Computer Security Resource Center

Computer Security Resource Center

Computer Security
Resource Center

This is an archive
(replace .gov by .rip)

Cryptographic Algorithm Validation Program

2013 Announcements

[12-12-13] -- New release of the CAVS algorithm validation testing tool to the CST Laboratories (CAVS16.0). contains changes to the testable functions in some of the approved cryptographic algorithms to reflect the transition to the use of stronger cryptographic keys and more robust algorithms (as recommended in NIST SP800-131A Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths) effective January 1, 2014. The following changes have been made :

  1. DSA (Refers to FIPS 186-2) Removed DSA tab. PQG Generation, Key Pair Generation, and Signature Generation are disallowed after 2013 because IG G.15 states. After December 31, 2013, implementations of domain parameter generation, key pair generation and digital signature generation as specified in FIPS 186-2 will not be validated by the CAVP or CMVP. PQG Verification and Signature Verification are still allowed for legacy use. The testing of these 186-2 functions has been moved to the DSA2 tab which refers to FIPS 186-4. (NOTE: FIPS 186-4 DSA can still be validated for all functions (See DSA2 Tab).)
  2. RNG IG G.15 states: In the case of the deprecated RNGs, new algorithm or module validation submissions will only be accepted for validation by the CAVP or CMVP, respectively, through the end of 2013. However, modules submitted for revalidation under IG G.8, scenarios 1 through 4 containing deprecated RNGs will be accepted for revalidation by the CMVP until their use is disallowed on December 31, 2015 (see SP 800-131A). In the case of revalidations, RNG validation may need to be performed. Therefore, RNG validation testing will remain in the CAVS tool but will only be allowed to validate RNG implementations in modules submitted for revalidation.
  3. DSA2 (Refers to 186-4) - The following changes have been made:
  4. Because modulus sizes less than or equal to 80 bits of security are disallowed and SHA1 is disallowed for Digital Signature Generation after 2013:
    1. PQG Gen Removed L=1024 N=160 column
    2. Key Pair Removed L=1024 N=160 column
    3. Signature Generation
      1. Removed L=1024 N=160 column
      2. Removed SHA1 from all modulus columns
  5. The PQG Verification selection under the DSA2 tab has been modified to add a checkbox to test FIPS186-2 PQG Verification as specified in FIPS 186-4 Annex A.1.1.1 Validation of the Probable Primes p and q that were Generated Using SHA-1 as Specified in Prior Versions of this Standard.
  6. A note has been added to the Signature Verification selection under the DSA2 tab explaining that Signature Verification as specified in FIPS 186-2 and FIPS 186-4 is the same and therefore the same screen can be used to test either version. Therefore, there is no distinction between the two when testing Signature Verification.
  7. ECDSA2 (Refers to 186-4) - The following changes have been made: a. Because modulus sizes less than or equal to 80 bits of security are disallowed and SHA1 is disallowed for Digital Signature Generation after 2013:
  8. Key Pair Removed P192 K163 B163
  9. Signature Generation
    1. Removed the complete columns for P192 K163 and B163
    2. Removed SHA1 from all curve columns b. Add documentation explaining PKV and Signature Verification for both 186-2 and 186-4 are the same. Therefore, there is no distinction between the two versions when testing these functions.
  10. RSA (Refers to FIPS 186-2) - Removed RSA tab. PQG Generation, Key Pair Generation, and Signature Generation are disallowed after 2013 because IG G.15 states. After December 31, 2013, implementations of domain parameter generation, key pair generation and digital signature generation as specified in FIPS 186-2 will not be validated by the CAVP or CMVP. Signature Verification is still allowed for legacy use. The 186-2 RSA Validation Tests have been moved under the RSA2 tab. They can be accessed by checking the 186-2 Legacy Tests tab under the RSA2 tab. (NOTE: FIPS 186-4 RSA can still be validated (See RSA2 Tab).)
  11. RSA2 (Refers to 186-4): The following changes have been made: a. Because anything less than or equal to 80 bits of security is disallowed and SHA1 is disallowed for Digital Signature Generation after 2013:
  12. GenKey9.31 Removed 1024 column only in B.3.4 (Provable Primes), B.3.5 (Provable and Probable Primes) and B.3.6 (Probable Primes), but kept SHA1. (1024 bit RSAs keys are not used for any other purpose but Signature Generation. Therefore they are removed. FIPS PUB 186-4 Section 4 states that SHA1 can be used for key generation because output length of 160 is bigger than 128 and 112 associated security string lengths of 2048 and 3072 bit moduli.)
  13. Signature Generation 9.31, PKCS1.5 and PKCS PSS 1. Removed 1024 column 2. Removed SHA1 from modulus sizes 2048 and 3072 columns
  14. RSA Component Test  Removed PKCS 1.5 SHA1 because SHA1 was removed from Mod 2048 b. Added new tab called 186-2 Legacy Tests. By selecting this tab, the FIPS 186-2 Signature Verification for 9.31, PKCS1.5 and PSS can be accessed.
  15. ECDSA (Refers to FIPS 186-2) - Removed ECDSA tab. PQG Generation, Key Pair Generation, and Signature Generation are disallowed after 2013 because IG G.15 states After December 31, 2013, implementations of domain parameter generation, key pair generation and digital signature generation as specified in FIPS 186-2 will not be validated by the CAVP or CMVP. PKV and Signature Verifications are still allowed for legacy use. The testing of these 186-2 functions has been moved to the ECDSA2 tab. (NOTE: FIPS 186-4 ECDSA can still be validated (See ECDSA2 Tab).)
  16. KASFFC Removed FA parameter set because 80 bits security disallowed after 2013.
  17. KASECC Because anything less than or equal to 80 bits of security is disallowed after 2013:
  18. Removed EA parameter set
  19. ECCCDH Component test (Sec 5.7.1.2) Removed P192 K163 and B163.
  20. KDF 800-135 - Because anything less than or equal to 80 bits of security is disallowed after 2013:
  21. IKE v1 - Removed 185, 192, 1024 from the 3 columns in the Diffie-Hellman Shared Secret section
  22. IKE v2 - Removed 185, 192, 1024 from the 3 columns in the Diffie-Hellman Shared Secret section
  23. ANS X9.63 - Removed 163 and 192 in both min and max fields
  24. SSH - Changed the Diffie-Hellman Shared Secret Lengths default value to 2048.
  25. RSADP Component (from SP800-56B) - Removed 1024. Because only allow 2048 now, modified screen so only need to press RSADP Generate or RSADP Verify.
  26. A minor bug was fixed in SP 800-135 to the shared secret length for IKEv1 and IKEv2.

