What is FIPS 140-2?
What is the Federal Information Processing Standard (FIPS)?
FIPS (Federal Information Processing Standard) 140-2 is the benchmark for validating the effectiveness of cryptographic hardware. If a product has a FIPS 140-2 certificate you know that it has been tested and formally validated by the U.S. and Canadian Governments. Although FIPS 140-2 is a U.S./Canadian Federal standard, FIPS 140-2 compliance has been widely adopted around the world in both governmental and non-governmental sectors as a practical security benchmark and realistic best practice.
FIPS 140-3 is the latest version of the U.S. government computer security standard used to validate cryptographic modules. As of April 1, 2022, FIPS PUB 140-3 Security Requirements for Cryptographic Modules supersedes FIPS 140-2 for new submissions.
Products certified to FIPS 140-2 can remain valid for 5 years after validation. See the NIST transition page for more details.
FIPS 140-2 Levels
Organizations use the FIPS 140-2 standard to ensure that the hardware they select meets specific security requirements. The FIPS certification standard defines four increasing, qualitative levels of security:
- Level 1: Requires production-grade equipment and externally tested algorithms.
- Level 2: Adds requirements for physical tamper-evidence and role-based authentication. Software implementations must run on an Operating System approved to Common Criteria at EAL2.
- Level 3: Adds requirements for physical tamper-resistance and identity-based authentication. There must also be physical or logical separation between the interfaces by which “critical security parameters” enter and leave the module. Private keys can only enter or leave in encrypted form.
- Level 4: Makes the physical security requirements more stringent, requiring the module to be tamper-active, erasing the contents of the device if it detects various forms of environmental attack.
The FIPS 140-2 standard technically allows for software-only implementations at level 3 or 4, but applies such stringent requirements that very few have been validated.
For many organizations, requiring FIPS certification at FIPS 140-2 level 3 is a good compromise between effective security, operational convenience, and choice in the marketplace.
Why is FIPS 140-2 important?
Information technology security professionals in the U.S. and Canadian federal governments, as well as in industry, recognize that a cryptographic product can be securely used for protecting sensitive, unclassified information when the product is validated against the FIPS PUB 140-2 security requirements. Most organizations and agencies mandate that any new cryptographic product used to protect their information be validated to FIPS PUB 140-2. Both the U.S. (NIST) and Canadian (CSE) federal governments have adopted FIPS PUB 140-2. The “Applicability” section of FIPS 140-2 states that:
“This standard is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. Cryptographic modules that have been approved for classified use may be used in lieu of modules that have been validated against this standard. The adoption and use of this standard is available to private and commercial organizations …”
What does validation involve?
Validation testing for FIPS 140-2 falls under the Cryptographic Module Validation Program (CMVP), which was established by NIST and the Communications Security Establishment (CSE) of the Government of Canada. All tests under the CMVP are handled by third-party laboratories that are accredited under the National Voluntary Laboratory Accreditation Program (NVLAP) for test methods for FIPS 140-1 and FIPS 140-2. The vendor submits a sample of the product along with design documentation. The laboratory runs a series of tests on the product and examines the documentation to make sure it was designed according to the rules laid out in FIPS PUB 140-2.
This process involves looking at the following aspects of the product and documentation:
- Cryptographic Module Specification
- Cryptographic Module Ports and Interfaces
- Roles, Services and Authentication
- Finite State Model
- Physical Security
- Operational Environment
- Cryptographic Key Management
- Electromagnetic Interference/Electromagnetic Compatibility (EMC/EMI)
- Self Tests
- Design Assurance
- Mitigation of Other Attacks
Does validation apply to software?
Yes. Validation applies to the cryptographic module as a whole. In the case of a PC running the Entrust cryptographic module program, the PC itself, the operating system, and the cryptographic software are all considered part of the module and are tested together.
What value does validation offer?
Because of the complex nature of cryptographic products, a user traditionally has little choice but to trust that the product is working as advertised and is actually protecting his or her data in a secure manner. Validation offers the comfort that an independent third party has examined the product in detail and ensures it complies with strict security requirements.
Which versions have FIPS 140 validation?
Entrust is an early adopter of the standard. Entrust Cryptographic Kernel V. 1.9 was the first product ever validated; the official certificate was awarded on October 12, 1995, at the National Information Systems Security Conference in Baltimore, Md. At the time of writing, Entrust has 21 cryptographic modules listed on the validation list.
How long does the process take?
Typically, a validation can take from three months to a year or more. This depends greatly on the nature of the product being evaluated (e.g., hardware, firmware or software, how complex, how many algorithms, what programming language, etc.).
Additional info on FIPS 140-2
The FIPS 140-2 standard, the Derived Test Requirements and validation process details can be found on the CygnaCom Solutions Web site.