Forms for Rules for the Application Procedures for Cryptographic Module Validation

Form 1
Application for Cryptographic Module Validation

To Chairman of the Information-technology Promotion Agency, Japan (IPA)

The applicant hereby applies for the validation of the following cryptographic module in accordance with the “Rules for the Application Procedures for Cryptographic Module Validation” (CBM-02), and I, as the person in charge of this application, hereby agree to the contents of the Letter of Consent (Form 2) attached hereto.

Name of the Applicant:
Address:
Signature:
Person in Charge of Application:
Title:
Date:

<Type of application>
Validation (new) of a cryptographic module/Revalidation of the cryptographic module with the validation number of ( )

<Identity of the cryptographic module to be shown in the “Validated Cryptographic Module Products List”>
Name of the cryptographic module:
Hardware version:
Firmware version:
Software version:
Outline:

<Person in charge of this application>
Name (department/division):
E-mail:
Telephone number:

The section below is to be filled out by the IPA.
Reception number

<Desired scope of validation>
Security Level: 1 / 2 / 3 / 4
Physical state: Single-chip/Multi-chip embedded/Multi-chip standalone
Note: Only “multi-chip standalone” is applicable to software.

<Security/Testing Requirements that constitute standards for this cryptographic module validation>
Name of the standard:

<Information on the applicant to be shown in the “Validated Cryptographic Module Products List”>
Name of the applicant:
URL:
Address:
Contact person (department/division):
E-mail of the contact person:
Telephone number:
Facsimile number:

<Payer of application fee whom the bill is to be sent to>
Name:
Address:
Attention (care of):
E-mail:
Telephone number:
Facsimile number:

<Information on the Cryptographic Module Testing Laboratory>
Name of the Testing Laboratory:
Person in charge:
E-mail:
Telephone number:
Facsimile number:

<Publicity of the status of “validation pending”>
Does the applicant wish for the IPA to publicize the status of “validation pending” for its cryptographic module? Yes/No

Form 2
Letter of Consent

To Chairman of the Information-technology Promotion Agency, Japan (IPA)

I, as the person in charge of application, hereby consent to the following pledges that the applicant takes.

1. The applicant will observe at all times the “Basic Rules for the Japan Cryptographic Module Validation Program” (hereinafter referred to as the “JCM-01”) and the “Rules for the Application Procedures for Cryptographic Module Validation” (hereinafter referred to as the “CBM-02”) established by the Information-technology Promotion Agency, Japan (IPA).

2. The applicant will make all preparations necessary for the fulfillment of the validation services by the IPA as the cryptographic module certification body (hereinafter referred to as the “Certification Body”), where such preparations include the arrangement of the cryptographic module needed for surveillance or retesting and access to the applicant’s documents, facilities, records or persons for inspection or interview.

3. The applicant will not use the cryptographic module validation for any other purposes than to show evidence of the certified conformity of the cryptographic module concerned to the Cryptographic Module Security Requirements mentioned in the Annex A of the JCM-01.

4. The applicant will explicitly indicate that the validation covers the designated scope only.

5. The applicant will not abuse the “Cryptographic Algorithm Verification Certificate,” “Cryptographic Module Validation Certificate,” “Cryptographic Module Validation Report” or “Validated Cryptographic Module Label” in a way that harms the reliability of the validation.

6. The applicant will not abuse, entirely or partially, the “Cryptographic Algorithm Verification Certificate,” “Cryptographic Module Validation Certificate” or “Cryptographic Module Validation Report” in a way that could induce any misunderstanding of facts.

7. When the applicant uses the “Validated Cryptographic Module Label” in a document, brochure, advertisement/publicity material, product package, etc., following the issue of the “Cryptographic Module Validation Certificate,” the applicant will have the Label accompanied with the below-mentioned explanation together with the cryptographic module validation number and the description of the attained security level, closely to each other or in a way that allows readers to identify them easily, and the applicant will not use the Label in a way that could induce any misunderstanding of facts.

(In the case that the cryptographic module constitutes the entire portion of a product)
“The validation granted for this cryptographic module is evidence of its conformity to the designated requirements under the Japan Cryptographic Module Validation Program (JCMVP) as proven by a test duly conducted on a sample of the module.”

(In the case that the cryptographic module partially constitutes a product)
“A validated cryptographic module is embedded in this product. The validation granted for this cryptographic module is evidence of its conformity to the designated requirements under the Japan Cryptographic Module Validation Program (JCMVP) as proven by a test duly conducted on a sample of the module.”

8. In the event that the validation is suspended or withdrawn, the applicant will immediately discontinue all advertisement and publicity activities that refer to the validation, and will return the “Cryptographic Module Validation Certificate” and any other documents granted upon the validation by following the instruction of the Certification Body.