The transition period ends March 12, 2014.

As has been the policy in the past:

  1. EFFECTIVE IMMEDIATELY on any new validation requests for implementations of TDES, AES, SHA, RNG, HMAC, CCM, CMAC, DRBG 800-90A, Key Agreement Scheme (KAS) FFC, KAS ECC, GCM 800-38D, FIPS186-4 DSA, FIPS186-4 ECDSA, FIPS186-4 RSA, XTS, the ECC DLC Primitive Component, SP800-108 KDF, the KDFs in SP800-135, RSA Signature Generation Component testing for PKCS1.5 and/or PKCS PSS, the ECDSA2 Signature Generation Component and/or the RSADP component, the CST lab must use the CAVS 16.0 to validate the IUT.
  2. For any algorithm validation request where a lab has used a version of CAVS prior to CAVS 16.0 to create files and has already sent the sample and request files to the vendor, NIST will accept validations of acceptable algorithms and key lengths using this tool up through March 12, 2014. If an IUT validated with CAVS 15.2 contains key lengths, hash sizes, or algorithms that are disallowed as of December 31, 2013, these disallowed features will not be accepted.
  3. If there are any validation requests where a lab has used a version of CAVS prior to CAVS 16.0 to create files and has not yet sent the appropriate files to the vendor, please regenerate everything using CAVS 16.0.

The CAVP will also review special conditions on a case-by-case basis.

