Search CSRC

AES Implementations have been validated as conforming to the Advanced Encryption Standard (AES) Algorithm, as specified in Federal Information Processing Standard Publication 197, Advanced Encryption Standard, using the tests found in the Advanced Encryption Standard Algorithm Validation Suite (AESAVS). CCM Implementations have been validated as conforming to the Counter with Cipher Block Chaining-Message Authentication Code (CCM), as specified in Special Publication 800-38C, using tests described in the CCM Validation System (CCMVS). Component...

Algorithm Specifications Algorithm specifications for current FIPS-approved and NIST-recommended block cipher algorithms are available from the Cryptographic Toolkit. Current testing includes the following algorithms: AES TDES Skipjack Algorithm Validation Testing Requirements Block Ciphers   Advanced Encryption Standard Algorithm (AES) The Advanced Encryption Standard Algorithm Validation System(AESAVS) specifies validation testing requirements for the ECB(Electronic Codebook), CBC (Cipher Block Chaining), OFB (Output Feedback), CFB (Cipher Feedback) and CTR (Counter) modes for...

Algorithm Specifications Algorithm specifications for current FIPS-approved and NIST-recommended block cipher modes are available from the Cryptographic Toolkit. Current testing includes the following block cipher modes: CMAC (SP 800-38B) XTS-AES (SP 800-38E) CCM (SP 800-38C) KW / KWP / TKW (SP 800-38F)(Key Wrap using AES and Triple-DES) GCM / GMAC / XPN (SP 800-38D and CMVP Annex A)     For testing...

Algorithm Specifications Algorithm specifications for current FIPS-approved and NIST-recommended digital signature algorithms are available from the Cryptographic Toolkit. Current testing includes the following algorithms: DSA | ECDSA | RSA (in FIPS 186-4) DSA | ECDSA | RSA (in FIPS 186-2) Algorithm Validation Testing Requirements FIPS 186-4 Digital Signature Algorithm (DSA) Digital Signature Algorithm Validation System (DSA2VS) specifies validation testing requirements for the DSA algorithm in FIPS 186-4. Testing Notes Prerequisites for DSA...

Algorithm Specifications Algorithm specifications for Key-Based KDFs (SP800-108) are available from the Cryptographic Toolkit. Algorithm Validation Testing Requirements The algorithm validation testing requirements for SP 800-108 are specified in: The SP800-108 Key Derivation Function Validation System (KBKDFVS). Testing Notes Prerequisites for KBKDF testing are listed in the CAVP Frequently Asked Questions (CAVP FAQ) General Question GEN.5. As of 1-1-2016, TDES KO2 encrypt is no longer compliant. (See SP800-131A Revision 1.) Test Vectors Use of these test vectors does not...

Algorithm Specifications Algorithm specifications for Key Agreement Schemes and Key Confirmation (SP800-56A) are available from the Cryptographic Toolkit. Algorithm Validation Testing Requirements The algorithm validation testing requirements for SP 800-56A are specified in: The KAS Validation System (KASVS) Testing Notes Prerequisites for KAS testing are listed in the CAVP Frequently Asked Questions (CAVP FAQ) General Question GEN.5. Test Vectors Use of these test vectors does not replace validation obtained through the CAVP. The test vectors linked below can be used...

Algorithm Specifications Algorithm information is available from the Cryptographic Toolkit page. Algorithm Validation Testing Requirements The algorithm validation testing requirements for FIPS 198-1 are specified in: The Keyed-Hash Message Authentication Code (HMAC) Validation System (HMACVS). Testing Notes Prerequisites for HMAC testing are listed in the CAVP Frequently Asked Questions (CAVP FAQ) General Question GEN.5. Test Vectors Use of these test vectors does not replace validation obtained through the CAVP. The test vectors linked below can be used to informally verify the...