9. Following the issue of the “Cryptographic Module Validation Certificate” for the applicant, the applicant will fulfill all of the below-mentioned obligations and requirements imposed on Applicants with Validation.

a) When the applicant desires to supply or market the cryptographic module concerned in a way that explicitly shows their status of validated cryptographic module, the module must be supplied or marketed under the exact condition defined in the “Cryptographic Module Validation Report” and the “Cryptographic Module Validation Certificate” granted for the module. In the event that any modification has been made to the module, such modified cryptographic module may not be marketed unless revalidation or newly-applied validation is granted for the modified one.

b) When any description in the “Cryptographic Module Validation Certificate” or “Validated Cryptographic Module Products List” has to be changed, the applicant must promptly notify the Certification Body of the change.

c) The applicant must make records of all complaints given about the security of its validated cryptographic module. The applicant must deal with all such complaints in an appropriate manner and make records of all measures taken for addressing the complaints. The applicant is to submit to the Certification Body, when requested, a record of such complaint or any measure taken to address the complaint. In the case that the applicant is unable to submit such record for some reason, the applicant must allow the Certification Body’s personnel access to the record.

d) When the applicant obtains any information that shows possible nonconformity of the validated cryptographic module to the JCMVP, the applicant must notify the Certification Body of such information without delay. If the applicant desires to maintain the validity of the cryptographic module, the applicant must obey any instruction given by the Certification Body in response to said notification. Such instruction might demand, for instance, the arrangement of retesting to be conducted by the Testing Laboratory or the payment of all retesting expenses in the case that there is a fault of the applicant.

10. The applicant will not claim any liability of the IPA for any damage, loss, etc. unless such damage, loss, etc. is attributable to any intentional grant of wrong validation by the IPA or any material fault of the IPA in its validation services.

Name of the Applicant:
Address:
Signature:
Person in Charge of Application:
Title:
Date:

Form 3
Cryptographic Module Test Plan

Issued on: date
Reference number:
To: <Applicant>
From: <Testing Laboratory>
Person in charge:

This is to inform that our test plan for your cryptographic module is as follows:

<Information on the cryptographic module to be tested>
Name of the cryptographic module:
Hardware version:
Firmware version:
Software version:

<Information on the Testing Laboratory who will conduct the test>
Name of the Testing Laboratory:
Person in charge:
E-mail:
Telephone number:
Facsimile number:

<Information on the team who will carry out the test>
Quality Manager:
Technical Manager:
Team members:

<Testing methods, techniques, tools and standards used for the test>

<Test schedule>
Scheduled first day: Month/Day/Year
The first week ~ ○th week:
The ○th week ~ ○th week:
The ○th week ~ ○th week:
The ○th week ~ ○th week:
The ○th week ~ ○th week:
The ○th week ~ ○th week:
The ○th week ~ ○th week:
The ○th week ~ ○th week:
The ○th week ~ ○th week:
The ○th week ~ ○th week:
The ○th week ~ ○th week:

<Note>

Form 4
Notice of Change of Descriptions in Application for Cryptographic Module Validation, etc.

To Chairman of the Information-technology Promotion Agency, Japan (IPA)

This is to notify that the change mentioned below in 2. needs to be made to the descriptions on the application form categorized as below in 1.

1. Type of application
・ Application for Cryptographic Module Validation
・ Application for the Issue of English Version of Cryptographic Module Validation Certificate, etc.

2. Identity of the cryptographic module concerned
Name of the module:
Version:
Date of application:
Person in charge of the application:
Content of the change:

[Notes]
- For section 1. above, the circled one applies.
- The Person in Charge of Application shown herein is supposed to be the same person shown on the application form for cryptographic module validation.
- Submission of this form is not necessary when the change is made to the description of the version only.

Name of the Applicant:
Address:
Signature:
Person in Charge of Application:
Title:
Date:

Form 5
Notice of Withdrawal of the Application for Cryptographic Module Validation, etc.

To Chairman of the Information-technology Promotion Agency, Japan (IPA)

This is to notify that the applicant mentioned herein desires to withdraw the application categorized as below in 1. on the module and for the reason stated below in 2.

1. Type of application
・ Application for Cryptographic Module Validation
・ Application for the Issue of English Version of Cryptographic Module Validation Certificate, etc.

2. Identity of the cryptographic module concerned
Name of the module:
Version:
Date of application:
Reason of withdrawal:

[Note]
- For section 1. above, the circled one applies.
- The Person in Charge of Application shown herein is supposed to be the same person shown on the application form for cryptographic module validation.

Name of the Applicant:
Address:
Signature:
Person in Charge of Application:
Title:
Date:

Form 6
Notice of Change of Descriptions in Validated Cryptographic Module Products List, etc.

To Chairman of the Information-technology Promotion Agency, Japan (IPA)

This is to notify that the change mentioned below in 2. needs to be made to the descriptions on the document identified below in 1.

