Presentations by Topic

This presentation will introduce the major test technology development trends of KCMVP. Korea has been operating its own cryptographic module validation system since 2005 and has been conducting tests based... Read More

This presentation will introduce the new Canadian Centre for Cyber Security (CCCS or Cyber Centre), a branch of the Communication Security Establishment (CSE). We’ll focus on who we are in... Read More

This presentation will provide the latest from the CMVP: from new and updated Implementation Guidance to lab accreditation changes, and all initiatives in between.

The CCUF would like to present an update on their activities.

NIST is working in close collaboration with the industry to address the shortcomings of the NIST Cryptographic Validation Programs and improve the efficiency and effectiveness of cryptographic module testing in... Read More

Description TBA.

This presentation will give a very brief introduction to Arm Platform Security Architecture (though that is a separate submission) and then explains why Arm have decided to introduce a new... Read More

The FIDO Alliance, a 250+ member association developing specifications and certification programs for simpler, stronger authentication, announced back in March 2018 the expansion of its certification program to include multi-level... Read More

We are becoming increasingly ‘digitally dependent’, with connectivity spanning from our Edge devices, through the Fog and into the Cloud, helping us to manage every aspect of our personal, business... Read More

This presentation will discuss the following problems: * Not all certification levels fit * How do you include HW/SW/Edge/Cloud? * Patching security issues * How do you re-use from 1... Read More

Description TBA

Mandated in 2018, eIDAS (electronic IDentification, Authentication and trust Services) is an EU regulation defining standards for electronic signatures, qualified digital certificates, electronic seals, timestamps and other proof of authentication... Read More

No one doubts that the handwritten signature will eventually be replaced by the digital signature. The European union is evolving towards new regulations for these systems based on certification. New... Read More

Over the past few years, assessment of compliance of products and services with the eIDAS regulation has been at the center of extensive debate. Product developers, service providers, certification authorities,... Read More

This presentation will provide an overview of testing deemed necessary in FIPS and a summary of the challenges and opportunities for re-use in other Certifications based on lessons learned from... Read More

ISO/IEC 19790 provides the security requirements for a cryptographic module. Originally based on the U.S. FIPS 140-2, the ISO version has been further developed and improved in subsequent editions. The... Read More

Description TBA

Description TBA

Description TBA

The Common Criteria has been a framework for product evaluation of security functions since its inception in the late 1990s. As DevOps became the trend for development of agile cloud... Read More

Description to come

FIPS 140-3 is structured very differently than the previous standard. This talk focuses on the ISO and NIST requirement documents and how they influence the CMVP program.

This presentation walks through the standards necessary to understand how the US-Canada validation authority manages the ISO requirements and testing while meeting CMVP requirements.

As CMVP stands up FIPS 140-3, this presentation addresses the roadmap and management of FIPS 140-2 and what this means to vendors, labs, and users. This is an overview of... Read More

Indirect physical attacks such as sustained power monitoring have demonstrated that it is possible for some equipment to reveal sensitive key information. This presentation will provide an overview as to... Read More

This talk walks through the standards necessary to understand how the US-Canada validation authority manages the ISO requirements and testing while meeting CMVP requirements.

This presentation discusses how these validations will be integrated into the CAVP program and automation.

CAVP has reformulated the algorithm process over the last year. This presentation will address how the process now works, who can use the service, and how the information is used.c

On behalf of the Cryptographic Module User’s Forum (CMUF) FIPS 140-3 Transition Working Group (WG), the speaker will report the work performed by the WG to assist the Cryptographic Module... Read More

TLS is one of the widely used protocols for secure communication channels between connected devices. Security has improved for TLSv1.3 compared to previous versions of TLS. Therefore, the Network iTC... Read More

This presentation will explain the key differences between FIPS 140-2 and 140-3 requirements for the most used levels (1 and 2) of software, hardware and hybrid modules. A summary mapping... Read More

Description to come

This presentation will provide the latest from the CMVP: from new and updated Implementation Guidance to lab accreditation changes, and all initiatives in between.

