Cryptographic Module Validation Program (CMVP)
FIPS 140-3 IG Announcements
[09-10-2024]
New Guidance:
- C.O Requirements for SP 800-208 HSS Vendor Affirmation
Updated Guidance:
- C.N Requirements for SP 800-208 schemes - Added reference to C.O for vendor affirming HSS.
[08-30-2024]
Updated Guidance:
- W.2 Hash Functions Acceptable for Use in the SP 800-90A DRBGs – IG Withdrawn.
- Editorial fix to correct numbering issues for several IGs.
[08-14-2024]
Updated Guidance:
- Editorial fix to correct Additional Comments not being numbered for several IGs.
[08-13-2024]
Updated Guidance:
- 10.3.A Cryptographic Algorithm Self-Test Requirements – Added self-test requirements for the Post Quantum Algorithms (PQC) specified in FIPS 203, FIPS 204, and FIPS 205. Added a general statement on the comparison test and removed references to the comparison and fault detection alternatives since they are impractical in most cases. Updated Additional Comment 1 to clarify when the PCT in the underlying standard is implemented. Clarified that the SP 800-90B health tests should be categorized as fault detection tests per AS10.34. Other minor editorial changes.
- C.I XTS-AES (SP 800-38E) Requirements on the Key – Name change to better reflect the topic covered by this IG.
[07-26-2024]
New Guidance:
- 1.A Binding and Embedding Cryptographic Modules
- C.M Legacy Algorithms
- C.N Requirements for SP 800-208 schemes
Updated Guidance:
- 2.3.C Processor Algorithm Accelerators (PAA) and Processor Algorithm Implementation (PAI) – Added Additional Comment #6 regarding ESV and PAI/PAAs.
- 2.4.B Tracking the Component Validation List – Improved the details for CVL tests and mapped them to the latest CAVP tests. Introduced usage restrictions for CVLs. Removed outdated Additional Comment 5 and moved Additional Comment 4 into the applicable Resolution of this IG.
- 9.3.A Entropy Caveats – Updated to require ESV when the source is within the OE, passive or not. Added Resolution 3 (therefore pushing the Hybrid case to Resolution 4) disallowing scenarios where the module does not have direct access to the entropy source’s GetEntropy() interface. Added related Additional Comments #9, #10, #11 and #12. Updated Additional Comment #4 to clarify that the claimed security strength of any approved algorithm may not be greater than 256 bits, which impacts the applicability of certain entropy caveats.
- 10.3.A Cryptographic Algorithm Self-Test Requirements – Moved Additional Comment #2 and #3 into the Resolution section. Labeled the ending requirements in the Resolution as “General CAST Requirements” and included numbered Notes.
- C.F RSA Approved Parameter Sizes in FIPS 186-5 – Name change and removal of Additional Comments #1, #2, and #3 to better reflect the topics this IG covers. Added a strong recommendation (but not requirement) regarding Miller-Rabin test requirements in the Resolution and adjusted the related Additional Comments #1 and #2 (were #4 and #5). Revised to target compliance with FIPS 186-5. Added a rationale for the FIPS 186-5 restrictions on the primes’ sizes. In the previous version of this IG, the RSA auxiliary prime size recommendations differed from those in the digital signature standard then in place (FIPS 186-4), and the IG had to justify the discrepancy.
- C.K Transition from FIPS 186-4 to FIPS 186-5 and SP 800-186 – Slight update to Additional Comment #2 to clarify when FIPS 186-5 CAVP tests are required.
- D.F Key Agreement Methods – Moved C.F Additional Comment #2 to D.F Additional Comment #12.
[03-26-2024]
Updated Guidance:
- 2.3.B Sub-Chip Cryptographic Subsystems – Small correction to the paragraph that references IG 9.5.A.
- 4.1.A Authorised Roles – Updated Additional Comment #8 to address certain module designs that claim Security Level 2 for section 7.4.
