Re: [Cfrg] On "non-NIST"

Watson Ladd <> Mon, 02 March 2015 16:08 UTC


On Mon, Mar 2, 2015 at 7:04 AM, Johannes Merkle
<> wrote:
> Watson Ladd wrote on 01.03.2015 at 00:41:
>>>>> Not "the", but "an". The reason is that NIST controls what can and cannot be given a FIPS-140 certification, and that certification is considered important both by companies who want to sell to the US Govt and companies that use their certification as a statement that "we did it right". If you make an HSM that uses an algorithm not allowed by NIST, you cannot get it certified in the CMVP regime. Thus, when NIST is slow to keep up with the best practices adopted by the community, it becomes a roadblock to deploying better crypto.
>>>> This is factually untrue: CMVP certified modules are permitted to
>>>> implement other algorithms: they just can't be in FIPS mode when those
>>>> are used.
>>> That sentence assumes a few things: an HSM that has multiple signing algorithms *and* a lab that would allow non-certified signing algorithms to be within the crypto module that gets the Level 2+ certification *and* the CMVP program allowing the lab's evaluations. To the best of my knowledge, this has never happened. (Disclaimer: NIST once paid me to become an expert on the CMVP process and how crypto vendors and labs dealt with it, but I have not kept my day-to-day knowledge of it up to date in recent years.)
>>> What you describe is quite common in devices that get Level 1 certifications, but it is not clear that something that normally is expected to have a Level 2+ validation, specifically like HSMs, would be able to do so.
>> Safenet's Luna SA Network-attached HSM claims FIPS 140-2 Level 3
>> certification and supports Brainpool. Granted, I only know about this
>> because it's the one Amazon provides and I had occasion to read the
>> documentation.
> The question is how much assurance of security you get by running the HSM in non-FIPS-Mode. I know of a different vendor
> of level 2 certified HSMs that use completely different firmware to support Brainpool curves. This practice makes it
> more difficult for customers to accept the HSM running in non-FIPS mode to support Brainpool.

No assurance at all. You don't receive that from FIPS validation
either: the specified testing is geared towards correctness of
calculation rather than withstanding adversaries. But as I'm sure you
are aware, there are separate certification schemes for Brainpool
curves. Absent official communication from NIST, we don't know how our
choice will impact actions they may or may not take in the future.

> --
> Johannes

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither Liberty nor Safety."
-- Benjamin Franklin