How to Certify a DICE Implementation under FIPS 140-3? (E22c)
Device Identifier Composition Engine (DICE) is an emerging industry standard published by the Trusted Computing Group (TCG). DICE is intended to be a more lightweight alternative to the TCG’s well-known Trusted Platform Module (TPM) industry standard. The architecture of DICE is intended to provide implementing devices with strong identity properties with minimal hardware requirements. This strong device identity can be leveraged to build up interesting security properties and use cases such as attestation of the device’s trustworthiness for mitigating supply chain attacks and so on. The attacks intended to be mitigated by DICE use cases are likely in scope for government agencies as well. Therefore, there is desire that DICE implementations should be able to acquire FIPS 140-3 certification and be enabled by government and other security-sensitive users. However, certifying a DICE implementation under FIPS 140-3 is not straightforward. FIPS 140-3 requires an ECC keypair be generated according to FIPS 186-4, the Digital Signature Standard (DSS). An open challenge with DICE is its incongruence with the requirements for key generation prescribed in FIPS 186-4. In FIPS186-4 there are two prescribed methods for generating ECC keys, both of which are rooted in utilizing a DRBG. In contrast the DICE specifications utilize an SP800-108 Key Derivation Function (KDF) to derive ECC keys. Thus direct use of a KDF to generate ECC keys is forbidden even though the KDF is an approved FIPS standard for generating keying material and the KDF can be utilized in the same manner as a DRBG to generate ECC keys with the same algebraic structure. We shall show possible design alternatives such as utilizing SP800-133, Recommendation for Cryptographic Key Generation, that attempt to reconcile DICE and DSS. We show how these approaches are unscalable or do not completely reconcile DICE with FIPS. This serves as the motivation for consideration of adopting the SP800-108 KDF as an allowed method for deriving ECC keys.