Description to come

The security of cryptography in practice relies not only on the resistance of the algorithms against cryptanalytical attacks, but also on the correctness of their implementations. NIST maintains the CAVP,... Read More

IPA/JCMVP is the validation authority of cryptographic module validation in Japan. IPA/JCMVP has started two-year transition period of cryptographic module security requirements to ISO/IEC 19790:2012 and ISO/IEC 24759:2017, from July... Read More

Over the last several years, both the CMVP and NIAP have been reducing the number of similar CPUs covered by a single CAVS test. Historically, an ARM was an ARM,... Read More

Highly regulated industries and critical infrastructure environments demand fulfillment of security requirements through rigorous and standardized approaches. In this context, the value of Common Criteria certifications is internationally recognized, but... Read More

To address the requirements of the market for IoT product evaluations, the standard SESIP (Security Evaluation Standard for IoT Platforms) was designed in and for the IoT time scales. This light-weight... Read More

There is a great need for security and assurance in the fast growing connected world. To address this need, very many dedicated security evaluation schemes are popping up, often with... Read More

The EU has established a new Cyber Security Law. The objectives are to standardize and protect the market, eliminating the duplicate efforts and different policies among members. Although the law... Read More

Recently, FIPS 140-2 Implementation Guidance (IG) D.8 and D.1-rev3 have been updated to state the requirements for vendor affirmation to NIST Special Publication (SP) 800-56A Rev3 and the transition from... Read More

Several NIST key establishment standards have been recently updated: SP 800-56A, 56B and 56C. As these standards represent a significant shift in the key agreement and key transport paradigms, it... Read More

Cloud has become an inevitable infrastructure for government agencies world wide. So, securing workloads in the cloud has become a high priority task. FedRAMP is an established US government Risk... Read More

In this talk, we will analyze in depth the need for harmonization between NIAP and CAVP (FIPS) requirements. We will review changes to the recent NIAP Policy 5 Guidance update... Read More

If you read the news these days relating to cyber security, it is virtually impossible to miss the large number of articles which focus on the ever-increasing labor shortage in... Read More

ACVP is becoming the only accepted method by which cryptographic algorithms are validated and certified with NIST. As the CAVS tool’s time comes to an end, so to do some... Read More

The much-awaited FIPS 140-3 is here but the elephant in the room is “what happens to all the 140-2 module and algorithm certificates?” This presentation will look at the various... Read More

The current state of CMVP, CAVP, and Entropy Validations

The current state of the Cryptographic Module Validation Program (CMVP) operations will be presented.

The current state of the Cryptographic Algorithm Validation Program (CAVP) operations will be presented.

The current state of the NIST automation and processing of CMVP and CAVP validations.

New and upcoming Implementation Guidance (IGs) & SP 800-140x since the last ICMC meeting.

The current state of the Handbook 150-17 and the CMVP and CAVP scopes.

Update on co-operative activities between NIST and NIAP with respect to cryptography and cryptographic modules.

This expert panel will discuss issues around re-test requirements for module updates, including: Updates for discovered module vulnerability; Handling non-module updates in FIPS; Vendors labs NIST, how are we going... Read More

Labs often encounter questions from Vendors dealing with defining a prospective module’s cryptographic boundary properly. In the past, simply defining a firmware module as software that is contained within a... Read More

Since accepting FIPS 140-3 reports on 22 September 2020, the atsec CST lab has submitted almost a dozen reports to the CMVP. Some of them are currently in the coordination... Read More

This talk is primarily for vendors with existing FIPS 140-2 modules highlighting some of the subtler changes between the standards that could still force a change in module design before... Read More

Update on NIAP current activities and future plans

Both the Single-Chip and Bound/Embedded Working Groups within the CMUF are on their second year of existence. This talk will focus on what each group has accomplished in the last... Read More

As the ongoing update of ISO/IEC 19790 moves to the committee draft stage, this talk will look to review trends for cryptographic modules and review what opportunities exist to evolve... Read More

Recently NIST started to enforce that auxiliary requirements of various algorithm specifications must be present and enforced by a FIPS module. Such requirements cover aspects such as how keys used... Read More

The Security Protocol and Data Model (SPDM) is a protocol published by Distributed Management Task Force (DMTF). Since its debut in 2019, SPDM has been employed by several standard bodies,... Read More

Vendors who design a cryptographic module know that all its FIPS-approved cryptographic algorithms must be CAVP certified. Normally, this certification process requires the use of an external 3rd Party CST... Read More

Cryptographic Module vendors operate in a vast and varied international marketspace. ICMC is International in name, in attendance, and in its reach of audiences. However, the FIPS 140 standard, which... Read More

US and Europe are defining independent cryptography standards and evaluation methodologies, which could result in misalignment with regional certification schemes. This talk will explain: • Cybersecurity challenges of misalignment between... Read More

PSA Certified is three years old and now has over 100 certified products. It has grown from four to six test labs and forged alliances with other organizations such as... Read More

Very few vendors implement cryptography. At the heart of most certified modules is third party and open source cryptography. CMVP already allows vendors to use the “FIPS logo” if they... Read More

The current state of the Cryptographic Module Validation Program (CMVP) operations will be presented.