1. Category of the document
・ Validated Cryptographic Module Products List
・ Other ( )

2. Identity of the cryptographic module concerned
Name of the module:
Cryptographic Module Validation number:
Change to be made:
Reason for making the change:

[Notes]
- For section 1. above, the circled one applies.
- The Person in Charge of Application shown herein is supposed to be the same person shown on the application form for cryptographic module validation.

Name of the Applicant:
Address:
Signature:
Person in Charge of Application:
Title:
Date:

Form 7
Application for Reissue of Cryptographic Module Validation Certificate, etc.

To Chairman of the Information-technology Promotion Agency, Japan (IPA)

The applicant hereby applies for the reissue of the document categorized as below in 1. for the reason mentioned below in 2.

1. Type of document
・ Cryptographic Algorithm Verification Certificate
・ Cryptographic Module Validation Certificate/Cryptographic Module Validation Report
・ English Version of Cryptographic Algorithm Verification Certificate
・ English Version of Cryptographic Module Validation Certificate/English Version of Cryptographic Module Validation Report

Name of the module concerned:
Version:
Cryptographic Module Validation number or Cryptographic Algorithm Verification number:

2. Reason for the request for reissue

[Notes]
- For section 1. above, the circled one applies.
- The Person in Charge of Application shown herein is supposed to be the same person shown on the application form for cryptographic module validation.

Name of the Applicant:
Address:
Signature:
Person in Charge of Application:
Title:
Date:

Form 8
Application for the Issue of English Version of Cryptographic Module Validation Certificate, etc.

To Chairman of the Information-technology Promotion Agency, Japan (IPA)

The applicant hereby applies for the issue of the “English Version of Cryptographic Algorithm Verification Certificate,” the “English Version of Cryptographic Module Validation Certificate” and the “English Version of Validation Report” that correspond to the following validation granted and issued in accordance with “Rules for the Application Procedures for Cryptographic Module Validation.”

1. Name of the cryptographic module concerned:
2. Date of the cryptographic module validation:
3. Cryptographic Module Validation number:

Name of the Applicant:
Address:
Signature:
Person in Charge of Application:
Title:
Date:

Form 9
Nondisclosure Agreement

This Nondisclosure Agreement (hereinafter referred to as the “Agreement”) is entered into by and between Name of the applicant (hereinafter referred to as the “Disclosing Party”) and the Information-technology Promotion Agency, Japan (hereinafter referred to as the “Receiving Party”) on the treatment of confidential information to be disclosed by the Disclosing Party to the Receiving Party as a consequence of the application made by the Disclosing Party for cryptographic module validation [Reception number of the application: ] and for the purpose of assisting the Receiving Party’s fulfillment of the cryptographic module validation services under the Japan Cryptographic Module Validation Program (hereinafter referred to as the “JCMVP”) and other works incidental to said services (hereinafter collectively referred to as the “Validation Services”). The Parties agree as follows:

(Aim of the Agreement)
Article 1: This Agreement provides for the treatment of confidential information to be disclosed directly or via a testing laboratory by the Disclosing Party to the Receiving Party or to be obtained by the Receiving Party in the course of the Receiving Party’s fulfillment of the Validation Services.

(Obligations of confidentiality)
Article 2: The Receiving Party shall respect and preserve the confidentiality of the confidential information defined below (hereinafter referred to as the “Confidential Information”) with due care and in good faith, and shall not, without the prior written consent of the Disclosing Party, copy or disclose the Confidential Information to any third party.

2. The Confidential Information under this Agreement is defined as the technical or commercial information that is disclosed directly or via a testing laboratory by the Disclosing Party to the Receiving Party or the Receiving Party comes to know in the course of the fulfillment of the Validation Services, and shall include the following.
(1) All tangible materials containing technical data or information, drawings and other relevant materials explicitly identified as confidential that have been delivered by the Disclosing Party to the Receiving Party or disclosed by the Disclosing Party to the Receiving Party by electromagnetic means as designated by the Receiving Party.
(2) Information that is disclosed by the Disclosing Party to the Receiving Party orally or in a manner other than mentioned above along with the instruction to keep it confidential and is then explicitly designated as confidential by the Disclosing Party in writing within thirty days after the disclosure.

3. Without prejudice to the above provisions in 1 and 2 of this Article, any of the following information shall not be construed as the Confidential Information and therefore shall not bind the Receiving Party to the obligations of confidentiality.
(1) Information that is publicly known at the time of disclosure from the Disclosing Party
(2) Information that becomes publicly known after the disclosure from the Disclosing Party for any reason not attributable to the Receiving Party
(3) Information that the Receiving Party already had in its possession or has received without restriction from an independent third party that is lawfully entitled to disclose the information to the Receiving Party prior to the disclosure by the Disclosing Party.
(4) Information that the Receiving Party is authorized to disclose with the written consent of the Disclosing Party.