- 9.5.A SSP Establishment and SSP Entry and Output – Added footnote 6 to clarify sub-chip SSP establishment requirements.
- C.A Use of non-Approved Elliptic Curves – Removed erroneous reference to EdDSA from Resolution 5.
[01-29-2024]
Updated Guidance:
- 10.3.A Cryptographic Algorithm Self-Test Requirements – Added Note20 to clarify the TLS KDF self-test requirements.
- C.K Transition from FIPS 186-4 to FIPS 186-5 and SP 800-186 – Resolution 4: K and B curves will be included in the FIPS 186-5 testing. Resolution 6: Removed specific reference to P curves since ECDSA verification using K and B curves is also approved. Additional Comment 2: Clarified that mathematically equivalent FIPS 186-4 tests can claim FIPS 186-5 compliance.
- D.C References to the Support of Industry Protocols – Added Additional Comment #2 specifying that this IG includes the TLS 1.3 KDF CVL.
[11-22-2023]
Updated Guidance:
- 2.3.C Processor Algorithm Accelerators (PAA) and Processor Algorithm Implementation (PAI) – Added a few Known PAAs.
- 2.4.C Approved Security Service Indicator - Clarified the API example in the Resolution and added a related Additional Comment 5.
- 4.1.A Authorised Roles - Added “[for CSPs only]” in Background. Clarified in a. the exception applies when hashing data, not SSPs. Added a paragraph after the exceptions connecting authorization to authentication.
- 9.5.A SSP Establishment and SSP Entry and Output - Slight modification to the SK legend under Table 2.
- C.C The Use and the Testing Requirements for the Family of Functions defined in FIPS 202 - Removed the outdated Additional Comments.
- C.H Key/IV Pair Uniqueness Requirements from SP 800-38D - Changed “technique” to “scenario” in the beginning of the Resolution for consistency. Added leniency to the abort logic requirement in Scenario 3.
[08-01-2023]
Updated Guidance:
- D.B Strength of SSP Establishment Methods – Removed outdated text regarding how to document the SSP establishments on the certificate.
[07-25-2023]
New Guidance:
- 10.3.F Complete Image Replacement Versus Software/Firmware Loading
- C.K Transition from FIPS 186-4 to FIPS 186-5 and SP 800-186
- C.L SP 800-107 Requirements
Updated Guidance:
- 2.4.C Approved Security Service Indicator – Added Additional Comment #4 to clarify the applicability of example scenarios 1) and 3). Updated the first bullet after “IG clarifies AS02.24 by interpreting the following:” to align more closely with TE02.24.01 and TE02.24.02.
- 10.3.A Cryptographic Algorithm Self-Test Requirements – Added self-test requirements for FIPS 186-5 algorithms. Clarified self-test requirements for underlying approved algorithms used within a higher-level algorithm with examples. Added Additional Comment #3 on general self-test requirements. Some formatting and editorial changes.
- C.A Use of non-Approved Elliptic Curves - Removed Additional Comment #1 since the transition is now published. Revised Additional Comment #2 (now #1) to specify EdDSA status. Incorporated final draft guidance from IG C.K into Category 1a and 1b.
- D.G Key Transport Methods – Updated Additional Comment #4 to be consistent with WebCryptik and CAVP representation (e.g., KTS-IFC).
- D.F Key Agreement Methods – Updated Additional Comment #5 to clarify requirements for assurances. Updated KAS references to be consistent with WebCryptik and CAVP representation (i.e., KAS-ECC or KAS-FFC).
