Oracle is an
active participant in the FIPS 140 validations. The current
version of FIPS 140 is FIPS 140-2. FIPS 140-2 is in the final
stages of becoming an ISO Standard, number 19790. ISO 19790 is
a modification of FIPS 140-2 that is less US-specific in order to
be internationally recognised. FIPS 140-3 is currently being
developed.
The following
FIPS 140-2 Implementation Guidance, G.5 applies to validated
Oracle cryptographic modules:
A vendor may
perform post-validation recompilations of a software or firmware
module and affirm the module's continued
validation compliance provided the following is maintained:
For Level 2
Operational Environment, a software cryptographic module will
remain compliant with the FIPS 140-2 validation when operating on
any General Purpose Computer (GPC) provided that the GPC
incorporates the specified CC evaluated EAL2 (or equivalent)
operating system/mode/operational settings or another compatible
CC evaluated EAL2 (or equivalent) operating system with like mode
and operational settings.
The CMVP allows
vendor porting and re-compilation of a validated software and
firmware cryptographic module from the OS(s) and/or GPC(s)
specified on the validation certificate to an OS(s) and/or GPC(s)
which were not included as part of the validation testing. The
validation status is maintained on the new OS(s) and/or GPC
without re-testing the cryptographic module on the new OS(s)
and/or GPC(s). However, the CMVP makes no statement as to the
correct operation of the module when ported to an OS(s) and/or
GPC(s) not listed on the validation certificate.
For
a matrix of Oracle security evaluations currently in progress, as
well as those completed, please go to Oracle
Security Evaluations Status.
Overview of FIPS 140-1
FIPS 140-2
Security Requirements for Cryptographic Modules is a U.S.
government standard for implementation of cryptographic modules
that encrypt and decrypt data or perform other cryptographic
operations (such as creating or verifying digital signatures).
The Cryptographic Module
Validation Program (CMVP) validates cryptographic modules to
Federal Information Processing Standards (FIPS) 140-2 Security
Requirements for Cryptographic Modules, and other FIPS cryptography-based standards. The CMVP was
established by NIST and the Communications
Security Establishment (CSE) of the Government of Canada in July
1995. The FIPS 140-2 standard is jointly maintained by both of
these organizations.
Encryption
products purchased by US and Canadian government agencies may be
required to undergo the FIPS 140-2 validation. These products are
validated against FIPS 140-2 at security levels ranging from level
1 (lowest) to level 4 (highest). The testing and validation of
products against the FIPS 140-2 criteria is performed by NIST and
CSE-approved and accredited certification laboratories.
Level
2 is the highest level of validation pursued by software vendors.
Level 4 is generally only attempted by hardware vendors who
produce hardware such as hardware encryption devices.
The Validation
Authorities also validate the test results for the FIPS-approved
or NIST recommended cryptographic algorithms. An algorithm
validation certificate is issued for each validated cryptographic
algorithm.
Oracle Advanced
Security is also validated against additional FIPS criteria such
as FIPS 180-1 Secure Hash Standard, FIPS 46-2 Data Encryption
Standard (DES) and FIPS 81 DES Mode of Encryption.