Re: JSS API for FIPS Self Tests

Thu, 15 Jan 2009 11:05:11 -0800 

ksreedha...@gmail.com wrote:

On Jan 14, 10:21 am, Glen Beasley <glen.beas...@sun.com> wrote:

Sreedhar Kamishetti wrote:


Hello,
I just started looking at JSS. Can some one point me to the API provided by JSS for running Power Up 
and Conditional Self Tests for various cryptographic modules/algorithms?

JSS is a JAVA interface to NSS; basically a JNI wrapper for NSS. JSS in
FIPS mode or Non-FIPS mode does not do any crypto
at the java layer and instead, via JNI calls, requests NSS to perform
the cryptographic operations.

Thus the PowerUp and Conditional Self Test are in 
NSS.http://mxr.mozilla.org/security/source/security/nss/lib/softoken/fips...

The PowerUp tests will be performed when NSS is initialized in FIPS mode.

Java application using JSS are said to be FIPS compliant by either
loading NSS in FIPS mode
or using the JSS provided methods to put NSS in FIPS mode. As with C
applications that want to
be FIPS compliant, Java applications using JSS loading (NSS in FIPS
mode) must adhere to
the "Security Rules" specified in the NSS security policy:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf

Some Related links:https://wiki.mozilla.org/FIPS_Validation
Sample test 
program:http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/t...

-glen




Thanks Glen for the reply. I understood that NSS takes care of Self
Tests. But FIPS require on demand tests also right. So, I wondering is
there an easy way to trigger these tests.
Shutting down and restarting the application satisfies the requirement to execute power-up self-tests on demand by the user as defined in Section 4.9.1 of FIPS 140-2 . Each time you launch your java app and initialize JSS, it can 
load NSS in FIPS mode and run the power up self tests.
"In addition to performing the power-up tests when powered up, a cryptographic module shall permit operators to initiate the tests on demand for periodic testing of the module. Resetting, rebooting, and power cycling are acceptable means for the on-demand initiation of power-up tests. " 

http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

-glen


Thanks,
Sreedhar
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto



_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to