Cryptographic Module Testing Laboratory
   HOME

TheInfoList



Click Here for Items Related To - Cryptographic Module Testing Laboratory
OR:
Cryptographic Module Testing Laboratory on:   [Wikipedia]   [Google]   [Amazon]

{{Short description, Computer security testing laboratory Cryptographic Module Testing Laboratory (CMTL) is an
information technology Information technology (IT) is a set of related fields within information and communications technology (ICT), that encompass computer systems, software, programming languages, data processing, data and information processing, and storage. Inf ...
(IT)
computer security Computer security (also cybersecurity, digital security, or information technology (IT) security) is a subdiscipline within the field of information security. It consists of the protection of computer software, systems and computer network, n ...
testing laboratory that is accredited to conduct cryptographic module evaluations for conformance to the
FIPS 140-2 The Federal Information Processing Standard Publication 140-2, (FIPS PUB 140-2), is a United States, U.S. government of the United States, government computer security standardization, standard used to approve Cryptographic module, cryptographic ...
U.S. The United States of America (USA), also known as the United States (U.S.) or America, is a country primarily located in North America. It is a federal republic of 50 states and a federal capital district, Washington, D.C. The 48 contiguous ...
Government A government is the system or group of people governing an organized community, generally a State (polity), state. In the case of its broad associative definition, government normally consists of legislature, executive (government), execu ...
standard. The
National Institute of Standards and Technology The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into Outline of p ...
(NIST)
National Voluntary Laboratory Accreditation Program The National Voluntary Laboratory Accreditation Program (NVLAP), administered by the National Institute of Standards and Technology (NIST) in USA, offers accreditation for testing and calibration laboratories across various fields. NVLAP evaluates ...
(NVLAP) accredits CMTLs to meet
Cryptographic Module Validation Program The Cryptographic Module Validation Program (CMVP) is a joint American and Canadian security accreditation program for cryptographic modules. The program is available to any vendors who seek to have their products certified for use by the U.S. G ...
(CMVP) standards and procedures. This has been replaced b
FIPS 140-2 and the Cryptographic Module Validation Program (CMVP)


CMTL requirements

These laboratories must meet the following requirements: * NIST Handbook 150, NVLAP Procedures and General Requirements * NIST Handbook 150-17 Information Technology Security Testing - Cryptographic Module Testing **NVLAP Specific Operations Checklist for Cryptographic Module Testing


FIPS 140-2 in relation to the Common Criteria

A CMTL can also be a
Common Criteria The Common Criteria for Information Technology Security Evaluation (referred to as Common Criteria or CC) is an international standard (International Organization for Standardization, ISO/International Electrotechnical Commission, IEC 15408) for co ...
(CC) Testing Laboratory ( CCTL). The CC and FIPS 140-2 are different in the abstractness and focus of evaluation. FIPS 140-2 testing is against a defined cryptographic module and provides a suite of conformance tests to four FIPS 140 security levels. FIPS 140-2 describes the requirements for cryptographic modules and includes such areas as
physical security Physical security describes security measures that are designed to deny unauthorized access to facilities, equipment, and resources and to protect personnel and property from damage or harm (such as espionage, theft, or terrorist attacks). Physi ...
,
key management Key management refers to management of Key (cryptography), cryptographic keys in a cryptosystem. This includes dealing with the generation, exchange, storage, use, crypto-shredding (destruction) and replacement of keys. It includes cryptographic ...
, self tests,
roles A role (also rĂ´le or social role) is a set of connected behaviors, rights, obligations, beliefs, and norms as conceptualized by people in a social situation. It is an expected or free or continuously changing behavior and may have a given indi ...
and services, etc. The standard was initially developed in 1994 - prior to the development of the CC. The CC is an evaluation against a
Protection Profile A Protection Profile (PP) is a document used as part of the certification process according to ISO/IEC 15408 and the Common Criteria (CC). As the generic form of a Security Target (ST), it is typically created by a user or user community and provi ...
(PP), or security target (ST). Typically, a PP covers a broad range of products. * A CC evaluation does not supersede or replace a validation to either FIPS 140-1, FIPS140-2 or
FIPS 140-3 The Federal Information Processing Standard Publication 140-3 (FIPS PUB 140-3) is a U.S. government computer security standard used to approve cryptographic modules. The title is ''Security Requirements for Cryptographic Modules''. Initial publica ...
. The four security levels in FIPS 140-1 and FIPS 140-2 do not map directly to specific CC EALs or to CC functional requirements. A CC certificate cannot be a substitute for a FIPS 140-1 or FIPS 140-2 certificate. If the operational environment is a modifiable operational environment, the operating system requirements of the
Common Criteria The Common Criteria for Information Technology Security Evaluation (referred to as Common Criteria or CC) is an international standard (International Organization for Standardization, ISO/International Electrotechnical Commission, IEC 15408) for co ...
are applicable at FIPS Security Levels 2 and above. * FIPS 140-1 required evaluated operating systems that referenced the
Trusted Computer System Evaluation Criteria Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. The TC ...
(TCSEC) classes C2, B1 and B2. However, TCSEC is no longer in use and has been replaced by the Common Criteria. Consequently, FIPS 140-2 now references the Common Criteria.
FIPS 140-2 The Federal Information Processing Standard Publication 140-2, (FIPS PUB 140-2), is a United States, U.S. government of the United States, government computer security standardization, standard used to approve Cryptographic module, cryptographic ...
or
FIPS 140-3 The Federal Information Processing Standard Publication 140-3 (FIPS PUB 140-3) is a U.S. government computer security standard used to approve cryptographic modules. The title is ''Security Requirements for Cryptographic Modules''. Initial publica ...
validation efforts can be in some parts reused in Common Criteria evaluations, specifically in areas related to
entropy source In computing, a hardware random number generator (HRNG), true random number generator (TRNG), non-deterministic random bit generator (NRBG), or physical random number generator is a device that random number generation, generates random numbers f ...
and cryptographic algorithms.


References


External links


List of CMTLs
from
NIST The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness. NIST's activities are organized into physical s ...
Computer security procedures Tests Cryptography