By Mike Luken Today’s digital economy relies on secure communications in both our personal and business activities. We expect that when private data is transmitted over the internet, or other communications channels, it will be protected against tampering and prying eyes. The integrity and confidentiality of information is typically achieved using cryptography, mathematically based methods to encrypt and decrypt information.
We assume our communications are secure. But are they? Cryptography provides the foundation of secure communications, but how do we know that the cryptography we are using is correct and secure? When was the last time you verified that the algorithms used have been implemented correctly? Or that they have not been intentionally or unintentionally altered to make them less secure?
Fortunately for all of us, there are organizations that have active programs to do just this. As highlighted in Anthony Grieco’s blog on “Automating Explicit Trust,” Cisco and industry leaders are working to develop technologies that provide explicit trust (i.e. evidence of trustworthiness) and enhance communications security. A notable example is the Cryptographic Module Validation Program (CMVP) conducted by the National Institute of Standards and Technology (NIST) as a part of Federal Information Processing Standard (FIPS). Many organizations are required to only utilize products that contain NIST validated cryptographic modules. And this makes sense. Leaders want the communications used in their organizations to be based on a sound foundation to ensure the integrity and confidentiality of their information.
Historically, CMVP testing required significant manual effort which made the endeavor both costly to vendors and extremely time consuming. This resulted in vendors having to make hard decisions on which products and software versions to validate. The organizations requiring this validation, saw the following:
A smaller number of available validated products and software versions
Having to choose between using a non-validated version of software that contains vulnerability fixes vs. using existing validated products with known vulnerabilities while waiting for the new software to be validated.
Recognizing the impact of this dilemma, NIST and industry have been working together to create the Automated Cryptographic Validation Testing (ACVT) program. A bold and visionary move that should increase the number of validated products, reduce the lag between vulnerability fix and validation, and reduce risks inherent with manual operations. This is all made possible with the new Automated Cryptographic Validation Protocol (ACVP) which provides the communications between product under test and the NIST test server.
The ACVT program is live and the NIST ACVT server is online. Industry is actively incorporating ACVP into products. Recently, Cisco successfully passed ACVT algorithm testing for one of its core cryptographic modules (validation # A4); thereby, formally validating the cryptography used to secure customer communications.
Network and system attacks by bad actors are frequently in the news. It is encouraging to know there is now an industry defined, independent 3rd party capability available and in-use to validate that the cryptography used to secure communications. +1 for the good guys.
Visit the Trust Center to learn more about Cisco’s commitment to trustworthiness, transparency, and accountability.
Industry Working Group on Automated Cryptographic Algorithm Validation
NIST: Security Testing, Validation and Measurement
Source:: Cisco Security Notice