Exceed FIPS 140 Level 1 Information Security

with Intel® Integrated Performance Primitives Cryptography

Get the Latest on All Things CODE

Sign Up
author-image

By

Ruqiu Cao

Software Technical Consulting Engineer

Alina Elizarova

Math Algorithm Engineer

Elena Tyuleneva

Math Algorithm Engineer

Robert Mueller-Albrecht 

Product Marketing Engineer

 

Intel Corporation

August 1, 2024

 

In today’s digital environment, ensuring the security of cryptographic modules is critical, especially for organizations that handle sensitive information. Intel® Integrated Performance Primitives Cryptography (Intel® IPP Cryptography) provides high-performance functions designed to enhance your security infrastructure while ensuring compliance with the Federal Information Processing Standard (FIPS) 140 series, a requirement for cryptography used by U.S. and Canadian government entities(FIPS General Information).

FIPS-Certified vs FIPS-Compliant

FIPS 140-3 defines 4 security levels (from level 1, the easiest, to level 4, the most stringent). In general, software may be certified at up to level 2.

Intel® Integrated Performance Primitives Cryptography (Intel® IPP Cryptography) provides the building blocks of FIPS-mode API (such as self-tests and FIPS-approved functionality status query) that can help end users fulfill FIPS level 1 requirements. Please refer to the Covered Algorithms section for the full list of FIPS-Approved API covered by self-tests.

Note: Intel® IPP Cryptography is not FIPS-Certified on its own but FIPS-Compliant. That means Intel® IPP Cryptography releases will have Cryptographic Algorithm Validation Program (CAVP) testing and certification done, but not a full Cryptographic Module Validation Program certificate, as the context of the usage of Intel® IPP Cryptography's high-performant primitives depends on a more high-level application.

For the results of CAVP testing, please visit these links:

or contact us via Intel® IPP Community

Intel® IPP Cryptography may be built in FIPS-mode with IPPCP_FIPS_MODE=on configuration for crypto single buffer and MBX_FIPS_MODE=on for crypto multi buffer (see details in the library GitHub readme build section).

An application that uses Intel® IPP Cryptography may be FIPS-Certified by matching FIPS 140 requirements and obtaining a NIST certificate or also be FIPS-Compliant for their customers.

Intel® IPP Cryptography: Meeting FIPS 140 Level 1 Requirements

Intel® IPP Cryptography provides essential building blocks to help applications achieve FIPS Level 1 compliance. Key features include:

  1. Module Identification: Intel® IPP Cryptography can output the module's name, identifier, and version through APIs like ippcpGetLibVersion() API for IPPCP and mbx_getversion() API for crypto_MB.
  2. FIPS-Approved Service Query: Functions like ippcp_is_fips_approved_func and mbx_is_fips_approved_func indicate whether a service is FIPS-approved.
  3. Self-Tests: Intel® IPP Cryptography provides APIs such as fips_selftest_ippcp for self-tests, ensuring the integrity and proper function of cryptographic algorithms.

Please refer to Level 1 Specific Requirements for a detailed description of what Intel® IPP Cryptography provides and what should be implemented at a higher level in an application.

Building in FIPS Mode

To build Intel® IPP Cryptography in FIPS mode, specific CMake flags are required:

  • For ippcp: -DIPPCP_FIPS_MODE=on
  • For Crypto Multi-Buffer: -DMBX_FIPS_MODE=on

These configurations enable additional APIs for self-tests and FIPS-support queries, allowing users to validate their cryptographic implementations.

Example Configuration for ippcp with Intel® C++ Compiler:

CC=icx

CXX=icpx

cmake CMakeLists.txt -B_build -DARCH=intel64 -DIPPCP_FIPS_MODE=on[-DIPPCP_SELFTEST_USE_MALLOC=on]

Example Configuration for Crypto Multi-Buffer with GCC:

CC=gcc

CXX=g++

cmake CMakeLists.txt -B_build -DARCH=intel64 -DMBX_FIPS_MODE=on

Examples of API Usage

Intel® IPP Cryptography Example Crypto Multi-buffer Library Example 
//------ FIPS-required part

// 1. check that the function is FIPS-approved:
if(!ippcp_is_fips_approved_func(AESEncryptCBC)) {
    return -1; // cannot use this function in FIPS mode.
}

// 2. Run the Selftest
fips_test_status selftest_status = IPPCP_ALGO_SELFTEST_OK;

// Query buffer size for the test and allocate it 
//(using Intel(R) IPP Cryptography with IPPCP_SELFTEST_USE_MALLOC=on)
int BuffSize = 0;
selftest_status += fips_selftest_ippsAESEncryptDecrypt_get_size(&BuffSize);
std::vector<Ipp8u> pBuff(BuffSize);

// Run the test
selftest_status += fips_selftest_ippsAESEncryptCBC(pBuff.data());

// Check selftest status
if (IPPCP_ALGO_SELFTEST_OK != selftest_status) {
    return -1; // selftest is not successful -> cannot use this function in FIPS mode.
}

//------ FIPS-required part ends (only needed before the first use of algorithm)

//------ Common Intel(R) IPP Cryptography usage
// ...
IppStatus status = ippsAESEncryptCBC(plain, cipher, block_size, pAES, cipherV);
// ...
 

//------ FIPS-required part

// 1. check that the function is FIPS-approved:
if(!mbx_is_fips_approved_func(nistp256_ecdh_mb8)) {
    return -1; // cannot use this function in FIPS mode.
}

// 2. Run the Selftest
if (fips_selftest_mbx_nistp256_ecdh_mb8() != MBX_ALGO_SELFTEST_OK) {
    return -1; // selftest is not successful -> cannot use this function in FIPS mode.
}

//------ FIPS-required part ends (only needed before the first use of algorithm)

//------ Common Crypto Multi-buffer Library usage
// ...
mbx_nistp256_ecdh_mb8(sharedAB, prvA, pubBx, pubBy, pubBz_curr, 0);
mbx_nistp256_ecdh_mb8(sharedBA, prvB, pubAx, pubAy, pubAz_curr, 0);

// ...

 

Covered Algorithms in Intel® IPP Cryptography

Intel® IPP Cryptography supports a range of algorithms, including AES, RSA Encrypt/Decrypt, RSA Sign/Verify, Hash, HMAC, Sign/Verify, and Elliptic Curves, RSA for Crypto Multi-buffer. These algorithms are all covered by self-tests to ensure compliance with FIPS requirements. Each algorithm's specific self-test API can be called to verify its proper operation before use in FIPS mode.

For the exact list of the supported symbols, please refer to FIPS_IPPCP_FUNC enumerator in include/ippcp/fips_cert.h, and  FIPS_CRYPTO_MB_FUNC enumerator in include/crypto_mb/fips_cert.h.

Add Data Security to Your Application

Intel® IPP Cryptography provides a performance-optimized set of cryptographic primitives that support FIPS 140 Level 1 compliance. By leveraging Intel® IPP Cryptography in FIPS mode, developers can build secure applications that meet government and industry standards, ensuring robust protection for sensitive data.

For more detailed information on implementing FIPS 140 requirements with Intel® IPP Cryptography, please refer to the Intel® IPP Cryptography documentation.

If you have any questions or requests to extend the list of FIPS-compliant algorithms, please submit the issue on Github or in the online service center.

We are looking forward to your feedback and suggestions.

Additional Resources

 

 

Product and Performance Information

1

Performance varies by use, configuration and other factors. Learn more at www.Intel.com/PerformanceIndex.