|Pre-Conference Workshops (W) on Nov 4. Plenary Sessions (P) on Nov 5, followed by 4 tracks:||Certification Programs Track (C) Issues related to the CMVP, government programs and policy||General Technology Track (T) Tools and techniques relating to cryptographic modules||Advanced Technology Track (A) High-level technology issues, or special-focus subject matter||User Experience Track (U) Information of interest to the cryptographic module end-user|
November 4, 2015
- 08:00 - 09:00Registration
- 09:00 - 12:15Pre-Conference Workshops
How Not To Do a FIPS 140 Project (W01a) Steve Weingart, Manager of Public Sector Certifications, Aruba Networks; Chris Keenan, Evaluator, Gossamer Security Solutions Breaking into Embedded Devices: Side Channel Analysis (W01b) Jasper Van Woudenberg, CTO North America, Riscure GlobalPlatform—Addressing Unique Security Challenges through Standardization (W01c) Kevin Gillick, Executive Director, GlobalPlatform; Hank Chavers, Technical Program Manager, GlobalPlatform; Philip Hoyer, Director of Strategic Innovation, HID Global, and Identity Task Force Chair, GlobalPlatform; Alexander Summerer, Technology Consultant, Giesecke & Devrient, and Secure Element Access Control Working Group Chair, GlobalPlatform
- 12:15 - 13:15Lunch
- 13:15 - 16:30Pre-Conference Workshops
Validating a Virtual Module Without Guidance From CMVP (W02a) Steve Ratcliffe, TME, Cisco Systems; Speaker TBD Breaking into Embedded Devices: Fault Injection (W02b) Jasper Van Woudenberg, CTO North America, Riscure Exhibitor Setup at 16:00
November 5, 2015
- 08:00 - 09:00Registration
- 09:00 - 10:30Plenary Keynote Session
Keynote Presentation on Current Issues in Cryptography (P11a) Phil Zimmermann, Creator of PGP, Co-founder, Silent Circle Keynote Presentation: Cryptography, Moore’s Law, and Hardware Foundations for Security (P11b) Paul Kocher, President, Chief Scientist, Cryptography Research Keynote Presentation: Department of Defense Cybersecurity (P11c) Marianne Bailey, Principal Director, Deputy CIO for Cybersecurity, Department of Defense
- 10:30 - 11:00Break in Exhibits (Exhibits Open)
- 11:00 - 11:45Track Sessions
Certification Programs Track General Technology Track Advanced Technology Track Accreditation, Validation and Recognition based on ISO Standards (C12) Randall Easter, NIST
The future in International Standards for cryptographic module testing and how to participate in their development. Let’s also talk about a new International scheme for cryptographic module testing.
Effective Cryptography—Or: What's Wrong With All These Crypto APIs? (G12) Thorsten Groetker, CTO, Utimaco
We’ll talk about implementing cryptographic algorithms in software, while overcoming the shortcomings of the likes of PKCS#11 and JCE
Quantum Computing and Its Impact (A12) David Cornwell, Lead Engineer, Booz Allen Hamilton
You'll learn about which FIPS 140 algorithms are “quantum safe” and which ones are not.
- 11:45 - 12:30Track Sessions
The Next Steps Toward A Scalable International Cryptographic Evaluation Process (C13) Clint Winebrenner, Technical Lead, Product Certifications Security & Trust Organization, Cisco
We'll propose how we can work together influence an internationally acceptable cryptographic algorithm validation process.
The Entropy Bogeyman (G13) Edward Morris, Co-Founder, Gossamer Security Solutions; Khai Van, Security Tester, Gossamer Security Solutions
Entropy doesn’t matter. Okay… maybe it does, but to what extent?
Extending Derived Credential Use to Support S/MIME Even with Medium-Hardware Protected Credentials (A13) Issam Andoni, Chief Technology Architect/Owner, Zeva Inc.
We’ll review a solution that allows mobile device users to securely read encrypted email by extending the use of derived credentials rather than smart card credentials.
- 12:30 - 13:45Lunch in ExhibitsSponsored by CMUF Face-to-Face Meeting Twinbrook Room
- 13:45 - 14:30Track Sessions
Legacy Random Number Generators (RNGs) (C14) Zhiqiang (Richard) Wang, CSTL Lab Technical Director, Leidos; William Tung, Senior Security Evaluation Analyst, Gemalto
Many legacy RNGs (Random Number Generators) won’t be permitted in FIPS mode after 2015. We'll talk about how to prepare for this change.
The What, Why, and How of Tokenization (G14) Peter Helderman, Principal Consultant, UL
Tokenization: from complementing cryptography to being a part of cryptographic operations.
A Look into Hard Drive Firmware Hacking (A14) Khai Van, Security Tester, Gossamer Security Solutions
This presentation will dissect a firmware hack, examine the procedure, and review the implications on consumers. We will also explore possible future safeguards against these attacks as this story progresses.
