2

ECIES is Elliptic Curve Integrated Encryption Scheme. Both Certicom's SecurityBuilder and RSA Data Security BSAFE provide ECIES. Both are FIPS 140 validated, and both clearly list ECIES in their data sheets.

ECIES effectively creates a stream cipher and XOR's the keystream with plaintext. That's grossly simplified, but I think it captures the essence of the Data Encapsulation Mechanism (DEM). More to the point: ECIES does not use an approved block cipher (like AES or 3-key TripleDES).

However, NIST only allows block ciphers and streaming modes of operation, like OFB and CTR; and does not offer stream ciphers.

How is ECIES available in validated libraries like SecurityBuilder and BSAFE? Or (from an offline discussion), how can ECIES be FIPS 140 validated?

1 Answers1

1

It is possible for a module to be FIPS 140 Validated and include non-validated features like ECIES. You can see multiple instances of this in various validation documents:

The trick is that to use those modules in a FIPS-compliant way, you need to only use the validated algorithms. For instance, in the BlackBerry document:

... ECIES ... encryption algorithm are supported as non FIPS Approved algorithms. In order to operate the module in compliance with FIPS, these algorithms should not be used.

This is backed up by the NIST Guidance :

NOTE2: The operator of a cryptographic module is responsible for ensuring that the algorithms and key lengths are in compliance with the requirements of NIST SP 800-131A.

So, although a module can be FIPS 140-2 validated, the onus is on the operator to ensure that how it is used is in compliance with the current standard. With that understanding, the maker of a module can include non-FIPS-validated algorithms for other purposes.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • *"The trick is that to use those modules in a FIPS-compliant way, you need to only use the validated algorithms."* - ah, that's what I was missing. In OpenSSL and Crypto++, the non-validated algorithms are removed. –  Apr 17 '15 at 18:32
  • *" ... the maker of a module can include non-FIPS-validated algorithms for other purposes"* - I'm probably splitting hairs again... "The module" is what's in-scope, and its the cryptographic or security boundary. Everything in "the module" must be FIPS Validated (some hand waiving). So do you mean "library" instead? –  Apr 17 '15 at 18:36
  • I'm using the language from the NIST list of "Validated Modules" of which BSAFE is one. BSAFE is a FIPS-Validated module with a non-FIPS algorithm. – schroeder Apr 17 '15 at 18:38
  • *"Everything in "the module" must be FIPS Validated (some hand waiving)"* - I should clear up the hand waiving. Some non-approved algorithms can be included, like MD5 and SHA-1. But they have explicit exceptions stated somewhere. In the case of MD5 and SHA-1, the exception is for use in TLS 1.0/1.1 *and* only as a PRF (other uses are prohibited). The exception is called out in SP800-135. –  Apr 17 '15 at 18:42