[11-13-13] -- New release of the CAVS algorithm validation testing tool to the CST Laboratories (CAVS15.2). The following additions, modifications and updates have been made to CAVS Version 15.1:

  1. Corrected message displayed for RSA2 Key Generation verification.  It was erroneously displaying success on the screen when the summary and log files were indicating a failure.
  2. Changes to format in RSADP files -Changed upper case K to lower case k in sample file
  3. Corrections to RSA2 testing introduced when truncated SHAs were added.  Error was in using SHA1. 
  4. Corrections to DRBG edit length dialog.
  5. Removed response file creation in SP800-108.  This was here for generating example files for website.

The transition period ends February 13, 2014.

As has been the policy in the past:

  1. EFFECTIVE IMMEDIATELY on any new validation requests for implementations of TDES, AES, FIPS 186-2DSA, SHA, RNG, FIPS 186-2 RSA, HMAC, CCM, FIPS 186-2ECDSA, CMAC, DRBG 800-90A, Key Agreement Scheme (KAS) FFC, KAS ECC, GCM 800-38D, FIPS186-4 DSA, FIPS186-4 ECDSA, FIPS186-4 RSA, XTS, the ECC DLC Primitive Component, SP800-108 KDF, the KDFs in SP800-135, SHA 512/224, SHA 512/256, HMAC with SHA 512/224, HMAC with SHA 512/256, RSA Signature Generation Component testing for PKCS1.5 and/or PKCS PSS, the ECDSA2 Signature Generation Component and/or the RSADP component, the CST lab must use the CAVS 15.2 to validate the IUT.
  2. For any algorithm validation request where a lab has used a version of CAVS prior to CAVS 15.2 to create files and has already sent the sample and request files to the vendor, NIST will accept validations using this tool up through February 13, 2014.
  3. If there are any validation requests where a lab has used a version of CAVS prior to CAVS 15.2 to create files and has not yet sent the appropriate files to the vendor, please regenerate everything using CAVS 15.2.

The CAVP will also review special conditions on a case-by-case basis.

  1. section or remove the DES section.
  2. For each component, make it have its own section In the inf file for automation purposes (separate section for ECDSA SigGenComponent, RSASP1 component, RSADP component, etc.)
  3. Corrected label in SP800-135 log file
    1. Corrected truncated screen for SP800-135 IKEv2.

The transition period ends December 18, 2013.

  1. EFFECTIVE IMMEDIATELY on any new validation requests for implementations of TDES, AES, FIPS 186-2DSA, SHA, RNG, FIPS 186-2 RSA, HMAC, CCM, FIPS 186-2ECDSA, CMAC, DRBG 800-90A, Key Agreement Scheme (KAS) FFC, KAS ECC, GCM 800-38D, FIPS186-4 DSA, FIPS186-4 ECDSA, FIPS186-4 RSA, XTS, the ECC DLC Primitive Component, SP800-108 KDF, the KDFs in SP800-135, SHA 512/224, SHA 512/256, HMAC with SHA 512/224, HMAC with SHA 512/256, RSA Signature Generation Component testing for PKCS1.5 and/or PKCS PSS, the ECDSA2 Signature Generation Component and/or the RSADP component, the CST lab must use the CAVS 15.1 to validate the IUT.
  2. For any algorithm validation request where a lab has used CAVS Version 15.0 to create files, please regenerate everything using CAVS 15.1.
  3. For any algorithm validation request where a lab has used a version of CAVS prior to CAVS 15.1 (excluding CAVS 15.0) to create files and has already sent the sample and request files to the vendor, NIST will accept validations using this tool up through December 18, 2013.
  4. If there are any validation requests where a lab has used a version of CAVS prior to CAVS 15.1 (excluding CAVS 15.0) to create files and has not yet sent the appropriate files to the vendor, please regenerate everything using CAVS 15.1.

The CAVP will also review special conditions on a case-by-case basis.

