[Federal Register Volume 77, Number 169 (Thursday, August 30, 2012)]
[Notices]
[Pages 52692-52693]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2012-21461]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 070321067-2100-03]
NIST Federal Information Processing Standard (FIPS) 140-3 (Second
Draft), Security Requirements for Cryptographic Modules; Request for
Additional Comments
AGENCY: National Institute of Standards and Technology (NIST),
Commerce.
ACTION: Notice and Request for Comments.
-----------------------------------------------------------------------
SUMMARY: The National Institute of Standards and Technology (NIST)
seeks additional comments on specific sections of Federal Information
Processing Standard 140-3 (Second Draft), Security Requirements for
Cryptographic Modules, to clarify and resolve inconsistencies in the
public comments received in response to the Federal Register (74 FR
91333) notice of December 11, 2009. The draft standard is proposed to
supersede FIPS 140-2.
DATES: Comments must be received on or before October 1, 2012.
ADDRESSES: Written comments may be sent to: Chief, Computer Security
Division, Information Technology Laboratory, Attention: Dr. Michaela
Iorga, 100 Bureau Drive, Mail Stop 8930, National Institute of
Standards and Technology, Gaithersburg, MD 20899-8930. Electronic
comments may also be sent to: [email protected], with a Subject:
``Additional Comments-FIPS 140-3 (Second Draft).''
The current FIPS 140-2 standard can be found at: http://csrc.nist.gov/publications/PubsFIPS.html.
FOR FURTHER INFORMATION CONTACT: Dr. Michaela Iorga, Computer Security
Division, 100 Bureau Drive, Mail Stop 8930, National Institute of
Standards and Technology, Gaithersburg, MD 20899-8930, Telephone (301)
975-8431.
SUPPLEMENTARY INFORMATION: FIPS 140-1, Security Requirements for
Cryptographic Modules, was issued in 1994 and was superseded by FIPS
140-2 in 2001. FIPS 140-2 identifies requirements for four security
levels for cryptographic modules to provide for a wide spectrum of data
sensitivity (e.g., low value administrative data, million dollar funds
transfers, and life protecting data), and a diversity of application
environments.
In 2005, NIST announced that it planned to develop FIPS 140-3 and
solicited public comments on new and revised requirements for
cryptographic systems. On January 12, 2005, a notice was published in
the Federal Register (70 FR 2122), soliciting public comments on a
proposed revision of FIPS 140-2. The comments received by NIST
supported reaffirmation of the standard, but suggested technical
modifications to address advances in technology that had occurred after
the standard had been approved. Using these comments, NIST prepared a
Draft FIPS 140-3 (hereafter referred to as the ``2007 Draft''), which
was announced in the Federal Register (72 FR 38566) for review and
comment on July 13, 2007.
Using the comments received in response to the July 13, 2007,
notice and the feedback on requirements for software cryptographic
modules obtained during the March 18, 2008, ``FIPS 140-3 Software
Security Workshop,'' NIST developed the ``Revised Draft FIPS 140-3''
(hereafter referred to as ``2009 Draft''), that was announced in the
Federal Register (74 FR 65753) on December 11, 2009. The 2009 Draft and
its Annexes can be found at: http://csrc.nist.gov/publications/PubsDrafts.html.
The comments received in response to the December 11, 2009, request
for comments suggested either modifying requirements or applying the
requirements at a different security level. Some comments asked for
clarification of the text of the standard, and some recommended
editorial and formatting changes. None of the comments received opposed
the approval of a revised standard.
During the process of addressing the public comments received in
response to the Request for Comments published in the Federal Register
on December 11, 2009 (74 FR 65753), NIST determined that additional
feedback is required to resolve gaps and inconsistencies between the
comments for particular sections of the ``Second Draft FIPS 140-3.'' As
a result, NIST is requesting additional public comments on several
sections, as indicated below in the Request for Comments section of
this notice, to support comment resolution. Comments on any sections of
the ``Second Draft FIPS 140-3'' not identified in the Request for
Comments section will not be considered.
Request for Comments: Even though NIST has resolved a majority of
the issues raised by the public comments on the ``2009 Draft,'' NIST is
requesting additional comments only on the following sections and
subsections to resolve gaps and inconsistencies between the comments.
4.2.2 Trusted Channel--the comments suggested that NIST should not
mandate the implementation of a trusted channel at Security Level 3 and
4 for all modules. NIST is proposing deletion of the requirement, but
to allow for adequate, comparable security, is proposing the addition
of an optional ``Remote Control Capability.'' The proposed Remote
Control Capability section would specify requirements addressing the
module's ability to process logons, send service requests to, and
receive service responses from a remote module without compromising
security. If the Remote Control Capability is supported, this section
would mandate the use of a Trusted Channel at Security Level 3 and 4.
NIST would appreciate comments on the proposed approach.
4.3.1 Trusted Role--the comments raised a variety of different
concerns, reflecting different interpretations of the purpose of the
Trusted Role. To address these concerns NIST is proposing the deletion
of the Trusted Role and replacement with a Self-initiated Cryptographic
Capability, configured and activated by the Crypto Officer, that would
be preserved over rebooting or power cycling of the module. The
capability would provide the module with the ability to perform
cryptographic operations including Approved and Allowed security
functions without external operator request. NIST would appreciate
comments on the proposed approach.
4.7 Physical Security--Non-Invasive Attacks--the comments received
suggest substantial changes that would either weaken or strengthen the
impact of these requirements. Comments received included stronger
security requirements for Security Level 3 and 4, making the section
mandatory for all cryptographic modules, including the Security Level
for this section as part of the overall Security Level, while other
comments suggested not addressing non-invasive attacks within the
standard. NIST would appreciate general and specific comments on the
requirements to address non-invasive attacks.
4.8.4 Sensitive Security Parameter (SSP) Entry and Output--the
comments received raised a variety of different concerns, reflecting
different interpretations of the requirements on SSPs that are entered
into or output from a module. SSP entry and output requirements depend
on whether the SSP is entered or output manually or electronically, and
whether the SSP is distributed manually or electronically. New
technologies have called into question this taxonomy of SSP entry and
output methods. NIST would appreciate comments on the most appropriate
way to categorize these methods, and the appropriate requirements for
each method.
Annex B, Section: Operator Authentication Mechanisms--the comments
received indicated that the specification for the strength of the
operator's authentication method was incomplete, particularly with
respect to biometrics. For biometric authentication, NIST proposes the
use of a Liveness Detection method associated with the Session False
Match Rate for one attempt and the Generalized False Accept Rate for
multiple attempts in one minute. NIST would appreciate comments on the
proposed approach.
Comments on sections not specifically listed in this notice will
not be considered.
Prior to the submission of the FIPS 140-3 to the Secretary of
Commerce for review and approval, it is essential that consideration is
given to the needs and views of the public, users, the information
technology industry, and Federal, State and local government
organizations. The purpose of this notice is to solicit such views on
specific sections of the ``2009 Draft.''
Authority: Federal Information Processing Standards (FIPS) are
issued by the National Institute of Standards and Technology after
approval by the Secretary of Commerce pursuant to Section 5131 of the
Information Technology Management Reform Act of 1996 and the Federal
Information Security Management Act of 2002 (Pub. L. 107-347).
E.O. 12866: This notice has been determined not to be significant
for the purpose of E.O. 12866.
Dated: August 24, 2012.
Willie E. May,
Associate Director for Laboratory Programs.
[FR Doc. 2012-21461 Filed 8-29-12; 8:45 am]
BILLING CODE 3510-13-P