d-kriptik.com/blog/2006/03/15/draft-of-fips186-3-released-for-public-comment/#comment-440</guid>
		<description>Here&#039;s my take on the questions above:

1. When will this become a law? Will there be a transition period? What will be the impact to my DSA, RSA, ECDSA implementation?


This will become effective after NIST has finalized the draft and completed additional due diligence through cryptanalysis. There will likely be a transition period (just as there was one for the withdrawal of DES). Modules with existing 186-2 implementations will not be affected; their FIPS 140-1 or 140-2 certificates will remain valid. It will mean that product vendors will need to incorporate the new implementation via custom coding or incorporation of a crypto lib. 


2. What will this mean to FIPS 140 validations where digital signatures are involved? Will it affect products already validated? Will it affect validation efforts in process? How will it affect future validation efforts?

It won&#039;t affect currently validated modules. Depending on the transition/implementation timelines, it may affect those in process. Watch the NIST CMVP site for details on transition periods.


3. Does this impact algorithm testing efforts?

NIST CMVP will likely require algorithm testing through the CAVP to verify conformance. As the standard is finalized, NIST will provide this guidance. 


4. You mentioned additional rigor in the CMVP - is that really true? Are FIPS 140-2 validations becoming more intensive? Will a FIPS 140-3 validation be more effort than a FIPS 140-2 validation?

As FIPS 140-2 has evolved through implementation guidance, one could make the argument that validations have become more rigorous. One could also make the argument that FIPS 140-2 validations have become cleaner and less subjective because of the increase in guidance and precedence. YMMV  


5. Speaking of FIPS 140-3, any news on this front? If it is coming down the pipe soon, should I hold off FIPS 140 validation until it is ready, or should I do the opposite and avoid the kinks/rigor of FIPS 140-3?

Contact the CMVP. There are many rumors floating around, and it&#039;s best to take guidance from either an accredited lab or (preferably) from NIST CMVP directly. Whether you should validate under 140-2 now or wait for 140-3 comes down to basic principles of customer demand and business case. Every situation is unique. Do your due diligence. That&#039;s essentially how I advise my clients anyway (of course, with much more detail and formal evaluation and strategic plans, but this is no place to advertise). If I were still running the program at Cisco, I know what I would do...


Andrew, feel free to correct me or add other insights...</description>
		<content:encoded><![CDATA[<p>Here&#8217;s my take on the questions above:</p>
<p>1. When will this become a law? Will there be a transition period? What will be the impact to my DSA, RSA, ECDSA implementation?</p>
<p>This will become effective after NIST has finalized the draft and completed additional due diligence through cryptanalysis. There will likely be a transition period (just as there was one for the withdrawal of DES). Modules with existing 186-2 implementations will not be affected; their FIPS 140-1 or 140-2 certificates will remain valid. It will mean that product vendors will need to incorporate the new implementation via custom coding or incorporation of a crypto lib. </p>
<p>2. What will this mean to FIPS 140 validations where digital signatures are involved? Will it affect products already validated? Will it affect validation efforts in process? How will it affect future validation efforts?</p>
<p>It won&#8217;t affect currently validated modules. Depending on the transition/implementation timelines, it may affect those in process. Watch the NIST CMVP site for details on transition periods.</p>
<p>3. Does this impact algorithm testing efforts?</p>
<p>NIST CMVP will likely require algorithm testing through the CAVP to verify conformance. As the standard is finalized, NIST will provide this guidance. </p>
<p>4. You mentioned additional rigor in the CMVP &#8211; is that really true? Are FIPS 140-2 validations becoming more intensive? Will a FIPS 140-3 validation be more effort than a FIPS 140-2 validation?</p>
<p>As FIPS 140-2 has evolved through implementation guidance, one could make the argument that validations have become more rigorous. One could also make the argument that FIPS 140-2 validations have become cleaner and less subjective because of the increase in guidance and precedence. YMMV  </p>
<p>5. Speaking of FIPS 140-3, any news on this front? If it is coming down the pipe soon, should I hold off FIPS 140 validation until it is ready, or should I do the opposite and avoid the kinks/rigor of FIPS 140-3?</p>
<p>Contact the CMVP. There are many rumors floating around, and it&#8217;s best to take guidance from either an accredited lab or (preferably) from NIST CMVP directly. Whether you should validate under 140-2 now or wait for 140-3 comes down to basic principles of customer demand and business case. Every situation is unique. Do your due diligence. That&#8217;s essentially how I advise my clients anyway (of course, with much more detail and formal evaluation and strategic plans, but this is no place to advertise). If I were still running the program at Cisco, I know what I would do&#8230;</p>
<p>Andrew, feel free to correct me or add other insights&#8230;</p>
]]></content:encoded>
	</item>
</channel>
</rss>