4. Paragraph 1 of this Article shall not apply to the cases mentioned below, provided however that the Receiving Party notifies the Disclosing Party of the disclosure to be made as mentioned below.
(1) Where the Receiving Party is required by law to disclose any Confidential Information to such party as legally designated within such scope as legally specified
(2) Where the Receiving Party sees any good reason to disclose any Confidential Information, with such reason including the government’s order, and obtains prior consent of the Disclosing Party to such disclosure of Confidential Information.

5. Even when the Confidential Information is copied, modified or compiled, the Receiving Party shall treat such copied, modified or compiled information as the Confidential Information under this Agreement.

(Restricted use of the Confidential Information)
Article 3: The Receiving Party shall not, without the prior written consent of the Disclosing Party, use the Confidential Information for any other purpose than the fulfillment of the Validation Services.

(Indemnification)
Article 4: The Receiving Party shall indemnify the Disclosing Party against any loss or damage incurred as a result of the Receiving Party’s breach of any provision of this Agreement as the Receiving Party should have foreseen such outcome in general, except that the Receiving Party shall not be responsible for compensating for any extraordinary loss or lost earnings.

(Expenses of the preparation of this Agreement)
Article 5: Costs generated as a result of preparing this Agreement shall be shared by both Parties in a way that respective Parties bear their own expenses.

(Modification of this Agreement)
Article 6: Any modification of this Agreement shall not be valid unless explicitly documented and signed by duly authorized representatives or legal attorneys of the respective Parties.

(Entire agreement)
Article 7: This Agreement sets forth the entire agreement between the Parties hereto as of the date of agreement specified herein and merges and supersedes all prior agreements, presentations, proposals, correspondences and understandings, oral or written, of any nature between them on the subject matter of this Agreement. In the event that any inconsistency is found between this Agreement and any of the said prior agreements, etc., this Agreement shall precede the latter.

(Prohibited transfer of the rights, obligations, etc. under this Agreement)
Article 8: Either Party may not transfer to any third party or allow any third party to succeed any rights, obligations and granted status under this Agreement, without the prior written consent of the other Party.

(Term)
Article 9: This Article shall become effective on the date of signature specified herein and shall expire after five years from the completion, suspension or termination of the Validation Service or after five years since the last day of the Receiving Party’s reception of the Confidential Information from the Disclosing Party, whichever comes first, unless otherwise agreed by both Parties separately from this Agreement.

(Applicable law)
Article 10: This Agreement and all rights and obligations of the Parties under this Agreement shall be construed and governed in accordance with the laws of Japan.

(Jurisdiction)
Article 11: Any dispute arising from this Agreement shall be brought in the Tokyo District Court as the court of first instance agreed upon between both Parties.

IN WITNESS WHEREOF, the Parties hereto have executed this Agreement in two signed copies, with each to be kept by the Disclosing Party and the Receiving Party respectively.

Disclosing Party
Address
By:
Name:
Title:
Date:
Signature

Information-technology Promotion Agency, Japan
16F, Bunkyo Green Court Center Office
2-28-8 Honkomagome Bunkyo-ku, Tokyo, Japan 113-6591
By:
Name:
Title: Chairman
Date:
Signature

Form 10
Cryptographic Module Observation Report

Reference number:
Name of the cryptographic module: XX cryptographic module
Version: Hardware version XXX, Software version XXX
Subject in question: “Source code XX”
Finding: The function XX is not able to XXXXX.
AS concerned:
TE concerned:

Report issued by: XX Testing Laboratory
Writer of this Report:
Person in charge of the issue of this Report:
Date of issue: Month/Day/Year
Comments: The function XX described in the Xth line of the source code is not able to XXXXX, thus is found to fail to conform to the TE Requirement XXXX that demands “the source code is able to XXXX.” Your correction of this failure (nonconformity) is needed.
This report goes to: (Name of the corporation who receives this Report.)
The recipient of this Report is asked to respond by: (Month/Day/Year)

Responded by: (Name of the corporation who responded to the Report)
Writer of the response:
Person in charge of the response:
Date of response: Month/Day/Year
Comments: We’ve revised the function XX described in the Xth line of the Source Code XX to attain conformity with the TE Requirement XXX that demands that “the source code is able to XXXX,” by introducing the software version ○.○.○+1. Please review and confirm the conformity.
Response goes to: (Name of the Testing Laboratory)
Testing Laboratory is asked to review the response by: Month/Day/Year

Reviewed by: (Name of the Testing Laboratory)
Writer of this review report:
Person in charge of the review:
Date of review: Month/Day/Year
Comments: As a result of reviewing the source code XX of the software version ○.○.○+1, we have confirmed a successful revision and conformity to the designated requirements.
To be further reviewed by: NA
Further review: Not necessary