I am going for a FIPS 140-2 validation process of my software module. I have studied the relevant material but I am still not clear of one thing that can I use third party FIPS validated approved algorithms in my to be fips validated module? or Do i need to write my own implementation of approved algorithms and get them approved from NIST first?
I am confused because; in Fips validation module list, most of the companies have their own validated algorithms in their fips validated module which gives me impression that one has to get the validation of his own algorithm implementation first and then use it in to be validated crypto module. Is this right?
Any help would be appreciated.
The FIPS certification lab doesn’t care where the algorithm came from, only that your implementation conforms to the FIPS 140-2 standard. If your implementation conforms, then you get a certificate for it.
For example, if you look at the AES certification list, you’ll see that many people use OpenSSL’s AES implementation. Hardware implementations likely use an encryption core from a vendor rather than each organization re-implementing AES in hardware.
What you do have to do though is make the third-party implementation conform to the FIPS 140-2 standard. So you may have to write power-on self tests and continuous self tests and so on. You may even have to fix bugs in the implementation to make it pass the certification tests. For example, OpenSSL’s RSA implementation up to 0.9.7j/0.9.8b (from 2006) is vulnerable to the Bleichenbacher RSA forgery attack, so if you were using that old RSA implementation, you’d have to fix it.
To be clear, your third-party implementation does not have to have been previously FIPS certified. Your certification lab will test it as part of your implementation and certify it then.