
What is FIPS PUB 140-2?

“FIPS PUB” is an abbreviation for Federal Information Processing Standards Publication; “140-2” designates a standard entitled “Security Requirements for Cryptographic Modules.” FIPS 140-2 is a replacement for the earlier FIPS 140-1. It was produced by the U.S. National Institute of Standards and Technology (NIST) to outline general requirements for cryptographic modules within computer and telecommunication systems. A cryptographic module is defined as any combination of hardware, firmware or software that implements cryptographic functions such as encryption, decryption, digital signatures, authentication techniques and random number generation. The FIPS PUB 140-2 security requirements cover 11 areas related to the design and implementation of a cryptomodule. Within most areas, a cryptomodule receives a security level rating (i.e., 1-4, from lowest to highest), depending on what requirements are met.

Why is it important?

Information technology security professionals in the U.S. and Canadian federal governments, as well as in industry, recognize that a cryptographic product can be securely used for protecting sensitive, unclassified information when the product is validated against the FIPS PUB 140-2 security requirements. Most organizations and agencies mandate that any new cryptographic product used to protect their information be validated to FIPS PUB 140-2. Both the U.S. (NIST) and Canadian (CSE) federal governments have adopted FIPS PUB 140-2. The “Applicability” section of FIPS 140-2 states that:

“This standard is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. Cryptographic modules that have been approved for classified use may be used in lieu of modules that have been validated against this standard. The adoption and use of this standard is available to private and commercial organizations …”

What does validation involve?

Validation testing for FIPS 140-2 falls under the Cryptographic Module Validation Program (CMVP), which was established by NIST and the Communications Security Establishment (CSE) of the Government of Canada. All tests under the CMVP are handled by third-party laboratories that are accredited under the National Voluntary Laboratory Accreditation Program (NVLAP) for test methods for FIPS 140-1 and FIPS 140-2. The vendor submits a sample of the product along with design documentation. The laboratory runs a series of tests on the product and examines the documentation to make sure it was designed according to the rules laid out in FIPS PUB 140-2.

This process involves looking at the following aspects of the product and documentation:

  • Cryptographic Module Specification
  • Cryptographic Module Ports and Interfaces
  • Roles, Services and Authentication
  • Finite State Model
  • Physical Security
  • Operational Environment
  • Cryptographic Key Management
  • Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC)
  • Self Tests
  • Design Assurance
  • Mitigation of Other Attacks

Does validation apply to software?

Yes. Validation applies to the cryptographic module as a whole. In the case of a PC running the Entrust cryptographic module program, the PC itself, the operating system, and the cryptographic software are all considered part of the module and are tested together.


What value does validation offer?

Because of the complex nature of cryptographic products, a user traditionally has little choice but to trust that the product is working as advertised and is actually protecting his or her data in a secure manner. Validation offers the comfort that an independent third party has examined the product in detail and confirmed that it complies with strict security requirements.

Which versions have FIPS 140 validation?

Entrust is an early adopter of the standard. Entrust Cryptographic Kernel V. 1.9 was the first product ever validated; the official certificate was awarded on October 12, 1995, at the National Information Systems Security Conference in Baltimore, Md. At the time of writing, Entrust has 21 cryptographic modules listed on the validation list.

How long does the process take?

Typically, a validation can take anywhere from three months to a year or more. This depends greatly on the nature of the product being evaluated (e.g., hardware, firmware or software, how complex, how many algorithms, what programming language, etc.).

Additional info on FIPS 140-2

The FIPS 140-2 standard, the Derived Test Requirements and validation process details can be found on the CygnaCom Solutions Web site.