NVLAP and Cryptographic Testing

The National Voluntary Laboratory Accreditation Program (NVLAP) handles lab and testing requirements for several categories of products and services, several within cybersecurity. One of the most important categories is cryptographic testing and validation. 


NVLAP and Cryptographic Testing

One of the testing and validation programs managed by the NVLAP is one related to cryptographic modules as outlined by the National Institute of Standards and Technology (NIST). To align lab standards with technical requirements, NVLAP defers its standards for lab testing to two different programs–namely, the Cryptographic Algorithm Validation Program (CAVP) and the Cryptographic Module Validation Program (CMVP). 

NIST requires that cryptographic modules be tested and validated along specific guidelines to ensure they protect data sufficiently. NVLAP (along with CAVP and CMVP) ensures that testing facilities can adequately test for the various requirements throughout the NIST specification.

Why do cryptographic modules need to be tested? At a minimum, they must be:

  • Sufficiently Complex: Modules must provide sufficiently complex obfuscation such that it is impossible that a hacker can break the encryption without having the appropriate decryption key.
  • Tamer-Resistant: A cryptographic module isn’t secure if hackers can change the parameters in the module itself. As such, these modules must have ways to ensure the security and integrity of code, hardware, and firmware equally.
  • Well-Protected: Validated cryptographic modules must have secure ways to generate, secure, and replace/destroy encryption keys. A compromised key will essentially ruin the security potential of a module, so modules must maintain the functionality that can protect these keys.


What Is the Cryptographic Algorithm Validation Program (CAVP)?


CAVP is the testing program that addresses minimum security requirements for the encryption algorithms used inside modules. Because there are several different algorithms, each accomplishing a different task or function, several relevant testing approaches are based on each category. Additionally, because NIST uses a standardized set of approved algorithms, it only tests for those particular systems.

The current algorithm tests include:

  • Block Ciphers: Block cipher algorithms, as the name suggests, encrypt data in a “block” of a predetermined length. Currently, CAVP tests Advanced Encryption Standard (AES), Triple Data Encryption Standard (DES), and Skipjack (for decryption only). This testing category includes evaluations for basic encryption modes such as ECB, CBC, CFB, and OFB.
  • Block Cipher Modes: Additional, advanced modes of block cipher encryption. These include Counter with Cipher Block Chaining (CCM), Block Cipher-Based Authentication Code (CMAC), Galois/Counter Mode (GCM), GCM Message Authentication, and GCM-AES-XPM.
  • Digital Signatures: CAVP tests Digital Signature Algorithm (DSA), Elliptic Curve DSA, and RSA signature methods. Furthermore, testing covers requirements for FIPS 186,  “Digital Signature Standard” versions two and four.
  • Key Derivation Functions: CAVP tests Key Derivation Functions (namely, Key-Based KDF) along requirements outlined in NIST SP 800-135.
  • Key Management: Algorithms must be tested to ensure that keys for encryption agree with algorithms (to ensure that third parties do not influence key creation) and that the key scheme (public or private) works as intended to protect secrets from unwanted parties. 
  • Message Authentication: CAVP includes testing for the authentication of hashing algorithms, specifically Hash Message Authentication Code (HMAC) as defined in FIPS 198-1.
  • Random Number Generation: Random number generation is crucial for sufficiently complex and randomized encryption schemes. CAVP includes testing specifics for Deterministic Random Bit Generators (DRBG) to meet requirements in NIST SP 800-90A.
  • Secure Hashing: This testing category validates a one-way hashing algorithm, namely Secure Hash Algorithm (SHA) 1, SHA-2, and SHA-3, as defined in FIPS 180-4 and FIPS 202.
  • Component Testing: Along with testing algorithms as a whole, CAVP will also test algorithm components to ensure that specific functions are working appropriately. This includes algorithm primitives for generating signatures or encrypting and decrypting blocks. 


What Is the Cryptographic Module Validation Program

In addition to testing encryption algorithms, NIST also supports the CMVP program to test and validate comprehensive modules (which may include the algorithm, other software, hardware, etc.). 

The CMVP process functions as a larger flow chart where a vendor-specific module is tested and verified by an accredited Cryptographic and Security Testing (CST) lab. The process, broadly, follows a few steps:

  1. Submission of Module: A vendor submits the module to the accredited CST lab (following testing requirements set by the CMVP program and NVLAP lab management and testing standards. 
  2. Testing: The lab creates a set of Derived Test Requirements (DST) based on the components and function of the module. These DSTs are derived from requirements spelled out in FIPS 140. Once testing is complete, the lab creates a cryptographic module test report and submits it to the CMVP.
  3. Validation: Validation can be an interactive process. If the vendor’s module does not meet testing standards, the CMVP can coordinate comments between the lab and the vendor and restart the testing process. The module is confirmed into the FIPS 140 standard if it passes inspection. 
  4. Listing: Validated and the NIST lists in-process modules to help agencies and developers trust the cryptographic modules that they use. 


Utilize Proper Cryptography Standards with Continuum GRC

With the evolving set of cyber threats and vulnerabilities, it’s essential to have strong encryption spearheading security. That’s why the developers and the end-users of cryptographic technologies need to understand standards, requirements, and validation processes. 

Continuum GRC is a cloud platform that can take something as routine and necessary as regular vulnerability scanning and reporting under FedRAMP and make it an easy and timely part of business in the public sector. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

  • FedRAMP
  • StateRAMP
  • NIST 800-53
  • FARS NIST 800-171
  • CMMC
  • SOC 1, SOC 2
  • PCI DSS 4.0
  • IRS 1075
  • ISO 27000 Series
  • ISO 9000 Series

And more. We are the only FedRAMP and StateRAMP Authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.


Continuum GRC