The current state of the NIST automation and processing of CMVP and CAVP validations will be presented.

With the publication of FIPS 140-3, EFP/EFT testing was added as a FIPS 140-3 requirement at security level 3 security level. FIPS 140-2 was required at security level 4 but... Read More

This presentation will be delivered by a member of the ISO editing team for both ISO/IEC 19790 and ISO/IEC 24759 will provide a status update on the ongoing updates to... Read More

This talk will discuss the expected transition from 19790:2012 to 19790:202x. It will present the major anticipated work items, a possible transition timeline, as well as any foreseen challenges. As... Read More

The version of ISO/IEC 19790 (hereafter 19790) adopted as FIPS 140-3 was published in 2012. Since its publication, it has gone through four working drafts (WDs) and one committee draft... Read More

Triple-DES, Non SP 800-56B Rev. 2 RSA key establishment, RSA with PKCS v1.5 padding, FIPS 186-5 (X9.31) are among algorithms transitioning to Historical by the end of year or early... Read More

Update on NIAP scheme, initiatives, and PP development goals (CC:2022, SBOM, Cloud, Automation)

Update on NIAP guidance for Entropy documentation required in relation to entropy reports completed by CMVP/NIST against SP800-90B

This talk will provide update on post quantum crypto requirements and required updates to Protection Profiles

An expert panel discussing CPU Equivalency

During the 1990’s the introduction of the internet, web browser, email and resulting electronic services led to an initial commercialization wave of crypto and security technologies. During this time security... Read More

This panel will continue the discussion from last year’s panel on the same topic, security vs compliance–is it possible to achieve both? What should our goals be? How can we... Read More

Korea has introduced new certification program for Quantum Key Distribution System in November of the last year and started the official process in April. As an organization applying for the... Read More

A hot topic in the community is the importance of crypto-agility, and how diversifying one’s security base can strengthen resilience. Whilst validation programmes like CMVP are considering PQC, movement towards... Read More

In the alphabet soup that is the landscape of product security certifications today, it is well understood that FIPS is the foundational certificate. Often that means that it gets the... Read More

The Cryptographic Module Validation Program (CMVP) was established on July 17, 1995, by the National Institute of Standards and Technology (NIST) to validate cryptographic modules conforming to the Federal Information... Read More

Come join Seamus, Brent, and a pair of disembodied hands for this informative and entertaining video presentation (with a live component) to learn the physical security requirements in FIPS 140-3... Read More

Companies with large portfolio of products like VMware benefit enormously from the rebranding and 1SUB processes allowed by NIST for OSS cryptographic libraries. However, as businesses move increasingly towards the... Read More

This talk will present cryptographically significant effects stemming from compiler version differences in software module(s) since mid-2022. The speaker will present this research to the ICMC community along with a... Read More

Initial presentations on ideas for speeding up the CMVP queue and processing times followed by an open floor brain storming session to bring in thoughts and ideas from the audience... Read More

This talk will provide insights into the evaluation process of FIPS 140-3, from initial engagement to successful submission of the certificate. It will cover aspects such as performing gap analysis... Read More

This talk will feature a panel discussion with entropy reviewers to reflect on observations from entropy reports over the past year, changes in guidance, and address audience questions.

In recent years, Europe has made significant strides in the cryptographic field, emerging as a global powerhouse. The widespread adoption of cryptographic primitives to safeguard sensitive information across hardware, software,... Read More

The version of ISO/IEC 19790 adopted as FIPS 140-3 was published in 2012. Since then, it has undergone several revisions. The panel, consisting of experts, will discuss major updates to... Read More

In a world where FIPS has been viewed as a drain on cryptographic performance and quality, what will it take to make FIPS something that can be used everywhere? This... Read More

The CMVP will host a discussion on important topics within the CMVP community. Following a brief presentation from the CMVP’s perspective, panelists will share their insights on trust in labs... Read More

Cryptography underpinning data confidentiality and integrity is evident not only in the high demand for cryptographic module validation but also in the Dedicated Security Component collaborative Protection Profile (DSC cPP).... Read More

A FIPS tester finds himself mixed up in a series of peculiar, absurd, but eerily familiar scenarios on the way to the Test Lab.  A Scheme Reviewer dreams of consistently... Read More

Vendors are required to submit their cryptographic module implementations to the Cryptographic Module Validation Program (CMVP) for validation and qualification of their products or cloud services for deployment within the... Read More

Abstract to come.