[09-17-13] -- New release of the CAVS algorithm validation testing tool to the CST Laboratories (CAVS15.0). The following additions, modifications and updates have been made to CAVS Version 15.0:

  1. Added FIPS 180-4 SHA-512/224 and SHA-512/256 support to FIPS 186-4 DSA (i.e., DSA2), ECDSA (i.e., ECDSA2), and RSA (i.e., RSA2).
  2. Added SP800-56B RSADP component testing.
  3. Added prerequisite to ECDSA Signature Generation component. Requires prerequisite of DRBG or RNG because uses secret random number.
  4. For the NIST SP 800-135 IKEv1 and IKEv2 KDFs, the three fixed well-known group options (Groups 2, 4 and 14) are replaced by three drop-down lists of all valid shared secret lengths (groups), thus increasing the number of groups supported by testing.
  5. For the NIST SP 800-135 SSH KDF, testing with the TDES-CBC cipher is now optional instead of required. The user shall select all supported block ciphers out of the set of TDES CBC, AES-128 CBC, AES-192 CBC and AES-256 CBC.
  6. Fixed bug in NIST SP 800-135 SSH KDF tests. CAVS generated shared secret (i.e., K) values that were not valid because they had an unnecessary leading zero-valued byte.
  7. For NIST SP 800-38E XTS-AES, CAVS now allows testing with the tweak value input in both supported formats, the 128-bit hexadecimal string and the Data Unit Sequence number. Earlier versions of CAVS only tested for one format or the other.
  8. Fixed parsing bug in HMAC verify routine.
  9. AES Summary file corrected for AES Ctr mode information.
  10. Fixed bug in "Edit Input Lengths..." window for Hash_DRBG and HMAC_DRBG.
  11. Modifications to inf file (For internal use):
  1. GCM make Selected= first line in GCM section (this will make it consistent with other sections)
  2. 135-Change name of 800135Selected to Selected
  3. Have an empty line before the DES section  or remove the DES section.
  4. For each component, make it have its own section in the inf file for automation purposes (separate section for ECDSA SigGenComponent, RSASP1 component, RSADP component, etc.)
  5. Remove dash, slash and spaces from truncated hash variable names (and other variables)

The transition period ends December 17, 2013.

As has been the policy in the past:

  1. EFFECTIVE IMMEDIATELY on any new validation requests for implementations of TDES, AES, FIPS 186-2DSA, SHA, RNG, FIPS 186-2 RSA, HMAC, CCM, FIPS 186-2ECDSA, CMAC, DRBG 800-90A, Key Agreement Scheme (KAS) FFC, KAS ECC, GCM 800-38D, FIPS186-4 DSA, FIPS186-4 ECDSA, FIPS186-4 RSA, XTS, the ECC DLC Primitive Component, SP800-108 KDF, the KDFs in SP800-135, SHA 512/224, SHA 512/256, HMAC with SHA 512/224, HMAC with SHA 512/256, RSA Signature Generation Component testing for PKCS1.5 and/or PKCS PSS, the ECDSA2 Signature Generation Component and/or the RSADP component, the CST lab must use the CAVS 15.0 to validate the IUT.
  2. For any algorithm validation request where a lab has used a version of CAVS prior to CAVS 15.0 to create files and has already sent the sample and request files to the vendor, NIST will accept validations using this tool up through December 17, 2013.
  3. If there are any validation requests where a lab has used a version of CAVS prior to CAVS 15.0 to create files and has not yet sent the appropriate files to the vendor, please regenerate everything using CAVS 15.0.

The CAVP will also review special conditions on a case-by-case basis.

[09-05-13] - On July 19,2013, NIST announced the approval of Federal Information Processing Standard (FIPS) 186-4, the Digital Signature Standard.  All of the changes between FIPS 186-3 and FIPS186-4 had already been incorporated into the CAVP testing tool; the testing of FIPS186-3 implementations is identical to the testing of FIPS 186-4 implementations. There is no need for a transition period in which both FIPS 186-3 and FIPS 186-4 validation would be performed. Previous CAVP validations for FIPS 186-3 will be considered as equivalent to those for FIPS 186-4. Vendors should start using FIPS 186-4 immediately.

