Key Agreement Schemes

As the Cryptographic Module Validation Program (CMVP) prepares for the transition to automated algorithm testing, more and more algorithms are being subjected to the testing process.

Testing for the key agreement schemes specified in NIST Special Publication (SP) 800-56A is currently under development. Once available, FIPS 140-2 validated modules that implement those schemes will be required to comply with revision 3 of that recommendation and will be required to undergo algorithm testing. Modules that include untested implementations will be transitioned to the Historical List on January 1, 2022.

Further Details

Cryptographic Algorithm Validation Program (CAVP) testing was limited as outlined within NIST SP 800-56A, as such, Vendors were allowed to use the Diffie-Hellman and Elliptic Curve Diffie-Hellman key scheme agreements as “Non-Approved but allowed” algorithms. As the program has evolved, new guidance specified within SP 800-56A rev3 indicates Vendors will no longer be allowed to use the schemes as “non-Approved but allowed”, but instead must submit “Vendor Affirmation”, which requires substantial work, including code review.

Moreover, ACVT testing (the newly adopted form of automated algorithm testing) is under development for rev3. Once completed, that “Vendor Affirmation” will no longer be accepted.

Once testing is available, modules that include implementations to the old standard AND implementations that are vendor-affirmed will all be moved to the Historical List.

Solution

Contact Corsec to discuss your resolution path and determine if you need to take action for your validation.