Every vendor who has gone through a FIPS 140 validation is familiar with CAVP algorithm testing — It’s a necessary step of the validation process. But algorithm testing isn’t for FIPS 140 alone! Some vendors are finding that they are required to do algorithm testing for Common Criteria (CC) certifications. What’s up with that?
Common Criteria certifications are typically done to conform with a published Protection Profile (PP). The PP defines the Security Functional Requirements (SFRs) to which a product must conform. The most popular PP is the Network Devices Collaborative Protection Profile, or NDcPP. The current version is 2.1, and the actual document can be found here (https://www.commoncriteriaportal.org/pps/collaborativePP.cfm?cpp=1&CFID=47381916&CFTOKEN=d67ae93a51516267-1499E015-155D-01DB-13AA0604DAE20F45).
The NDcPP (and other PPs) set out requirements for the cryptography that must be present in the system. For example, all TLS and SSH connections must be secured with RSA or ECC asymmetric cryptography, and session traffic must be protected with AES CBC or GCM. To ensure compliance with published standards on those algorithms, it is mandated that those algorithms be tested by NIST. The group that does this testing is the very same CAVP that does the testing for FIPS 140 modules.
This has been going on quietly for some years. In fact, if you know what you’re looking for, you can spot an algorithm validation in support of a CC certification. If you search the CAVP listing of validations and see a module that only includes RSA, AES, SHA, and HMAC, then chances are it’s for an NDcPP product.
Thinqsoft can help labs and vendors minimize risk in achieving algorithm testing success. We’re subject matter experts in all forms of NIST algorithm testing. Contact us to see how we can help!