NIST SP800-29.pdf下载

Federal agencies, industry, and the public now rely on cryptography to protect information and communications used in critical infrastructures, electronic commerce, and other application areas. Cryptographic modules are implemented in these products and systems to provide cryptographic services such as confidentiality, integrity, non-repudiation and identification and authentication. Adequate testing and validation of the cryptographic module against established standards is essential for security assurance. Both Federal agencies and the public benefit from the use of tested and validated products. Without adequate testing, weaknesses such as poor design, weak algorithms, or incorrect implementation of the cryptographic module, can result in insecure products. On July 17, 1995, NIST established the Cryptographic Module Validation Program (CMVP) that validates cryptographic modules to Federal Information Processing Standard (FIPS) 140-1 Security Requirements for Cryptographic Modules, and other FIPS cryptography based standards. The CMVP is a joint effort between NIST and the Communications Security Establishment (CSE) of the Government of Canada. Products validated as conforming to FIPS 140-1 are accepted by the Federal agencies of both countries for the protection of sensitive information. Vendors of cryptographic modules use independent, accredited testing laboratories to test their modules. NIST’s Computer Security Division and CSE jointly serve as the validation authorities for the program, validating the test results. Currently, there are several National Voluntary Laboratory Accreditation Program (NVLAP) accredited laboratories that perform FIPS 140-1 compliance testing. These labs are listed at the web site: http://csrc.nist.gov/cryptval. As of January 2001 over 150 cryptographic modules from more than forty separate vendors have been validated through the program. The number of validated modules has nearly doubled each year of the program’s existence. The underlying philosophy of the CMVP is that the user community needs strong independently tested and commercially available cryptographic products. The CMVP must also work with the commercial sector and the cryptographic community to achieve security, interoperability and assurance. Directly associated with this philosophy is the goal of the CMVP to promote the use of validated products and provide Federal agencies with a security metric to use in procuring cryptographic modules. The testing performed by accredited laboratories provides this metric. Federal agencies, industry, and the public can choose products from the CMVP Validated Modules List and have confidence that the products meet the claimed level of security. The program validates a wide variety of modules including general encryption products, secure radios, Virtual Private Network (VPN) devices, Internet browsers, cryptographic tokens and modules that support Public Key Infrastructure (PKI). Currently, validation services are provided for FIPS 140-1 & 2, the Data Encryption Standard (DES and Triple DES), the Digital Signature Standard, the Secure Hash Standard, and the Skipjack Algorithm. The CMVP offers a documented methodology for conformance testing through a defined set of security requirements in FIPS 140-1&2 and other cryptographic standards. NIST developed the standard and an associated metric (the Derived Test Requirements for FIPS 140-1) to ensure repeatability of tests and equivalency in results across the testing laboratories. The five commercial laboratories provide vendors of cryptographic modules a choice of testing facilities and promotes healthy competition. (Note, there is no limit to the number of testing laboratories, and additional testing laboratories may be added to the program.)