- Added reference to FIPS 186-5 in addition to or instead of FIPS 186-4. This resulted in minor admin changes (published date remained unchanged) to IGs:
  - 2.4.A Definition and Use of a non-Approved Security Function
  - 4.1.A Authorised Roles
  - D.B Strength of SSP Establishment Methods
  - D.D Elliptic Curves and the FFC Safe-Prime Groups in Support of Industry Protocols
- Updated to reference ESV. This resulted in minor admin changes (published date remained unchanged) to IGs:
  - D.J Entropy Estimation and Compliance with SP 800-90B
  - D.O Combining Entropy from Multiple Sources
[03-17-2023]
New Guidance:
- 10.2.A Pre-operational Integrity Technique Self-test
- 2.3.D Excluded Components
Updated Guidance:
- Entire IG – Updated FIPS 140-3 Management Manual references (several replaced by WebCryptik User’s Guide) and revalidation scenario references.
- W.1 Assurance of the Validity of a Public Key for SSP establishment – IG Withdrawn.
- 2.3.B Sub-Chip Cryptographic Subsystems – Updated Note 2 references to TE02.13.03. Removed porting guidance (moved to FIPS 140-3 Management Manual Section 7.1). Added Additional Comment #3 on validation status.
- 2.3.C Processor Algorithm Accelerators (PAA) and Processor Algorithm Implementation (PAI) – Fixed PAA/PAI bulleted examples.
- 4.1.A Authorised Roles – Added SP 800-90B under Resolution b. Added Additional Comments #6, #7, and #8.
- 5.A Non-Reconfigurable Memory Integrity Test – Added reference to TE02.03.02 in the Resolution.
- 9.3.A Entropy Caveats – Updated caveats to include “(e.g., keys)” in the SSP references.
- 10.3.A Cryptographic Algorithm Self-Test Requirements – Added SP 800-208 self-test requirements (Note: SP 800-208 algorithms can only be used in the approved mode if certified by the CAVP, once testing becomes available). Clarified that SP 800-90B self-tests are considered CASTs. Clarified self-test requirements for algorithms whose outputs vary for a given set of inputs. Added SSH KDF and IKE KDF self-tests when used within an approved KAS. Aligned vendor affirmed self-test guidance with FIPS 140-3 Management Manual. Updated Additional Comment #1 on the key-pair PCT requirements.
- C.H Key/IV Pair Uniqueness Requirements from SP 800-38D – Added references to DTLS 1.2 in Scenario 1.
- D.F Key Agreement Methods – Added Additional Comment #11 to clarify CVL KDF CAST requirements.
- D.H Requirements for Vendor Affirmation to SP 800-133 – Added Additional Comment #5 on CAST requirements.
- D.K Interpretation of SP 800-90B Requirements – Added headers to group the Resolutions and added Resolution 19 on full entropy. Added requirements when a DRBG is considered a conditioning component (updates to Resolution 5 and Resolution 7 Note 1).
- D.Q Transition of the TLS 1.2 KDF to Support the Extended Master Secret – Updated Additional Comment #1 on TLS 1.0 and TLS 1.1 KDFs and their transition when using the extended master secret.
[10-07-2022]
Updated Guidance:
- 2.3.C PAA and PAIs - Clarified the testing requirements when a module incorporates PAA or PAI functionality. Updated known PAA/PAIs.
- 9.3.A Entropy Caveats - Added Additional Comment #7 on claiming multiple scenarios from this IG, and added Additional Comment #8 on which scenarios require an entropy assessment report.
- C.F Approved Modulus Sizes for RSA Digital Signature - Clarified algorithm status and requirements for RSA Signature Verification for both FIPS 186-2 and FIPS 186-4.
[05-16-2022]
New Guidance:
- D.Q Transition of the TLS 1.2 KDF to Support the Extended Master Secret
- D.R Hash Functions Acceptable for Use in the SP 800-90A DRBGs
Updated Guidance:
- 3.4.A Trusted Channel – Removed Additional Comment #2 as this is appropriate for FIPS 140-2, but does not align with requirements of ISO/IEC 19790:2012 Section 7.9.5 and IG 9.5.A.
- 9.5.A SSP Establishment and SSP Entry and Output – Added parenthesis in Resolution to highlight the fact that there are differences in requirements between CSPs that are keys versus non-keys.