The algorithms CRYSTAL-Cyber, CRYSTAL-Dilithium, SPHINCS+, and FALCON form the basis of FIPS202, FIPS203, and FIPS204. Selected by NIST after rigorous testing for various resources, these algorithms emerged as optimal choices.... Read More

Section 7.10 of the FIPS 140-3 Management Manual outlines operational equivalency for hardware modules, enabling labs to conduct minimal regression testing across multiple platforms differing in storage, interfaces, and power... Read More

Thirty years after the publication of FIPS 140-1, technology has evolved, but the standard has not kept pace. This talk will review the physical security requirements of single-chip embodiments, addressing... Read More

This talk will explore the concept of ‘Module Component Pre-Validation Packages’ as a means to facilitate compliance, streamline testing processes, and promote reusability within the realm of ISO/IEC 19790 and... Read More

The talk aims to discuss the current validation process for Applets executing on JAVA cards and explore the potential for decoupling the FIPS validation of an applet from the underlying... Read More

Representation of protocols such as TLS, SSH and IPsec vary widely in the Security Policies for modules validated to FIPS 140-2. This presentation covers associated guidance, representation of ciphersuites (and... Read More

Cloud is becoming a dominant tool for various government agencies. Hence securing the cloud has become a paramount task. FedRamp is US standard for clouds. In spite of FedRamp enforcement,... Read More

This presentation will give a very brief introduction to Arm Platform Security Architecture (though that is a separate submission) and then explains why Arm have decided to introduce a new... Read More

Mandated in 2018, eIDAS (electronic IDentification, Authentication and trust Services) is an EU regulation defining standards for electronic signatures, qualified digital certificates, electronic seals, timestamps and other proof of authentication... Read More

Over the past few years, assessment of compliance of products and services with the eIDAS regulation has been at the center of extensive debate. Product developers, service providers, certification authorities,... Read More

This presentation will provide an overview of testing deemed necessary in FIPS and a summary of the challenges and opportunities for re-use in other Certifications based on lessons learned from... Read More

Cryptography is almost in all IT products providing security. As such, the evaluation of the cryptographic code is part of a Common Criteria evaluation. On the other side, in a... Read More

With the explosive growth of Internet of Things coupled with 5G communications and re-utilization of GSM 200kHz band for localized IoT applications, industry is going forward with massive investments in... Read More

Driven by digitalisation of “everything”the trust in digital devices of all types and their authenticity and integrity becomes a critical factor for the success of new offerings and business models.... Read More

A non-volatile DIMM (NVDIMM) is a Dual In-line Memory Module (DIMM) that maintains the contents of Synchronous Dynamic Random Access Memory (SDRAM) during power loss. An NVDIMM-N class of device... Read More

The NISTIR 8200 report addresses the growing need to develop effective security standards for the Internet of Things (IoT). They have identified a wide range of critical categories impacted by... Read More

Internet of Things (IoT) ecosystems have become increasingly prevalent, fundamentally changing the way we live, work and play. Billions of IoT devices already exist, with hundreds more coming online each... Read More

The automotive industry has rapidly evolved in recent times in such a way that the cars have been transformed from a simple mode of transport to the ultimate mobile device.... Read More

The importance of connected devices, services, and platforms in modern society is growing rapidly, and nowhere is this more apparent than the smart city. Made up of a wide range... Read More

Description TBA.

TLS (formerly SSL) is fairly well known, and most people are familiar with it through the ‘s’ at the end of the ‘https’ in web URLs. Securing communication is also... Read More

Driven by the demand for cryptographic protection in resource-constrained devices, NIST has initiated a lightweight cryptography competition between 2019 and 2023. Among 57 submissions, Ascon has been selected as the... Read More

Trends and Issues in IoT Cryptography

Cryptography is facing new challenges with new technologies such as IoT, Cloud, Quantum Cryptography etc. As the number of secure connections are exponentially increasing, key generation, strength of keys are... Read More

The NIST Special Publication (SP) 800-90 series of recommendations provide guidance on the construction and validation of random bit generators in the form of deterministic random bit generators or non-deterministic... Read More

Description to come:

In an SP800-90B assessment, the vendor must determine if their noise source supports an IID assumption, and justify any claim that the source output is IID. The SP800-90B IID assessment... Read More

With the advent of the Internet of Things (IoTs), all kinds of modern electrical devices such as smart phones, medical devices, network sensors as well as traditional computing platforms are... Read More

Correct and secure implementation of crypto modules is crucial for the overall system security which is, however, an error-prone and non-trivial task. A reliable and practical solution is to design... Read More

