Operating the SCVP Service in FIPS 201 Compliant Mode
FIPS 201 (Federal Information Processing Standards Publication 201) is a United States federal government standard that specifies Path Discovery and Validation (PD-VAL) requirements for Federal employees and contractors.
FIPS 201 places specific requirements on PD-VAL using the SCVP (RFC 5055) protocol, as specified below:
- The ADSS Server complies with RFC 5055 (SCVP) – Server-based Certificate Validation Protocol.
- The Product has demonstrated Path Discovery and Validation capability using the PKITS and the Path Discovery Test Suite.
- The {SCVP Response} must be signed with a public key or hash algorithm that satisfies the requirements for signing new PIV information, as specified in Table 3-3 of NIST SP 800-78-1:
- Note: It is the role of the ADSS Server operator to ensure that the SCVP response signing key and hash algorithm they configure are at least as large as the key and hash algorithm size used by the CA which issued the target certificate (i.e. the certificate being validated). For further details on how to configure this within the SCVP Service, see the page: SCVP Service Manager Settings

| Signature Generation Date | Public Key Algorithms and Key Sizes | Hash Algorithms | Padding Scheme |
|---|---|---|---|
| After 12/31/2010 | RSA (2048, 3072, or 4096 bits) | SHA-256 | PKCS #1 v1.5, PSS |
| | ECDSA (Curve P-256) | SHA-256 | N/A |
| | ECDSA (Curve P-384) | SHA-384 | N/A |

- The object identifiers specified in Table 3-4 of NIST SP 800-78-1 must be used in CRLs and {SCVP} messages to identify the signature algorithm.

| Signature Algorithm | Object Identifier |
|---|---|
| RSA with SHA-1 and PKCS #1 v1.5 padding | sha1WithRSAEncryption ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 5} |
| RSA with SHA-256 and PKCS #1 v1.5 padding | sha256WithRSAEncryption ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 11} |
| RSA with SHA-256 and PSS padding | id-RSASSA-PSS ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) 10} |
| ECDSA with SHA-256 | ecdsa-with-SHA256 ::= {iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 2} |
| ECDSA with SHA-384 | ecdsa-with-SHA384 ::= {iso(1) member-body(2) us(840) ansi-X9-62(10045) signatures(4) ecdsa-with-SHA2(3) 3} |

- The cryptographic module used for signing {SCVP responses} shall be validated to FIPS 140-2 with an overall Security Level 2 (or higher).
- The Product has demonstrated Secure Hash Standard (SHS) capability to generate a SHA-256 digest.
The ADSS Server administrator can configure the SCVP Service to meet all of the above requirements. ADSS Server has been interoperability tested with a range of FIPS 140-2 Level 2+ hardware cryptographic modules from various suppliers. Any FIPS 140-2 Level 2+ hardware security module that implements the PKCS#11 interface should work with ADSS Server. For further details on how to configure the FIPS 140-2 cryptographic module see this section of the manual: Creating a New Hardware Crypto Profile.
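
As an added example (not ADSS Server code or part of its documentation), the following Python check encodes Table 3-3 and Table 3-4 above and tests a configured SCVP response signer against them and against the issuing CA's key and hash size, as the operator note requires. The dotted OIDs are the numeric form of the arcs in Table 3-4; the function names and the `(signature OID, key bits)` input shape are assumptions, and a mixed RSA/ECDSA pair is flagged for manual review because the page only speaks of size.

```python
# Added example: constructed policy check, not ADSS Server code.
# Table 3-4 as dotted OIDs: oid -> (key family, hash name, hash bits).
TABLE_3_4 = {
    "1.2.840.113549.1.1.5":  ("RSA", "SHA-1", 160),
    "1.2.840.113549.1.1.11": ("RSA", "SHA-256", 256),
    "1.2.840.113549.1.1.10": ("RSA", "SHA-256", 256),  # id-RSASSA-PSS row
    "1.2.840.10045.4.3.2":   ("ECDSA", "SHA-256", 256),
    "1.2.840.10045.4.3.3":   ("ECDSA", "SHA-384", 384),
}
# Table 3-3 (signatures after 12/31/2010): (family, key bits) -> required hash.
TABLE_3_3 = {
    ("RSA", 2048): "SHA-256", ("RSA", 3072): "SHA-256", ("RSA", 4096): "SHA-256",
    ("ECDSA", 256): "SHA-256",  # Curve P-256
    ("ECDSA", 384): "SHA-384",  # Curve P-384
}

def check_signer(sig_oid, key_bits):
    """Findings for one SCVP response signer against Tables 3-4 and 3-3."""
    if sig_oid not in TABLE_3_4:
        return [f"signature OID {sig_oid} is not listed in Table 3-4"]
    family, hash_name, _ = TABLE_3_4[sig_oid]
    required = TABLE_3_3.get((family, key_bits))
    if required is None:
        return [f"{family} {key_bits}-bit key is not listed in Table 3-3"]
    if hash_name != required:
        return [f"{family} {key_bits}-bit key must sign with {required}, not {hash_name}"]
    return []

def check_against_issuer(signer, issuer):
    """Operator note: signer key and hash must be at least as large as the
    issuing CA's. Each argument is (sig_oid, key_bits). Key sizes are only
    compared within one key family (assumption of this example)."""
    findings = check_signer(*signer)
    if findings:
        return findings
    if issuer[0] not in TABLE_3_4:
        return [f"issuer signature OID {issuer[0]} is not listed in Table 3-4"]
    s_fam, _, s_hash = TABLE_3_4[signer[0]]
    i_fam, _, i_hash = TABLE_3_4[issuer[0]]
    if s_fam != i_fam:
        findings.append(f"{s_fam} signer vs {i_fam} issuer: review strength manually")
    elif signer[1] < issuer[1]:
        findings.append(f"signer key {signer[1]} bits < issuer key {issuer[1]} bits")
    if s_hash < i_hash:
        findings.append(f"signer hash {s_hash} bits < issuer hash {i_hash} bits")
    return findings
```

An empty list means the pair satisfies both tables and the size rule; the inputs would come from the SCVP responder certificate and the CA certificate that issued the target certificate.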