atsec is proud to present support for the NIST ACVP testing framework which replaces the legacy NIST CAVS testing. Cryptographic algorithm validation program (CAVP) testing is required for cryptographic modules undergoing conformance testing and validation according to the FIPS 140-2 specification. It is also required for Common Criteria evaluations performed in accordance with the NIAP Common Criteria Evaluation and Validation Scheme.
The Automated Cryptographic Validation Protocol
(ACVP) is a network protocol for which NIST provides a server using the protocol which produces test vectors, validates responses and, in the case of successful validation, issues certificates that can be used in support of the Cryptographic Module Validation Program’s (CMVP) FIPS 140-2 conformance validations, and Common Criteria evaluations performed under the Common Criteria Evaluation and Validation Scheme (CCEVS) operated by the National Information Assurance Partnership (NIAP).
atsec has developed two tools that provide flexible client-support to access the NIST ACVP server:
- The ACVP Proxy connects to the NIST ACVP server to request test vectors, store them locally, return locally stored test responses to the ACVP server and obtains the final verdict. The ACVP Proxy is a highly threaded system capable of parallel downloads of thousands of test vectors. At the moment, the threading is artificially limited to 32 threads to control the impact on the ACVP development and testing server.
- The ACVP Parser picks up the test vectors retrieved from the ACVP Proxy, invokes the cryptographic module under test to generate the test responses for the ACVP Proxy. The ACVP Parser includes all specific test vector handling including the Monte-Carlo Testing which commonly causes concerns with developers.
Both components handle test vectors and test responses as files which are stored in a database allowing the maintenance of tens of thousands of test vectors. Further, the clear separation between the two components allow the complete isolation of the test infrastructure with the cryptographic module from the Internet.
atsec publishes both components as Open Source available at GitHub under a BSD license. The provided code is a clean C99 implementation which allows the compilation on all environments providing a POSIX API. This includes Linux, BSDs, macOS, iOS, Android, Solaris, AIX, Windows with the POSIX interface and other operating systems. This is demonstrated by atsec with an iOS app of the ACVP Parser that executes the iOS CoreCrypto library considering the atsec development environment is Linux.
The ACVP Proxy and ACVP Parser are highly flexible by providing a plug-in framework to support different cryptographic modules. To add a new cryptographic module support to the ACVP Parser, the interface invoking the cryptographic module API must be implemented. The remaining parsing and unparsing code can be left unchanged. Similarly, the ACVP Proxy only requires additional cipher definitions specifying the supported cryptographic algorithms of the tested module. To obtain the same test vectors for one cryptographic module executing on different platforms, an ACVP Proxy configuration file only needs updating.
The Open Source release of the ACVP Proxy and ACVP Parser currently offers support for OpenSSL and the hash and HMAC support used by the ACVP Proxy. With these plugins, atsec developed full support for the following cryptographic modules that can be fully tested with the ACVP server and are available to atsec customers:
- OpenSSL
- Linux Kernel Crypto API
- GnuTLS
- libgcrypt
- libkcapi
- Nettle
- NSS
- Generic PKCS11 tokens
- OpenSSH
- Libreswan
- Strongswan
- WPA Supplicant part of the hostapd software
- ACVP Proxy hash and HMAC implementation
- Apple macOS, iOS, tvOS, and watchOS Core Crypto library
- Apple macOS, iOS, tvOS, and watchOS Common Crypto library
- libsodium
- libnacl
Support for additional cryptographic modules can be developed by atsec with reasonable effort.
During the development of the ACVP Proxy and ACVP Parser, atsec supported the NIST ACVP development team to a large extent. The ACVP server data is tested with all of the cryptographic implementations mentioned above. During the development process, atsec provided numerous improvement suggestions and bug reports to NIST. atsec is committed to the future development and maintenance of the ACVP Proxy and ACVP Parser.