Numerous tests, including NIST STS and DIEHARDER test suites, have been formulated to assess RBG quality. However, these and others examine only the correlative properties present in a RBG stream.... Read More

Virtualized environments rely on high-quality entropy for generating cryptographic keys and securing sensitive data. In many cases, the entropy sources within the VM or sourced from hypervisor may be of... Read More

The BSI evaluation guidelines for random number generators, AIS 20 and AIS 31, have been effective in the German Common Criteria certification scheme for over 20 years, last updated in... Read More

Abstract: This presentation will provide updates on the ongoing development of the SP 800-90 series. In 2022, NIST published a draft of SP 800-90C, Recommendation for Random Bit Generator (RBG)... Read More

NIST and BSI have been in an ongoing process of harmonizing the SP 800-90 Series with AIS 20/31. Although the requirements are not identical, there are several pairs of random... Read More

Health tests are an integral part of entropy sources. These tests are critical for ensuring security, because noise sources can be sensitive to process variation in manufacturing, component aging or... Read More

Panel and Open Floor Questions with NIST Entropy Submission Reviewers

Entropy plays a crucial role in FIPS validation, yet remains poorly understood. As the founder and leader of the CMUF Entropy Working Group since 2018, the speaker possesses valuable insights... Read More

This talk covers both physical and non-physical noise sources utilized for entropy generation. It provides examples of various noise sources, including those based on ring oscillators, metastable latches, CPU jitter,... Read More

Post-processing algorithms and conditioning functions are integral components of entropy sources and random number generators. They are applied to the raw output of the noise source to enhance the entropy... Read More

The well-established DRBGs specified by SP800-90A are prevalent, primarily due to their compliance with FIPS 140-3 requirements and reliance on long-standing cryptographic primitives. However, recent years have seen the emergence... Read More

BSI and NIST have jointly developed standards and guidelines for generating random numbers suitable for cryptographic applications. The BSI evaluation guidelines AIS 20 and AIS 31, along with NIST’s Special... Read More

Software implementations of random number generators (RNGs) may lack direct access to an entropy source and rely on other software or system components to seed and reseed their deterministic random... Read More

This talk will cover the development of a stochastic model tailored for estimating min-entropy in ring oscillators, essential components in designing secure cryptographic systems. The aim is to bridge the... Read More

The SP 800-90B approved health tests detect a particular class of failures, with cutoffs set under implicit assumptions. This talk reviews relevant SP 800-90B requirements, explores failure modes detected by... Read More

Due to the nature of the SP 800-90B requirements, entropy sources often implement only the minimum required testing, namely the adaptive proportion test (APT) and repetition count test (RCT). This... Read More

There have been at least 130 entropy source certificates awarded by the ESVP so far. In this talk, the speaker will summarize lab, implementation, and vendor trends based on information... Read More

An in-depth look at the real-world process of validation with input from professionals who have hands-on experience at each step. Includes a case study of an actual validated CM product.

NIST is working in close collaboration with the industry to address the shortcomings of the NIST Cryptographic Validation Programs and improve the efficiency and effectiveness of cryptographic module testing in... Read More

After about one-year analysis and evaluation on the first-round candidates, NIST announced the second-round candidates in January 2019. In this presentation, we will provide a summary on the second-round candidates... Read More

Cryptography is facing new challenges with new technologies such as IoT, Cloud, Quantum Cryptography etc. As the number of secure connections are exponentially increasing, key generation, strength of keys are... Read More

This presentation will provide the latest from the CMVP: from new and updated Implementation Guidance to lab accreditation changes, and all initiatives in between.

The NIST Special Publication (SP) 800-90 series of recommendations provide guidance on the construction and validation of random bit generators in the form of deterministic random bit generators or non-deterministic... Read More

Description to come:

NIST is working in close collaboration with the industry to address the shortcomings of the NIST Cryptographic Validation Programs and improve the efficiency and effectiveness of cryptographic module testing in... Read More

The recent NIST publications of new versions of the key establishment standards formed a complicated landscape for the CMVP, the implementers, and testers. The standards keep evolving, the new parameter... Read More

The computer security Division at the National Institute of Standards and Technology is taking steps toward the standardization of threshold schemes for cryptographic primitives. These schemes have the potential to... Read More

ISO/IEC 19790 provides the security requirements for a cryptographic module. Originally based on the U.S. FIPS 140-2, the ISO version has been further developed and improved in subsequent editions. The... Read More

Description TBA

Description TBA

A randomness Beacon produces timed outputs of fresh public randomness. It pulsates randomness in an expected format at expected times, making it available to the public. Beacons offer the potential... Read More