On 1/19/09 6:30 PM, ksreedha...@gmail.com wrote:
On Jan 15, 10:53 am, Glen Beasley<glen.beas...@sun.com> wrote:
ksreedha...@gmail.com wrote:
On Jan 14, 10:21 am, Glen Beasley<glen.beas...@sun.com> wrote:
Sreedhar Kamishetti wrote:
Hello,
I just started looking at JSS.
Can some one point me to the API provided by JSS for running Power Up
and Conditional Self Tests for various cryptographic modules/algorithms?
JSS is a JAVA interface to NSS; basically a JNI wrapper for NSS. JSS in
FIPS mode or Non-FIPS mode does not do any crypto
at the java layer and instead, via JNI calls, requests NSS to perform
the cryptographic operations.
Thus the PowerUp and Conditional Self Test are in NSS.http://mxr.mozilla.org/security/source/security/nss/lib/softoken/fips...
The PowerUp tests will be performed when NSS is initialized in FIPS mode.
Java application using JSS are said to be FIPS compliant by either
loading NSS in FIPS mode
or using the JSS provided methods to put NSS in FIPS mode. As with C
applications that want to
be FIPS compliant, Java applications using JSS loading (NSS in FIPS
mode) must adhere to
the "Security Rules" specified in the NSS security policy:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf
Some Related links:https://wiki.mozilla.org/FIPS_Validation
Sample test
program:http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/t...
-glen
Thanks Glen for the reply. I understood that NSS takes care of Self
Tests. But FIPS require on demand tests also right. So, I wondering is
there an easy way to trigger these tests.
Shutting down and restarting the application satisfies the requirement
to execute power-up self-tests on demand
by the user as defined in Section 4.9.1 of FIPS 140-2 . Each time you
launch your java app and initialize JSS, it can
load NSS in FIPS mode and run the power up self tests.
"In addition to performing the power-up tests when powered up, a
cryptographic module shall permit
operators to initiate the tests on demand for periodic testing of the
module. Resetting, rebooting, and power
cycling are acceptable means for the on-demand initiation of power-up
tests. "
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
-glen
Thanks,
Sreedhar
_______________________________________________
dev-tech-crypto mailing list
dev-tech-cry...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto- Hide quoted text -
- Show quoted text -- Hide quoted text -
- Show quoted text -
Thanks Glen. How about the RNG continuous tests?
In the FIPS Approved mode of operation, the NSS softoken cryptographic
module shall perform a
continuous random number generator test upon each invocation of the
pseudorandom number generator as defined in Section 4.9.2 of FIPS 140-2.
When the NSS softoken module is in FIPS mode and the Java application
calls various JSS methods such as:
PK11SecureRandom rng = new PK11SecureRandom();
or Secure-Random random = SecureRandom.getInstance("pkcs11prng",
""Mozilla-JSS");
or if you created asymetric keys such as RSA or DSA
KeyPairGenerator.getInstance("RSA", "Mozilla-JSS");
etc
The NSS softoken module in FIPS would run RNG continuous test appropriately.
Also, how can we get
the states of Finite state model of the cryptographic modules of NSS
from JSS as required by FIPS.
FIPS 140-2 requires that module itself be specified using a finite state
(or equivalent) represented by a state transition diagram
and/or a state transition table.
NSS is a collection of software libraries; the actual NSS cryptographic
FIPS boundary is the API based PKCS #11 version 2.20
that is exposed by the NSS libraries softoken/freebl as specified in the
Security Policy:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp814.pdf
Please read the security policy for a certain level of user
understanding is required for FIPS compliance.
For application that want to maintain FIPS compliance they need to
adhere to the Security Rules specified in the the Security Policy.
The state transition table is defined in the Specification of Services
section of the Security Policy.
state transition diagram: https://wiki.mozilla.org/FIPSFSM#States
JSS should be view as an API layer that can be used to interface with
NSS softoken module in FIPS mode. JSS/high level NSS api will make the
appropriate call when the module is in FIPS MODE and has logic to
respond to the various states of the module appropriately.
If the module is not in the correct state the higher level api may then
re-interpret the PKCS#11 error such as "CKR_USER_NOT_LOGGED_IN" returned
by NSS softoken Module in FIPS mode and then the JSS layer would prompt
for the NSS FIPS User password. If the module is in FIPS mode with the
user logged in successfully and then the application asks for the key
data JSS would report NotExtractableException.
So JSS layer adheres to the Finite states of the NSS softoken
cryptographic module.
State Mnemonic - Power Up Self Test completed in FIPS MODE
To ensure the Power Up Self tests were run successfully when JSS
initialized NSS the java/jss application needing FIPS compliance should
check that NSS softoken module is in FIPS mode by calling the
method CryptoManager.FIPSEnabled() and checking for "true".
State Mnemonic - FIPS MODE Public Services - That require no user log in
Operations such as random number generation and hashing will be allowed
which does not affect the security of the module because it does not
require access to the secret and private keys and other CSPs associated
with the user.
State Mnemonic - FIPS MODE NSS User Services - "Operator has
successfully logged in to assume the NSS User role"
All services can be invoked.
State Mnemonic - FIPS MODE Module error
The FIPS Approved mode of the NSS cryptographic module either has failed
a conditional test while performing a service or has failed a power-up
or operator-initiated self-test. No further cryptographic operations
will be performed. JSS will report error.
Thanks,
Sreedhar
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