- 14:30 - 15:15Track Sessions
Proposed Changes for a Long-Overdue Revision of FIPS 140-2 (C15) Francisco Corella, Founder & CTO, Pomcor; Karen Lewison, CEO, Pomcor
ISO 19790:2012 has been suggested as a candidate to succeed FIPS 140-2, but it only makes incremental changes. We propose three substantial changes that should be incorporated into a revised standard.
SP 800-131A Transitions and Related Implementation Guidance (G15) Allen Roginsky, Mathematician, NIST; Apostol Vassilev, Cybersecurity Expert, Computer Security Division, NIST
We'll review the status of the cryptographic algorithms and key sizes that are subject to the NIST transition and will announce the future transition steps.
Improved Approaches to Online Health Testing in SP800-90 RNGs (A15) David Johnston, Hardware Security Architect, Intel
This presentation will address the current suite of standards for the validation of cryptographic algorithms and modules and those that are in development.
- 15:15 - 15:45Break in Exhibits
- 15:45 - 16:30Track Sessions
Adding to the Approved List of Algorithms (C16) Kelvin Desplanque, TME—Government Certification CoGS—Canada, Cisco Systems
Occasionally someone in the vendor community will find a method for extending either the efficiency or security of a new mode of a particular algorithm on the FIPS Approved List. This presentation will describe the journey that follows.
SP800-90B: Analysis of Linux /dev/random (G16) Stephan Mueller, Principal Consultant and Evaluator, atsec information security
We will present test approaches that allows /dev/random with the entropy pools and the events feeding into these pools to be observed at runtime.
Test Vector Leakage Assessment (TVLA) for Side Channel Analysis in Conformance Testing Scenario (A16a) Gilbert Goodwill, Senior Principal Engineer, DPA Software and Training Lead, Cryptography Research
This presentation provides updates to the side-channel testing methodology in a validation setting, including SHA-256 and guidance.(A16b) Steve Weymann, Security Engineer, InfoGard Laboratories
Is side channel testing practical in conformance testing scenarios? We'll look at one lab's experience using the emerging TVLA approach.
- 16:30 - 17:15Track Sessions
CMVP Programmatic Status (CMVP) (C17) Carolyn French, ITS Engineer, CSE; Michael Cooper, IT Specialist, NIST; Apostol Vassilev, Cybersecurity Expert, Computer Security Division, NIST
This presentation will discuss the status of the CMVP, including some of the challenges, successes, and directions for development.
Enough Entropy? Justify It! (G17) Yi Mao, Principal Consultant, atsec information security
This presentation will review various mathematical definitions of Entropy, and present some examples of how the entropy assessment can be performed on commonly used seed sources.
Low-Cost Side Channel Attacks on Smartphones and Embedded Devices using Software Defined Radios (A17) Gabriel Goller, Giesecke & Devrient
I will show how to break an asymmetric cryptographic algorithm with side-channel weaknesses running on a smartphone or an embedded device using only a DVB-T stick and self-built sensors.
- 17:15 - 18:30Reception in Exhibits
November 6, 2015
- 08:30 - 09:00Registration (Exhibits Open)
- 09:00 - 09:45Track Sessions
Certification Programs Track General Technology Track End User Experience Track CSfC Program and its FIPS 140-2 Requirements (C21) Matt Keller, VP, Corsec Security
We'll explain how FIPS 140-2 validation and adherence to Suite B will impact a vendor’s ability to be listed on the CSfC Components List.
Repetition Count Test (G21) Jason Tseng, Project Control Analyst, Leidos; Michael Powers, Security Assurance Engineer, Leidos
This presentation will discuss the new proposed Repetition Count Test (RCT), how it may be beneficial to vendors to implement an RCT, as well as the FIPS 140-2 requirements behind a CRNGT for NIST Special Publication 800-90A Deterministic Random Bit Generators (DRBGs).
Commonly Accepted Keys and CSPs Initiative (U21) Ryan Thomas, FIPS 140-2 Program Manager, CGI Global Labs
This presentation will focus on an initial list of Industry Protocols such as TLS, SSH, SNMP and IPsec, RADIUS, Key Derivation Protocols such as 802.11i, and algorithms such as Diffie-Hellman, EC Diffie-Hellman and SP 800-90A DRBG.
- 09:45 - 10:30Track Sessions
What is Suite-B Cryptography and How Does it Relate to Government Certifications? (C22) Anthony Busciglio, Co-Founder, Laboratory Manager, Acumen Security
This presentation will provide a high-level introduction to Suite-B, discusses how it applies to commonly certified cryptographic protocols.
Roadmap to Testing of New Algorithms (CAVP) (G22) Sharon Keller, Computer Scientist, NIST; Apostol Vassilev, Cybersecurity Expert, Computer Security Division, NIST
This presentation will discuss the evolution of the CAVP with the testing of newly adopted approved cryptographic algorithms.
