UPDATE: The CMVP will publish an updated IG G.18 in November 2019 extending the Effective Date to “Two Months After ACVP Transition Date.”
Instead of the current transition happening on January 1, 2020, the new transition will likely occur in Q2 or Q3 of 2020. (September 1, 2020 is our current prediction.)
If your FIPS 140-2 module includes any FIPS 186-2 algorithms (other than signature verification), then you must take action to avoid the CMVP’s historical list (aka “Do Not Buy List” for Federal Agencies).
As a reminder, the following statement is published on the CMVP website:
If a validation certificate is marked as historical, Federal Agencies should not include these in new procurement.
Implementation Guidance for FIPS 140-2, G.18 Limiting the Use of FIPS 186-2, details the CMVP’s position.
Q1: What’s the TL;DR version of IG G.18?
A: FIPS 186-4 was published years ago. CMVP declared FIPS 186-2 dead. Action is required to keep FIPS 140-2 modules with FIPS 186-2 algorithms (other than signature verification) on the active list after the IG G.18 transition date. FIPS 186-2 RSA KeyGen and SigGen are the most likely algorithms to force modules on the historical list.
(EDIT: IG G.18 is just two pages so it is worth reading.)
Q2: How do I avoid the historical list for my FIPS module?
A: For Level 1 or 2 modules, your FIPS 140-2 Security Policy needs updates to list FIPS 186-2 RSA key generation and signature generation as non-approved algorithms. We believe that the CAVP will automatically remove all FIPS 186-2 algorithms (except signature verification) from your CAVP certificates.
If your module is Level 3 or 4, then the process gets more involved. Contact KeyPair Consulting, your FIPS consultant, or your FIPS lab for help.
Q3: I am using one of the OpenSSL FIPS Object Modules (FIPS 140-2 Certs. 1747, 2398, 2473); what do I do?
A: Do not panic. There are options for you. You may switch to a compatible FIPS module (see Q4). You may decide to switch to another cryptographic module that includes FIPS 186-4 RSA KeyGen/SigGen. Or, you can try to ride it out using a module on the historical list (not recommended). Or, you can contact KeyPair Consulting to determine all your options (recommended).
Q4: Are there any open source FIPS 140-2 modules that I can use that are compatible with OpenSSL 1.0.2 and include FIPS 186-4 RSA KeyGen/SigGen?
A: Yes. BoringCrypto (FIPS Certs. #3318 and #2964) from Google. The KeyPair FIPS Object Module for OpenSSL (FIPS Cert. #3503) is a rebrand of Oracle’s FIPS Cert. #3335.
Q5: My product does not generate RSA keys or signatures, but the FIPS module I use supports FIPS 186-2 KeyGen/SigGen. Do I need to switch to a new FIPS module?
A: Maybe not. If the owner of the FIPS module plans to make the administrative updates to keep the module on the active list, then you will be fine. Ask your FIPS module vendor how they are meeting the requirements of IG G.18 (but don’t wait too long to ask the question).
KeyPair will keep our FIPS Cert. #3220 on the active modules list — our module is ideal for vendors that use the OpenSSL FIPS Object Module but do not make use of RSA KeyGen or SigGen. We tested the following additional configurations with our module: Android 8.1, CentOS 6, CentOS 7, and Ubuntu 16.04 LTS.
Q6: What do I tell my customers that are using a FIPS module that is about to be placed on the historical list?
A: Your installed base of customers will continue to use a validated FIPS 140-2 module after the IG G.18 transition date, so they will not need to make a change until the module is revoked (this will happen after the module’s sunset date has passed). New customers should not procure products with FIPS modules on the historical list.
Keep your Sales Teams and customers happy by acting soon to offer products with active FIPS 140-2 modules in 2020.
KeyPair Consulting provides expert guidance to meet your FIPS 140 goals