Bloombase Cryptographic Module
National Institute of Standards and
Technology (NIST) Federal Information
Processing Standards (FIPS) 140-2
Certification
This technical white paper provides background information on NIST FIPS 140-2
certification and explains how Bloombase Cryptographic Module, the foundation of
Bloombase defense-in-depth security products, has achieved FIPS 140-2
validation and what that means to customers.
Table of Contents
Executive Summary
Validation Testing and Requirements
Cryptographic Module Validation Program (CMVP)
Bloombase CMVP Validated Cryptographic Module
Cryptographic Algorithm Validation Program (CAVP)
Bloombase CAVP Validated Cryptographic Cipher Algorithms
Conclusion
To Learn More
Bloombase Cryptographic Module NIST FIPS 140-2 Certification
Executive Summary
NIST FIPS 140-2 is one of many cryptographic standards maintained by the Computer Security Division of NIST, the
US National Institute of Standards and Technology.
NIST, in conjunction with the Canadian Communications Security Establishment (CSE), operates the Cryptographic
Module Validation Program (CMVP), through which security products are validated.
In addition, the Cryptographic Algorithm Validation Program (CAVP) encompasses validation testing for FIPS
approved and NIST recommended cryptographic algorithms and components of algorithms. Cryptographic algorithm
validation is a prerequisite to the Cryptographic Module Validation Program (CMVP). Again, the CAVP was
established by NIST and the Communications Security Establishment (CSE).
Validation Testing and Requirements
NVLAP accredited Cryptographic and Security Testing (CST) laboratories perform validation testing of cryptographic
modules. Cryptographic modules are tested against requirements found in FIPS 140-2, Security Requirements for
Cryptographic Modules. Cryptographic module validation testing is performed using the Derived Test Requirements
for FIPS PUB 140-2 document. The document lists all of the vendor and tester requirements for validating a
cryptographic module, and provides the basis of testing performed by the CST accredited laboratories.
Leidos, Inc., formerly Science Applications International Corporation (SAIC), was appointed by Bloombase to perform
testing and validation for both CMVP and CAVP.
Cryptographic Module Validation Program (CMVP)
Prior to May 25, 2002, commercial cryptographic modules were validated for conformance to FIPS 140-1, Security
Requirements for Cryptographic Modules. Effective May 26, 2002, this standard was superseded by FIPS 140-2,
Security Requirements for Cryptographic Modules. However, agencies may continue to purchase, retain and use FIPS
140-1 validated products after May 25, 2002.
FIPS 140-2 specifies the security requirements that will be satisfied by a cryptographic module utilized within a
security system protecting protected information.
The standard provides four increasing, qualitative levels of security: Level 1, Level 2, Level 3 and Level 4. These
levels are intended to cover the wide range of potential applications and environments in which cryptographic
modules may be employed.
The security requirements cover 11 areas related to the secure design and implementation of a cryptographic
module. These areas include:
Cryptographic module specification
Module ports and interfaces
Roles, services and authentication
Finite state model
Physical security
Cryptographic key management
Electromagnetic interference/electromagnetic compatibility (EMI/EMC)
Self-tests
Design assurance
Mitigation of other attacks
Operational environment
A FIPS 140-2 validation certificate is issued for each validated module.
An overall rating is issued for the cryptographic module, which indicates (1) the minimum of the independent ratings
received in the areas with levels, and (2) fulfillment of all the requirements in the other areas.
It is important for vendors and users of cryptographic modules to realize that the overall rating of a cryptographic
module is not necessarily the most important rating. The rating of an individual area may be more important than the
overall rating, depending on the environment in which the cryptographic module will be implemented (this includes
understanding what risks the cryptographic module is intended to address).
Bloombase CMVP Validated Cryptographic Module
Bloombase develops cryptographic products and subsystems which conform to the FIPS 140-2 standard. The
following have been validated under the CMVP as meeting the FIPS 140-2 version of the standard:
Cryptographic module specification: Level 1
Module ports and interfaces: Level 1
Roles, services and authentication: Level 1
Finite state model: Level 1
Physical security: N/A
Cryptographic key management: Level 1
Electromagnetic interference/electromagnetic compatibility (EMI/EMC): Level 1
Self-tests: Level 1
Design assurance: Level 1
Mitigation of other attacks: N/A
Operational environment: Level 1
Bloombase Cryptographic Module has been tested and validated with the built-in, security-hardened Bloombase OS
(formerly Spitfire OS) operating system. Overall, Bloombase Cryptographic Module achieved Level 1 for FIPS 140-2
certification.
