NIST plans to offer a separate validation program apart from FIPS 140 to cover entropy sources: the ESV (Entropy Source Validation) program (hereafter ESVP). As part of the new validation effort, NIST recently launched an automated system to upload the required information in a structured manner: the Entropy Source Validation (ESV) server.
The protocol to interact with this server is provided at a public Github repository:
https://github.com/usnistgov/ESV-Server.
The ESV server has a similar concept as the already used server for Automated Cryptographic Verification Testing System (ACVTS). A “demo” server is available allowing users to verify that their ESV client works, verify that data from the entropy source matches NIST’s expectations and in general become familiar with the ESV testing system. The demo server, however, cannot be used to upload data that will be considered as part of an ESV program. To result in an ESV certificate, the “production” ESV server must be used. It is technically identical to the “demo” server. It only differs in the aspect that the uploaded entropy data is the official test data and the test result contributes to a verdict of an ESV submission.
The ESV demo server has been available for some time but received several updates lately to bring it into a state that is required for performing validation tasks. NIST now considers the ESV demo server to be ready such that its companion of the ESV production server can be enabled as well. Starting from March 28, NIST accepts applications for access credentials to the ESV production server.
atsec successfully implemented an ESV client that was used to perform a full cycle on the ESV demo server. This qualifies atsec to gain the credentials to access the ESV production server. Furthermore, atsec dedicated two subject matter experts for the ESV related test which implies that atsec is well positioned to offer the ESV services to customers.
To demonstrate atsec’s knowledge and expertise in the area of ESVP, we plan to take a project through the ESV program once NIST starts accepting the submissions.
Once again, atsec is at the forefront of new developments to provide necessary and requested services to our customers. The ESVP enables the entropy sources to be tested and validated independent of the cryptographic module validation program for FIPS 140 certificates. Just like the CAVP certificate, an ESVP certificate may be required and shall be referenced in a CMVP FIPS certificate as the respective entropy source is used by the cryptographic module. This is welcome news to vendors who are eager to pursue CAVP certificates. Obtaining ESVP certificates in parallel with the CMVP certificates will shorten the overall validation time and allow the re-use of the ESVP certificates in multiple CMVP validations when the same entropy source is shared.