FIPS is FIPS, Real World is Real World and Never the Twain Shall Meet? (U22) Ashit Vora, Co-Founder and Laboratory Director, Acumen Security
This presentation will cover the evolution of FIPS 140-2, discuss some egregious requirements that may be irrelevant or harmful to modern crypto systems, and provide recommendations on remediation.
- 10:30 - 11:00Break in Exhibits
- 11:00 - 11:45Track Sessions
Introduction on the Commercial Cryptography Scheme in China (C23) Di Li, atsec information security
We've heard a lot about CMVP and FIPS 140-2, this time let's see what is happening in China and what we can do to join the game.
Entropy Estimation by Example (G23) David Cornwell, Lead Engineer, Booz Allen Hamilton
We will review the fundamentals of entropy estimation, statistical tests of SP 800-90, and the NIST entropy tool. We will provide specific examples of the entropy estimation of data streams and keys.
Collateral Damage—Vendor and Customer Impact of Frequent Policy Changes (U23) Joshua Brickman, Director, Security Evaluations, Oracle; Glenn Brunette, Senior Director and Chief Technologist, Cybersecurity, Oracle
This talk will demonstrate examples highlighting how continuous changes to policies can have a major impact on a product’s lifecycle from development to certification and ultimately to sales and support.
- 11:45 - 12:30Track Sessions
FIPS 140 Quo Vadis? (C24) Apostol Vassilev, Cybersecurity Expert, Computer Security Division, NIST
It takes a village—industry, labs, CMVP, government agencies—to respond well to the incredibly fast evolving challenges in cybersecurity and cryptography.
Importance of Open Source to the Cryptographic Module Community (G24) Chris Brych, Senior Principal Security Analyst, Oracle
After almost 10 years, the time is coming that OpenSSL distributions will not contain any FIPS support. We’ll look at the history of the OpenSSL project, why OpenSSL FIPS support is important, and discuss concerns in the near future.
Learning From Each Other and Our Mistakes (U24) Terrie Diaz, Product Certification Engineer, Cisco Systems; Edward Morris, Co-Founder, Gossamer Security Solutions
We will examine how the FIPS 140-2 and Common Criteria certification schemes intersect, support one another, are (to some degree) synergistic, and could remain so.
- 12:30 - 13:30Lunch in Exhibits
- 13:30 - 14:15Track Sessions
Cryptographic Validation Requirements and the Common Criteria (ISO/IEC 15408) (C25) Kirill Sinitski, Common Criteria Evaluator & Quality Coordinator, CygnaCom
For anyone who is interested in the Common Criteria this presentation may lessen the pain of meeting requirements.
Challenges in Generating Keys for Asymmetric-Key Algorithms (G25) Allen Roginsky, Mathematician, NIST
We will review the approved methods for key generation for RSA and other asymmetric-key algorithms, the risks, the attacks, the implementation and testing issues.
FIPS140-Testing: You Want My What? (U25) Valerie Fenwick, Software Engineering Manager, Oracle; Hai-May Chao,, Principal Software Engineer, Solaris Security Technologies Group, Oracle
Algorithm testing and IGs—what your customers don't know won't hurt them?
- 14:15 - 15:00Track Sessions
NIST & NIAP Working Together (C26) Janine Pedersen, Director, National Information Assurance Partnership (NIAP); Michael Cooper, IT Specialist, NIST
NIST and NIAP are collaborating to streamline evaluations—leveraging commonalities to gain efficiencies. This presentation will discuss progress to date and plans for the future.
What is My Operational Environment? (G26) Swapneela Unkule, atsec information security
Attendees will understanding operational environment for algorithm vs module validation.
Validating Encryption: The Bottleneck in Security Innovation (U26) Ray Potter, CEO, SafeLogic; Walter Paley, Director of Marketing, SafeLogic
True or False: Validating encryption allows the US Federal government to deploy the best, most cutting-edge technology in a secure way?
- 15:00 - 15:30Break in Exhibits (Exhibits Close at 3:30)
- 15:30 - 16:15Summary Panel Discussion
Impact of Draft CMVP Policy Changes on Industry (P27) Moderator: Marcus Streets, Product Director High Security Products, Good Technology Panelists: Douglas Gebert, Enterprise Architect, HP Enterprise; Michael Cooper, IT Specialist, NIST; Tammy Green, Senior Principal Security Architect, Blue Coat Systems; Laurie Mack, Director Security & Certifications, Gemalto
Recently, NIST requested public comment on a proposal to use the ISO/IEC 19790:2014 Security Requirements for Cryptographic Modules standard as the U.S. Federal Standard for cryptographic algorithm and cryptographic module testing, conformance, and validation activities, replacing the standards currently specified by FIPS 140-2. With the period for public comment ending just prior to ICMC15, there will be much to discuss about this proposed shift. These industry experts will explore the issue in a moderated discussion with plenty of opportunity for audience Q&A. Don’t miss it.