FIPS 140-2: What You Need to Know



I get asked a lot whether our product is FIPS 140-2 certified.  FIPS 140-2 isn't magic.  And typically, an entire product isn't FIPS 140-2 certified; a cryptographic module within the product is FIPS 140-2 validated (the program's own term is "validated", not "certified").

What Should I Be Asking About FIPS 140-2?

The better question: what within the product is FIPS 140-2 validated, and what is it used for?



Make sure you’re not playing knifey spoony.  Know what you’re getting.

Plenty of vendors ship a FIPS 140-2 validated module for SSL/TLS – but that only covers certain kinds of in-flight encryption.  What data is actually encrypted with that FIPS module?  What about data at rest?  Is that path FIPS validated too, or does it go through some other library that was never submitted?

As part of FIPS 140-2, a vendor needs to define the cryptographic boundary (the standard's term for the security boundary) - what's actually included as part of the validation.  The smaller the boundary, the easier it is to pass the validation.  Vendors typically limit the boundary to a very finite set of functions.  And if anything within that boundary changes after the validation, the validation no longer holds for the changed build: a recompiled or patched module is not the module the lab tested, and keeping the certificate current means going back through the process for the change.

What is FIPS 140-2?


It’s simply a standard. A standard that you can code and develop to. 

It was developed by NIST and approved by the U.S. Secretary of Commerce, and it defines the security requirements a cryptographic module must meet: which algorithms are approved, how keys are managed, what self-tests the module runs, and so on.  Ultimately, a vendor has its module tested by an accredited laboratory and submits the results to the government as proof that the module meets that standard.

At the end of the process, the vendor receives a certificate (yay!).

Is FIPS 140-2 important?


Yes.

If I’m a customer, I want to make sure that the encryption algorithms being used are generally agreed to be strong.  You get that if a vendor follows the standard.  But I also want to make sure that vendors are using those algorithms correctly.  That’s what going through the validation and getting the certificate from the government highlights.

If I’m a vendor and I want to sell to the U.S. government, I had better be using approved cryptography.  And the documentation required by and produced from the FIPS process is an easy thing to point to when answering security questions.

Do the FIPS 140-2 levels matter?


YMMV.

The FIPS 140-2 levels are geared for a hardware-centric world.  Software modules typically only achieve Level 1 validation.  



And to level up (achieve Level 2), it is like having to beat the original Mega Man on the original Nintendo (it’s very hard).  With Level 1 you get approved cryptographic algorithms being used in approved, validated ways.

FIPS 140-2 Level 2 adds tamper evidence (and role-based authentication to the module).  If you can visually inspect the device periodically, then tamper evidence makes sense.  When would this be?  If you have relatively few of these items and you can pull a device out and inspect it.  If you have thousands of these devices and you can’t periodically check them … then what’s the point?  Tamper evidence only helps if someone actually looks for the evidence.
