Fabien Deboyser | certification engineer, Thales
In this blog, I will present a new and efficient approach to reconciling security vulnerabilities and FIPS 140 security certifications, led by Thales eSecurity in collaboration with NIST/CMVP and FIPS 140 evaluation laboratories.
A quick and efficient patch also needs a quick and efficient certification
To maintain security over a product’s lifetime, it is a best practice for companies to implement a vulnerability management process. In this process, a team of experts continually look for potential or known vulnerabilities, and measure the security impact on products. Ultimately, if a vulnerability is found in a product, the team delivers a security advisory to customers with a description of the vulnerabilities and a solution on how to correct it (usually a software update or organizational measures to mitigate the vulnerability risk).
While some vulnerabilities are found by the product manufacturer, a good number of them originate from the public world from sources such as the CVE database. This database is a public-facing registry that lists all security vulnerabilities found in products or libraries, and catalogs them using a unique identifier.
Public-facing vulnerabilities are very important for customers and vendors for two main reasons. First, customers have their product directly exposed to a wide range of attackers as soon as a vulnerability is disclosed publicly, and, in turn, their product is vulnerable until an update is available. Second, vendors need to provide quick and efficient updates to their products to effectively correct the vulnerability.
Concerning security certification, most solutions require a dedicated vulnerability management process, such as “flaw remediation” in Common Criteria or a “vulnerability management process” in PCI. Unlike CC and PCI, FIPS 140 historically did not have a dedicated vulnerability management process. As I highlighted during the International Cryptographic Module Conference in 2016 (ICMC 2016), missing such a requirement was a pain point for vendors and impactful for customers.
A collaborative approach as the key to success
Following ICMC 2016, the FIPS 140 Cryptographic Module User Forum (CMUF) decided to tackle the subject of improving the FIPS 140 security certification process and nominated me as the chair of the working group. We subsequently created the working group “Revalidation in Response to CVEs”.
The list of the working group members actively participating in this collaborative approach who enabled us to be successful were:
- Acumen Security - Ryan Thomas and Ashit Vora
- Atsec - Renaudt Nunez and Yi Mao
- CMVP/NIST - Carolyn French and Ryan Horan
- Cygnacom - Nithya Rachamadugu
- EWA - Richard Adams, John Kohnen and Jesse Wood
- Thales eSecurity - Fabien Deboyser (Chair)
The key element of success was the collaboration between the different players. Ultimately, this allowed us to solve an industry-facing problem working hand-in-hand with the FIPS 140 evaluation laboratories and the NIST/CMVP in charge of the FIPS 140 certification scheme.
In order to align the expectation and the way to resolve this sensitive problem, we first agreed on a mission statement which was defined as: “Updating FIPS 140 validation process to better integrate one or more CVE revalidation updates with a quick update, and create a dedicated entry point such as not to perform a full 3SUB.”
Although the original objective was to target public-facing vulnerabilities, the consensus within the group was to first focus our efforts on items listed in the CVE database.
After two years of collaboration, we finally submitted the Implementation Guidance section G.8 “Revalidation requirements” to NIST for approval. This guidance was officially updated in May 2018, with a new efficient, quick approach, as presented during ICMC 2018 with NIST/CMVP and Acumen Security.
What does it mean for our customers?
With our successful update of the FIPS 140 certification process, we are now in a position to better and more quickly address the certification process update when a product is subjected to a vulnerability that impacts the FIPS 140 security items.
The newly updated process will simplify re-certification under the following requirements:
- The update only concerns the vulnerability disclosed in the CVE and no conflict with FIPS 140 requirements
- If an algorithm implementation is impacted, then a new CAVP (algorithm testing) will be required
- There is no need to address new Implementation Guidance updates
- CVE can be mitigated by operational measures
- No certification fees and no certification duration extension granted
In order to demonstrate the effective correction of the module in regards to the CVE listed, the vendor will provide the updated software to the evaluation laboratory. The evaluation laboratory will then identify and test FIPS assertions as listed in the Implementation Guidance G.8 and also provide an update of the test report.
Future steps
Providing and maintaining security is a crucial aspect of our job, and while this update is very positive, we still believe there is room for improvement. As a result, we will continue to collaborate with NIST and the industry to introduce additional updates to the process.
In an effort to constantly be a leader in security and certification, here are some steps that we are currently undertaking at Thales eSecurity:
For the FIPS 140 security certification, we will revisit the needs of any update of the current process and amend, if needed, to consider public-facing vulnerabilities.
In October 2018, I will be present at the International Common Criteria Conference 2018 on the security vulnerability within Common Criteria and discuss different approaches to harmonize the certification response to security vulnerability.
Visit us to learn more about Thales product FIPS 140-2 certifications.
Have a comment or question? Comment below or send me a tweet @fabdelux