ACVPro
ACVPro is a complete solution for testing cryptographic modules using the new Automated Cryptographic Validation Test System (ACVTS). The ACVTS is the testing system created by the NIST Cryptographic Algorithm Validation Program (CAVP) to prove the correct operation of cryptographic modules.
The ACVTS replaces the Cryptographic Algorithm Validation System (CAVS) that has been used for many years. The CAVS system used a windows-based application, operated by validation laboratories, to produce test vectors and validated responses to those test vectors.
In contrast, the ACVTS relies on a cloud-based server to produce the test vectors, and to validate responses to those test vectors. The ACVTS utilizes the Automated Cryptographic Validation Protocol (ACVP), which describes the data and control flow that comprises a testing session.
The Only Proven FIPS 140 Testing Solution
The ACVPro is the only Cryptographic Algorithm Test Harness on the market that meets the demands of the testing labs and is ready for deployment today.
ACVPro consists of a Linux binary command line application and set of shared object libraries. Together these handle all command line options, ACVTS communication, and test data handling, as well as providing numerous utility functions for diagnostics and debugging.
Labs or Vendors provide a “shim”, which is written to test a specific cryptographic module or Implementation Under Test (IUT). A shim consists of one or more functions that handle individual test cases for the algorithms supported by the module, as well as some supporting code. A shim is responsible for translating the data inputs into the data structures used by the IUT, using the IUT’s API to execute the test, and finally translate the IUT output data to be returned. A shim is compiled into a shared object, and loaded by ACVPro at runtime. Shims have access to a wide variety of utility and helper functions provided by ACVPro’s shared object libraries.
- TDES/3DES (SP 800-38A)
- AES (SP 800-38A)
- AES-CCM (SP 800-38C)
- AES-GCM (SP 800-38D)
- AES-XTS (SP 800-38E)
- CMAC (SP 800-38B)
- GMAC (SP 800-38D)
- HMAC (FIPS 198-1)
- SHA-1, SHA-2 (FIPS 180-4)
- SHA-3 (FIPS 202)
- DRBG (SP 800-90A)
- RSA (FIPS 186-4)
- DSA (FIPS 186-4)
- ECDSA (FIPS 186-4)
- PBKDF (SP 800-108)
- ASKDF (SP 800-135)
- KAS (SP 800-56A)
- AES and TDES Key Wrap (SP 800-38F)
- Component Testing:
- ECC-CDH (SP 800-56A Section 5.7.1.2)
- ECDSA Signature Generation Component
- RSA Signature Primitive (RSASP1)(PKCS#1 v2.1)
- RSADP (SP 800-56B)
ACVPro has been successfully used on the ACVTS production server, and ThinqSoft’s own “FOMRedux” OpenSSL product is currently working through the approval process. We will post our certificate number this week!
ACVPro is fully functional and has been used to achieve passing results on the ACVTS Production Server. It is currently based on libacvp, an open source library created by Cisco. Due to the limitations of libacvp, the validation process currently requires many individual steps, and most of those steps require all data to be processed in a single monolithic submission.
ACVPro can be used to achieve production credentials for any NVLAP validation lab, satisfying the requirements imposed for the transition beginning January 1, 2020. As part of the initial license, Thinqsoft will mentor labs through the accreditation process for both the testing and production servers, and execute the initial testing to achieve accreditation.
ThinqSoft will be continually supporting and enhancing the software to address customer needs. We have a robust roadmap for July 2020 and beyond, and will engage with our licensees to addressing their particular needs and priorities.
Our roadmap for July 2020 includes:
- Testing over Ethernet socket connections, for Mobile, IoT, and constrained hardware environments
- Testing with kernel module shims
- Enhancements for large volume of simultaneous validation projects
- Enhanced granularity in submissions and metadata handling
ACVPro is licensed for use on a yearly basis. Licensees will receive:
- Copies of the binaries and shared objects compiled for the x86_64 architecture
- Source code for a complete shim, capable of validating the OpenSSL FOM
- Source code and headers to produce additional shims
- Eight (8) hours of training, to be conducted at a time and place of mutual agreement, with reimbursement for travel expenses outside of DC Metro area
In addition, the licensees are entitled to:
- Receive mentoring and assistance in achieving fully credentialed access to the ACVTS testing and production environment to meet CAVP transition requirements
- Use the provided full binary and libraries to request and validate vector sets, and to submit results for certification
- Provide contracted vendors with the headers, documentation, and samples necessary to build shims for use with ACVPro
- Allow vendors to use the provided slim binary and shared libraries to produce vector results, for completion of specific projects (vendors must cease use after completion of project). If desired for continuous use in a QA environment, specific vendor licenses are available directly from ThinqSoft
- Receive all updates, improvements, bug fixes, and other enhancements for the license period
- Make requests for features and pose novel use case scenarios
- Support in the discovery and remediation of bugs and defects
Additionally, all licensees will receive preferential pricing for:
- Creation of new binaries for additional architectures. We ship Linux x86_64 binaries, and will work with you to generate other platforms (e.g. iOS, Android, Solaris, HP-UX) on an as-needed basis. Cost recovery is only for actual time and materials. Assistance from the Customer with environmental details, and potential cross-compile details, is required.
- Engineering, development, and support for the creation of new shims. Reasonable support is always provided with the license for support of your development work. The definition of “reasonable” will be on a case-by-case basis, and always in consultation with you.
- Preferential pricing for development of custom shims on a work-for-hire basis
- Full service completion of ACVTS projects for your clients (outsourced testing)
At the end of the license period, a new license must be purchased or usage of ACVPro must be terminated and all binaries deleted.
Learn More about the ACVPro
Download the ACVPro Overview and see how it can support your FIPS 140 validation projects