Algorithm Specifications Algorithm specifications for current FIPS-approved and NIST-recommended random number generators are available from the Cryptographic Toolkit. Current testing includes the following algorithm: DRBG (SP 800-90A) Algorithm Validation Testing Requirements Deterministic Random Bit Generators (DRBG) The DRBG Validation System (DRBGVS) specifies validation testing requirements for the DRBG algorithm in SP800-90A . Testing Notes Prerequisites for DRBG testing are listed in the CAVP Frequently Asked Questions (CAVP FAQ) General Question GEN.5. Test Vectors...

Algorithm Specifications Algorithm specifications for current FIPS-approved and NIST-recommended secure hashing algorithms are available from the Cryptographic Toolkit. Current testing includes the following algorithms: SHA-1 and SHA-2 Hash functions: SHA-1 SHA-224 SHA-256 SHA-384 SHA-512 SHA-512/224 SHA-512/256 (in FIPS 180-4) SHA-3 Hash functions: SHA3-224 SHA3-256 SHA3-384 SHA3-512 and XOFs: SHAKE128 SHAKE256 (in FIPS 202) Algorithm Validation Testing Requirements   FIPS 202, "SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions" Secure Hash Algorithm-3...

Algorithm Specifications Beginning in 2011, validation testing of individual algorithm components was made available. Many situations exist where the specifications of an algorithm standard are implemented in multiple cryptographic boundaries. For example, PIV Smartcard applications may implement one part of an algorithm on the smartcard and another part of the algorithm on the smartcard reader. Possible reasons for implementing an algorithm this way is processing limitations or size constraints. In this situation, the algorithm validation testing of the complete algorithm can't be utilized...

Retired Algorithms And Algorithm Components Current retired testing includes the following algorithms and references: DES Data (Message) Authentication Code (MAC) and Key Management Using ANSI X9.17 Message Authentication Code (MAC), FIPS 113 Key Management Using ANSI X9.17, FIPS 171 Algorithms and/or Algorithm Components as detailed in SP800-131A Revision 1 Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths RNG (FIPS 186-2 with Change Notice 1 dated October 5, 2001 (Appendix 3.1 and 3.2), ANSI X9.31 (Appendix A.2.4) and ANSI...

In order to perform FIPS 140 conformance testing, a laboratory must become an accredited CST laboratory under the National Voluntary Laboratory Accreditation Program (NVLAP). A list of current labs may be found by visiting National Voluntary Laboratory Accreditation Program (NVLAP) / Directory Search and under the "Program" drop-down select “ITST: Cryptographic and Security Testing”. Module testing results produced by an accredited CST laboratory can then be submitted to the CMVP in order to seek FIPS 140 module validation. CST labs and NIST each charge fees for their respective parts of the...

All questions regarding the implementation and/or use of any validated cryptographic module should first be directed to the appropriate VENDOR point of contact (listed for each entry).   SEARCH our database of validated modules. The validated modules search provides access to the official validation information of all cryptographic modules that have been tested and validated under the Cryptographic Module Validation Program as meeting requirements for FIPS 140-1, FIPS 140-2, and FIPS 140-3. The search results list all issued validation certificates that meet the supplied search criteria and...

DISCLAIMER: The Cryptographic Module Validation Program (CMVP) Modules In Process and Implementation Under Test (IUT) Lists are provided for information purposes only. Participation on the list is voluntary and is a joint decision by the vendor and Cryptographic Security and Testing (CST) laboratory. Modules are listed alphabetically by vendor name. Posting on the list does not imply guarantee of final validation. The MIP and IUT lists have been updated. Each entry now indicates whether it being tested to meet FIPS 140-2 or FIPS 140-3 requirements.   The status of each cryptographic module...

2022 [03-14-2022] Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program has been updated. Updated Guidance: G.13 Instructions for Validation Information Formatting – Added the following entry: “CVL (vendor affirmed)”, per IG G.20. G.20 Tracking the Component Validation List – Added vendor affirmation of a SRTP KDF implementation. [02-14-2022] Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program has been updated. Updated Guidance: 1.23 Definition and Use of a non-Approved Security Function - Added...

