Understanding ECIES Availability in FIPS Validated Libraries

A module can be FIPS 140 validated and still include non-validated features like ECIES. You can see multiple instances of this in various validation documents:

The trick is that to use those modules in a FIPS-compliant way, you must use only the validated algorithms. For instance, in the BlackBerry document:

… ECIES … encryption algorithm are supported as non FIPS Approved
algorithms. In order to operate the module in compliance with FIPS,
these algorithms should not be used.

This is backed up by the NIST guidance:

NOTE2: The operator of a cryptographic module is responsible for
ensuring that the algorithms and key lengths are in compliance with
the requirements of NIST SP 800-131A.

So, although a module can be FIPS 140-2 validated, the onus is on the operator to ensure that it is used in compliance with the current standard. With that understanding, the maker of a module can include non-FIPS-validated algorithms for other purposes.
