FIPS-140
FIPS-140, formally known as the Federal Information Processing Standards (FIPS) Publication 140, outlines the security requirements for cryptographic modules that are used in computer and telecommunication systems by federal agencies to protect sensitive but unclassified information. Here are some key points:
History and Development
- FIPS-140 was initially published in 1982 by the National Institute of Standards and Technology (NIST) as a way to standardize security for cryptographic modules.
- It has undergone several revisions to keep up with evolving security needs:
  - FIPS 140-1 (1994) - This was the first revision that included detailed security requirements.
  - FIPS 140-2 (2001) - Added more stringent requirements, including the use of the Cryptographic Module Validation Program (CMVP) for validation.
  - FIPS 140-3 (Draft, 2007) - Focused on improving clarity and addressing new security concerns.
  - FIPS 140-4 (Draft, 2019) - Current draft with updates to address modern cryptographic needs and threats.
Key Components
- Security Levels: FIPS-140 defines four levels of security, from Level 1 (lowest) to Level 4 (highest), each specifying an increasing degree of security assurance:
  - Level 1 - Basic security requirements for a cryptographic module.
  - Level 2 - Adds requirements for tamper evidence, role-based authentication, and controlled paths for data entry and exit.
  - Level 3 - Provides protection against unauthorized attempts to access sensitive security parameters, together with physical security mechanisms.
  - Level 4 - Provides the highest level of security, including protection against environmental attacks such as temperature and voltage manipulation.
- Validation: Cryptographic modules must undergo testing by independent, accredited laboratories as part of the Cryptographic Module Validation Program (CMVP), managed by NIST and the Canadian Centre for Cyber Security (CCCS).
- Requirements: The standard specifies requirements in areas like cryptographic algorithm requirements, key management, self-tests, and physical security.
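The self-test requirement mentioned above, as an added illustration that is not code from the standard or from any validated module: a module runs known-answer tests (KATs) at power-up and, if any test fails, enters an error state in which it withholds all cryptographic services. The `CryptoModule` class, the `KATS` table and the state names are constructed for this example; the expected values are the published FIPS 180-4 "abc" SHA-256 example and RFC 4231 HMAC-SHA-256 test case 1.

```python
import hashlib
import hmac

# Known-answer tests: (function that computes the value, published expected value).
# Constructed table for this example; vectors are from FIPS 180-4 and RFC 4231.
KATS = {
    "SHA-256": (
        lambda: hashlib.sha256(b"abc").hexdigest(),
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    ),
    "HMAC-SHA-256": (
        lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).hexdigest(),
        "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7",
    ),
}


class ModuleError(Exception):
    """Raised when a service is requested while the module is not operational."""


class CryptoModule:
    """Illustrative module with a power-up state machine: INIT -> OPERATIONAL or ERROR."""

    def __init__(self, kats=KATS):
        self.state = "INIT"
        self.failed = []        # names of KATs that did not match
        self._kats = kats

    def power_up(self):
        # Run every KAT before offering any service; one mismatch is enough to fail closed.
        for name, (compute, expected) in self._kats.items():
            if not hmac.compare_digest(compute(), expected):
                self.failed.append(name)
        self.state = "ERROR" if self.failed else "OPERATIONAL"
        return self.state

    def digest(self, data: bytes) -> str:
        # Approved service: available only while the module is operational.
        if self.state != "OPERATIONAL":
            raise ModuleError(f"module not operational (state={self.state}, failed={self.failed})")
        return hashlib.sha256(data).hexdigest()


def simulate_corrupted_kat():
    # Constructed failure case: a tampered expected value must send the module to ERROR.
    bad = dict(KATS)
    bad["SHA-256"] = (KATS["SHA-256"][0], "00" * 32)
    return CryptoModule(bad).power_up()
```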
Impact and Application
- Compliance with FIPS-140 is mandatory for all cryptographic modules used in systems that process sensitive government information.
- It is also often required in commercial sectors such as finance, healthcare, and defense because of the assurance it provides.
- The standard influences the design and implementation of cryptographic products worldwide.