CMVP FIPS 140-2 Management Manual (updated 09-09-2021) The purpose of the CMVP Management Manual is to provide effective guidance for the management of the CMVP, and the conduct of activities necessary to ensure that the standards are fully met. The CMVP Management Manual describes the CMVP process and is applicable to the CMVP Validation Authorities, the CST Laboratories, and the vendors who participate in the program. Consumers who procure validated cryptographic modules may also be interested in the contents of this manual. This manual outlines the management activities and specific...

Below are the resources provided by the CMVP for use by testing laboratories and vendors. [10-22-2019]  IG G.19.2 Hardware Equivalency Table This table is used as an additional resource to IG G.19 Operational Equivalency Testing for HW Modules.    

FIPS 140-3 Logo Usage and Application What are the official FIPS 140-3 validated product logos?  or  For validated products, the logo must be accompanied by the "FIPS 140-3 Validated" and the certificate number. If a product has a FIPS 140-3 module internal to the product, "FIPS 140-3 Inside" and the certificate number must also accompany the logo. The FIPS 140-3 logo is a Certification Mark of NIST, which does not imply product endorsement by NIST, the U.S. or Canadian Governments. What are the guidelines for the use of the FIPS 140-3 logo?  Both phrases "FIPS 140-3 Validated" and...

2018 Notices [11-30-2018]  CMVP Validation Policy The CMVP has a long history of performing validations that show conformance to the FIPS 140-2 standard on any cryptographic module from anywhere in the world regardless of country of origin and/or company.  The US Government passed the National Defense Authorization Act (NDAA) for Fiscal Year 2019 on 13 Aug 2018, which contains language that restricts federal agencies from engaging in business with certain named companies.  US government agencies will be held accountable to ensure that they are not doing business with the companies...

The Importance of Usable Cybersecurity While tradeoffs between cybersecurity and usability do occur, we challenge the notion that security and usability cannot coexist and assert that they indeed must coexist. Computers can be theoretically secure but so unusable that they do not improve security because users will circumvent the security measures. The opposite is true as well; systems that are easy to use and not secure are eventually unusable when they fall prey to cyber attacks via techniques such as phishing, viruses, and botnets. What We Do We conduct research at the intersection of...

JANUARY 2022 Hacker Valley Studios Podcast: Cybersecurity Advocates   OCTOBER 2021 Cybersecurity Awareness Month: Fight the Phish   AUGUST 2021   NIST Study on Kids’ Passwords Shows Gap Between Knowledge of Password Best Practices and Behavior     Staff Spotlight: NIST’s Human Factors Scientist   MAY 2021 Blog - Security Awareness Training for the Workforce   OCTOBER 2020 Podcast - The Phish Scale. A new method for training employees   Cybersecurity Awareness Month: Securing Devices at Home and Work   SEPTEMBER 2020 The Phish Scale: NIST-Developed...

The usability principles of efficiency, effectiveness, and user satisfaction must be incorporated into cybersecurity practices and technologies to ensure that it is easy for users to do the right thing, hard to do the wrong thing, and easy to recover when the wrong thing happens anyway. To achieve this objective, we work on research projects that: lead to the development of usable security metrics facilitate the integration of usability principles into security processes and product design identify approaches for aligning user goals with overarching national and organizational security...

Topics: Authentication Cryptography Cybersecurity Adoption and Awareness Internet of Things Methodologies Phishing Privacy Usable Security (general) User Perceptions & Behaviors Youth Security Legend: Papers    Presentations    Videos     Research Posters  Authentication  Authentication Diary Study Report: Authentication Diary Study  – Michelle P. Steves & Mary F. Theofanos. NISTIR 7983 (2014) Digital Identity Guidelines Digital Identity Guidelines: Enrollment and Identity Proofing Requirements  – Paul Grassi, James Fenton, Naomi Lefkovitz, Jamie Danker, Yee-Yin Choong,...