FIPS
Current NSS FIPS documentation:
NSS has completed FIPS 140 validation four times: 1997, 1999, 2002, and 2007.
On August 27, 2007, the NSS FIPS 140-2 level 2 certificate was issued.
On August 8, 2007, the NSS FIPS 140-2 level 1 certificate was issued.
Go to http://wiki.mozilla.org/FIPS_Validation for the plans and documentation of the recent NSS FIPS validation.
What is FIPS?
Federal Information Processing Standards Publications (FIPS PUBS) 140-1 and 140-2 are US government standards for implementations of cryptographic modules—that is, hardware or software that encrypts and decrypts data or performs other cryptographic operations. Additional FIPS standards govern cryptographic algorithms. Many products sold to the US government must comply with one or more of the FIPS standards. Some financial institutions informally consider FIPS validation an important seal of approval.
The FIPS standards for both cryptographic modules and cryptographic algorithms are maintained by the U.S. National Institute of Standards and Technology (NIST). NIST runs a Cryptographic Module Validation (CMV) Program that formally validates cryptographic modules for conformance to FIPS 140-1 or FIPS 140-2. FIPS validation under this program is a rigorous process that takes many months.
The NSS cryptographic module has been FIPS 140-1 validated under this program. Products that use NSS can highlight FIPS validation as a widely acknowledged indication of high standards and rigorous testing, especially if they are intended for use by federal agencies and financial institutions.
NIST Cryptographic Module Validation Program
NIST's Cryptographic Module Validation Program page is a good starting point for the various FIPS standards for cryptographic modules and algorithms, the testing requirements, implementation guidance, and validation lists.
The most important FIPS cryptographic standard is 140-1 or 140-2, which covers the security requirements for cryptographic modules. (140-2 is a replacement for 140-1. After May 25, 2002, NIST will only accept validation reports against 140-2.) Implementations of the cryptographic algorithms used by the cryptographic modules to meet the requirements of FIPS 140-1 or 140-2 also need to be validated against their respective FIPS standards.
FIPS Validation of the NSS Cryptographic Module
The FIPS validation status of the NSS cryptographic module can be verified with the validation lists on NIST's web site. The FIPS validation history of the NSS cryptographic module is summarized in chronological order in the table below. Scanned-in images of the validation certificates will be available soon.
| Module | Algorithm | Standard | Certificate |
| --- | --- | --- | --- |
| Netscape Security Module 1 | (ALG DES) v1.8, DES | FIPS 46-3, FIPS 81 | Certificate #6, 03/14/1997 |
| | (ALG 3 DES) v1.8, Triple DES | FIPS 46-3, FIPS 81 | Certificate #10, 07/02/1997 |
| | (ALG DSA) v 1.3, DSA & SHA-1 | FIPS 186-2 | Certificate #3, 03/26/1997 |
| Netscape Security Module 1.01 | (ALG DES) v1.9 DES | FIPS 46-3, FIPS 81 | Certificate #33, 07/09/1998; 09/11/1998. |
| | v1.9 (ALG 3 DES), Triple DES | FIPS 46-3, FIPS 81 | Certificate #34, 07/09/1998; |
| | (DSS v1.4; SHS v1.13), DSA & SHA-1 | FIPS 186-2 | Certificate #14, 07/29/1998, |
| Network Security Services, | DES | FIPS 46-3 and FIPS 81 | Certificate #133, 08/24/2001 |
| | Triple DES | FIPS 46-3 | Certificate #72, 08/24/2001 |
| | SHA-1 | FIPS 180-1 | Certificate #70, 11/06/2001 |
| | DSA | FIPS 186-2 | Certificate #52, 11/06/2001 |
| Network Security Services, | AES | FIPS 197 | Certificate #352, 01/2006 |
| | Triple DES | FIPS 46-3 | Certificate #410, 01/2006; Certificate #469, 10/2006 |
| | SHS (SHA-1, SHA-256, SHA-384, SHA-512) | FIPS 180-2 | Certificate #426, 01/2006 |
| | HMAC | FIPS 198 | Certificate #152, 01/2006 |
| | RNG | FIPS 186-2 with Change Notice 1 | Certificate #208, 06/2006 |
| | DSA | FIPS 186-2 with Change Notice 1 | Certificate #172, 06/2006 |
| | RSA (RSASSA-PKCS1-v1_5) | PKCS #1 v2.1 | Certificate #152, 06/2006 |
| | ECDSA | FIPS 186-2 with Change Notice 1 | Certificate #30, 06/2006; Certificate #37, 10/2006 |