Cryptographic Algorithm Validation Program (CAVP)
NIST certifies a list of industry standard cryptographic algorithms in its Cryptographic Algorithm Validation Program
(CAVP) including:
RSA/Digital Signature Standard (DSS): FIPS 186-2 and 186-3
Advanced Encryption Standard (AES): FIPS 197
Keyed-Hash Message Authentication Code (HMAC): FIPS 198
Secure Hash Algorithm Validation System (SHAVS): FIPS 180-3
Random Number Generator Validation System (RNGVS): FIPS 186-2
Bloombase CAVP Validated Cryptographic Cipher Algorithms
Bloombase Cryptographic Module supports a wide range of encryption cipher algorithms to meet the diverse
information security needs of organizational customers in their day-to-day business:
RSA
AES
XTS-AES
3DES
DES
Blowfish
Twofish
RC2
RC4
RC5
RC6
CAST5
CAST6
IDEA
Serpent
Skipjack
Camellia
SEED
ARIA
SM1
along with a number of one-way hash/digest algorithms:
SHA-1
SHA-2
MD5
SM3
Bloombase Cryptographic Module supports and has achieved the following CAVP certifications for its FIPS supported
cipher algorithms:
RSA:
o ANSI X9.31 (MOD: 2048, 3072, 4096)
o RSASSA-PKCS1_V1_5: (SIG: 2048, 3072, 4096 with SHS: SHA-256, SHA-384, SHA-512; SIG: 1024,
1536, 2048, 3072, 4096 with SHS: SHA-1, SHA-256, SHA-384, SHA-512)
AES:
o ECB (e/d; 128, 192, 256)
o CBC (e/d; 128, 192, 256)
o CFB8 (e/d; 128, 192, 256)
HMAC:
o HMAC-SHA1
o HMAC-SHA256
o HMAC-SHA384
o HMAC-SHA512
SHAVS:
o SHA-1
o SHA-256
o SHA-384
o SHA-512
RNGVS:
o ANSI X9.31 (AES-128Key, AES-192Key, AES-256Key)
Conclusion
Protection of a cryptographic module within a security system is necessary to maintain the confidentiality and
integrity of the information protected by the module. NIST FIPS 140-2 specifies the security requirements that will be
satisfied by a cryptographic module. FIPS 140-2 defines the baseline requirements and assessment of an encryption
product, which supports customers when selecting a product to fulfill their security needs. Specifically,
federal government agencies and departments require a product to be FIPS 140-2 certified as a basic requirement for
procurement.
Bloombase Cryptographic Module is the core building block of Bloombase information security products, delivering
unprecedented strong security encryption services with turnkey, application-transparent operation. The CMVP-certified
Bloombase Cryptographic Module with purpose-built CAVP-certified cryptographic algorithms enables
organizational customers to meet stringent security regulatory compliance requirements easily and cost-effectively.
Finally, Bloombase products currently undergoing FIPS 140-2 validation, if any, can be viewed at
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf.
To Learn More
1. Computer Security division of NIST, http://csrc.nist.gov/index.html
2. Cryptographic Module Validation Program (CMVP), http://csrc.nist.gov/cryptval/
3. Cryptographic Algorithm Validation Program (CAVP), http://csrc.nist.gov/groups/STM/cavp/
4. Leidos, Inc., https://www.leidos.com/
5. SAIC, http://www.saic.com/
6. FIPS 186-2, 186-3, http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf
7. FIPS 197, http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
8. FIPS 198, http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf
9. SHAVS, http://csrc.nist.gov/groups/STM/cavp/documents/shs/SHAVS.pdf
10. RNGVS, http://csrc.nist.gov/groups/STM/cavp/documents/rng/RNGVS.pdf
11. Bloombase Cryptographic Module CMVP FIPS 140-2 validation,
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1241
12. Bloombase Cryptographic Module FIPS 140-2 certificate,
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/140crt1241.pdf
13. Bloombase Cryptographic Module FIPS 140-2 validation security policy,
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1241.pdf
14. Bloombase Cryptographic Module CAVP for RSA,
http://csrc.nist.gov/groups/STM/cavp/documents/dss/rsanewval.html#496
15. Bloombase Cryptographic Module CAVP for AES,
http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html#1041
16. Bloombase Cryptographic Module CAVP for HMAC,
http://csrc.nist.gov/groups/STM/cavp/documents/mac/hmacval.html#583
17. Bloombase Cryptographic Module CAVP for SHA,
http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm#991
18. Bloombase Cryptographic Module CAVP for RNG,
http://csrc.nist.gov/groups/STM/cavp/documents/rng/rngval.html#591