FIPS: Legacy Mix-Up

An Update on IG G.18 and the Transition from 186-2

19 December 2019

Recently, the Cryptographic Module Validation Program (CMVP) sent out a set of revisions to its Implementation Guidance (IGs) for review. Implementation Guidance G.18, "Limiting the Use of FIPS 186-2," is to extend the use date of FIPS 186-2 to mirror the Automated Cryptographic Validation Protocol (ACVP) effective date, July 1, 2020. At that time, using the Automated Cryptographic Validation Testing System (ACVTS) will be the only means of obtaining algorithm certificates.

The Cryptographic Algorithm Validation Program (CAVP) has disallowed FIPS 186-2 capabilities for RSA for the non-approved for use key sizes 1024 and 1536 for both key and signature generation. On September 1, 2020, the CMVP will place on the historical list modules that were CAVP tested for FIPS 186-2 RSA signature generation (SigGen) and key generation (KeyGen). If SigGen is tested with only a 4096-bit modulus, then the implementation will not be moved to the historical list.  The testing is regarded as an additional assurance. For modules implementing only 186-2 functionality, it means the RSA, DSA and ECDSA algorithms will be moved to the historical list so that functionality can no longer be claimed by the module after the deadline.

If a module is at risk of moving to the historical list due to this transition, the IG allows for ways to return it to the active list. Methods range from documentation changes and administrative updates sent to the CMVP, to new testing performed under the ACVP, to actual module changes and retesting.

This implementation guidance allows algorithm testing of signature verification implementations for their compliance with FIPS 186-2 for legacy purposes.  We recommend that all modules implementing RSA, DSA or ECDSA using FIPS 186-2 transition the algorithms to be compliant with FIPS 186-4.

Learn more about FIPS 140 and our cybersecurity expertise.

 

Richard Adams,
Cryptographic and Security Testing Lab Manager

 

Richard Adams began work for Intertek EWA-Canada in 2009 as a Security Content Automation Protocol (SCAP) Tester and quickly moved into the role of Lead Tester.  He trained and assisted in various other areas within the company, such as Cryptographic Module Validation (FIPS 140-2) testing; Common Criteria (CC) testing; Personal Identification Verification (PIV) testing; Visa Ready Program for Mobile Point of Sale (Visa mPOS) testing; and Certificate Authority (CA) Activities during this time.  He was later promoted to the role of CST Lab Manager. 

 

Dawn Adams,
Senior IT Security Specialist

 

Dawn Adams has been with Intertek EWA-Canada for more than 13 years.  She has been involved with the FIPS program for 21 years; she was a Lab Manager for 9 years.  She has worked in and was a Manager in the Common Criteria, PCI, PIV and SCAP workspaces as well. She is currently an IT Security Specialist working mainly in Common Criteria and auditing.