[04-26-13] -- New release of the CAVS algorithm validation testing tool to the CST Laboratories (CAVS14.4). This version of the CAVS tool addresses minor updates:

  1. For SP800-108 KDF in Counter Mode, added the ability to test implementations that put the counter in the middle of the input data. This is allowed by SP800-108.
  2. Minor correction in file used by tool - doesn't affect end users: In function WriteInfRSA2, changed reference to rsa2selected instead of rsaselected.

The transition period ends July 23, 2013.

As has been the policy in the past:

  1. EFFECTIVE IMMEDIATELY on any new validation requests for implementations of TDES, AES, FIPS 186-2DSA, SHA, RNG, FIPS 186-2 RSA, HMAC, CCM, FIPS 186-2ECDSA, CMAC, DRBG 800-90A, Key Agreement Scheme (KAS) FFC, KAS ECC, GCM 800-38D, FIPS186-3 DSA, FIPS186-3ECDSA, FIPS186-3RSA, XTS, the ECC DLC Primitive Component, SP800-108 KDF, the KDFs in SP800-135, SHA 512/224, SHA 512/256, HMAC with SHA 512/224, HMAC with SHA 512/256, RSA Signature Generation Component testing for PKCS1.5 and/or PKCS PSS, and/or the ECDSA2 Signature Generation Component, the CST lab must use the CAVS 14.4 to validate the IUT.
  2. For any algorithm validation request where a lab has used a version of CAVS prior to CAVS 14.4 to create files and has already sent the sample and request files to the vendor, NIST will accept validations using this tool up through July 23, 2013.
  3. If there are any validation requests where a lab has used a version of CAVS prior to CAVS 14.4 to create files and has not yet sent the appropriate files to the vendor, please regenerate everything using CAVS 14.4.

The CAVP will also review special conditions on a case-by-case basis.

[02-21-13] -- New release of the CAVS algorithm validation testing tool to the CST Laboratories (CAVS14.3). This version of the CAVS tool addresses minor updates:

  1. Corrected RSA summary file to correctly handle values from KeyGen 3.3 fixed key.
  2. Added FIPS 180-4 truncated SHA functions SHA-512/224 and SHA-512/256 to the Hash_DRBG, HMAC_DRBG, and Dual_EC_DRBG tests.
  3. Changed order that DRBG mechanism functions are called in tests when Prediction Resistance = False Old order:
    1. Instantiate DRBG
    2. Generate Random Bits (do not print)
    3. Reseed
    4. Generate Random Bits (print)
    5. Uninstantiate New Order:
      1. Instantiate DRBG 2. Reseed
      2. Generate Random Bits (do not print)
  4. Generate Random Bits (print)
  5. Uninstantiate The order is unchanged for Prediction Resistance = True.

The transition period ends May 21, 2013.

As has been the policy in the past:

  1. EFFECTIVE IMMEDIATELY on any new validation requests for implementations of TDES, AES, FIPS 186-2DSA, SHA, RNG, FIPS 186-2 RSA, HMAC, CCM, FIPS 186-2ECDSA, CMAC, DRBG 800-90A, Key Agreement Scheme (KAS) FFC, KAS ECC, GCM 800-38D, FIPS186-3 DSA, FIPS186-3ECDSA, FIPS186-3RSA, XTS, the ECC DLC Primitive Component, SP800-108 KDF, the KDFs in SP800-135, SHA 512/224, SHA 512/256, HMAC with SHA 512/224, HMAC with SHA 512/256, RSA Signature Generation Component testing for PKCS1.5 and/or PKCS PSS, and/or the ECDSA2 Signature Generation Component, the CST lab must use the CAVS 14.3 to validate the IUT.
  2. For any algorithm validation request where a lab has used a version of CAVS prior to CAVS 14.3 to create files and has already sent the sample and request files to the vendor, NIST will accept validations using this tool up through May 21, 2013.
  3. If there are any validation requests where a lab has used a version of CAVS prior to CAVS 14.3 to create files and has not yet sent the appropriate files to the vendor, please regenerate everything using CAVS 14.3.

The CAVP will also review special conditions on a case-by-case basis.

 

Created October 05, 2016, Updated September 13, 2019