[03-14-2022]
Updated Guidance:
- 2.4.A Definition and Use of a non-Approved Security Function – Added “with no security claimed” to the examples subtitle for clarity. Small editorial change in the Resolution to reference the correct algorithm table in SP 800-140B. Added a footnote to MD5.
- 2.4.B Tracking the Component Validation List – Added vendor affirmation of a SRTP KDF implementation.
[11-05-2021]
New Guidance:
- D.P SP 800-56Crev2 One-Step Key Derivation Function Without a Counter
Updated Guidance:
- Added a space to all ENT entries so that they read ENT (P) or ENT (NP).
- 2.4.B Tracking the Component Validation List – Added references to SP 800-56Arev3 for the ECC-CDH primitive CVL in Resolution #1.
- 2.4.A Definition and Use of a non-Approved Security Function – Synchronized minor text in the Resolution to be consistent with IG 1.23 (FIPS 140-2). Clarified XOR example with a note. Added Additional Comment #2 to further clarify when a vendor can apply this IG.
- 10.3.A Cryptographic Algorithm Self-Test Requirements – Spelled out the ENT self-test requirements to avoid ambiguity.
- C.F Approved Modulus Sizes for RSA Digital Signature for FIPS 186-4 – Added Table 1 with a more relaxed upper bound limit and introduced supporting text including adding two new Additional Comments. Clarified the minimum number of the Miller-Rabin tests. Cleaned up old text in the Additional Comments.
- D.C References to the Support of Industry Protocols – Included guidance on the use of AES-CBC-MAC within OTAR.
- D.J Entropy Estimation and Compliance with SP 800-90B – Added Additional Comment #10 to clarify when other parties can write a lab’s entropy source description and its heuristic entropy analysis.
- D.L Critical Security Parameters for the SP 800-90A DRBGs – Added Additional Comment on the CTR_DRBG without a derivation function.
[08-30-2021]
New Guidance:
- 10.3.D Error Logging
- 10.3.E Periodic Self-Testing
- E.A Applicability of Requirements from SP 800-63B
Updated Guidance:
- 5.A Non-Reconfigurable Memory Integrity Test – Incorporated end of life procedures.
[05-04-2021]
New Guidance:
- 2.4.C Approved Security Service Indicator
- 9.7.B Indicator of Zeroization
- 10.3.C Conditional Manual Entry Self-Test Requirements
- 11.A CVE Management
- 12.A Mitigation of Other Attacks
- D.O Combining Entropy from Multiple Sources
Updated Guidance:
- 3.4.A Trusted Channel – clarified in the last bullet in Resolution 2 that the operator must stay in control over the physical path and prevent any unauthorized tampering.
- 4.1.A Authorised Roles - Clarified the requirements of the text “or other services that do not affect the security of the module”.
- 10.3.A Cryptographic Algorithm Self-Test Requirements – Updated to remain consistent with FIPS 140-2 IG 9.4. Also, clarified self-test rules around the PBKDF Iteration Count parameter.
- C.H Key/IV Pair Uniqueness Requirements from SP 800-38D - Removed Scenario 2’s second and fourth bullets and added the reasoning as Additional Comment #4.
- D.F Key Agreement Methods - Removed Additional Comment 10 since SP 800-56Arev3 testing is available and therefore vendor affirming to this standard is not permitted.
- D.G Key Transport Methods - Added “if applicable” for key confirmation under the first approved method.
- D.J Entropy Estimation and Compliance with SP 800-90B - Updated to align ENT references with that of IG D.O.
[09-21-2020]
The first release of the FIPS 140-3 Implementation Guidance document was published on September 21, 2020. This release incorporates 41 IGs, down from the 104 IGs currently in the FIPS 140-2 IG document. Many of the IGs were no longer required as they were incorporated into ISO/IEC 19790, ISO/IEC 24759, and the SP 800-140x documents. Many thanks to those who helped identify, draft, review, and publish this new CMVP document.
Created October 11, 2016, Updated October 02, 2024