The Federal Information Processing Standard 140 (FIPS) are series of publications numbered 140 which are a U.S. government computer security standards that specify requirements for cryptography modules. Federal Information Processing Standards ( FIPS) are publicly announced standards developed by the United States Federal government for use by all non-military The United States of America —commonly referred to as the The federal government of the United States is the central United States Governmental body established by the United States Constitution. This article describes how security can be achieved through design and engineering Standardization (or standardisation) is the process of developing and agreeing upon technical standards. Cryptography (or cryptology; from Greek grc κρυπτός kryptos, "hidden secret" and grc γράφω gráphō, "I write" As of December 2006, the current version of the standard is FIPS 140-2, issued on 25 May 2001. Year 2006 ( MMVI) was a Common year starting on Sunday of the Gregorian calendar. The Federal Information Processing Standard ( '''FIPS''') Publication 140-2 FIPS PUB 140-2 is a U Events 1085 - Alfonso VI of Castile takes Toledo Spain back from the Moors. Year 2001 ( MMI) was a Common year starting on Monday according to the Gregorian calendar.
Contents |
Purpose of FIPS 140
The National Institute of Standards and Technology (NIST) issued the 140 Publication Series to coordinate the requirements and standards for cryptographic modules which include both hardware and software components for use by departments and agencies of the United States federal government. The United States of America —commonly referred to as the FIPS 140 does not purport to provide sufficient conditions to guarantee that a module conforming to its requirements is secure, still less that a system built using such modules is secure. The requirements cover not only the cryptographic modules themselves but also their documentation and (at the highest security level) some aspects of the comments contained in the source code.
User agencies desiring to implement cryptographic modules should confirm that the module they are using is covered by an existing validation certificate. FIPS 140-1 and FIPS 140-2 validation certificates specify the exact module name, hardware, software, firmware, and/or applet version numbers. For Levels 2 and higher, the operating platform upon which the validation is applicable is also listed. Vendors do not always maintain their baseline validations.
The Cryptographic Module Validation Program (CMVP) is operated jointly by the United States Government's National Institute of Standards and Technology (NIST) Computer Security Division and the Communications Security Establishment (CSE) of the Government of Canada. The Cryptographic Module Validation Program ( CMVP) is a joint American and Canadian security accreditation program for cryptographic modules The Communications Security Establishment Canada ( CSEC or CSE) (Centre de la sécurité des télécommunications Canada ( CSTC or CST) is The use of validated cryptographic modules is required by the United States Government for all unclassified uses of cryptography. The Government of Canada also recommends the use of FIPS 140 validated cryptographic modules in unclassified applications of its departments.
Security levels
FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4". The Federal Information Processing Standard ( '''FIPS''') Publication 140-2 FIPS PUB 140-2 is a U It does not specify in detail what level of security is required by any particular application.
- FIPS 140-2 Level 1 the lowest, imposes very limited requirements; loosely, all components must be "production-grade" and various egregious kinds of insecurity must be absent.
- FIPS 140-2 Level 2 adds requirements for physical tamper-evidence and role-based authentication.
- FIPS 140-2 Level 3 adds requirements for physical tamper-resistance (making it difficult for attackers to gain access to sensitive information contained in the module) and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module, and its other interfaces.
- FIPS 140-2 Level 4 makes the physical security requirements more stringent, and requires robustness against environmental attacks.
Scope of requirements
FIPS 140 imposes requirements in eleven different areas:
- Cryptographic module specification (what must be documented)
- Cryptographic module parts and interfaces (what information flows in and out, and how it must be segregated)
- Roles, services and authentication (who can do what with the module, and how this is checked)
- Finite state model (documentation of the high-level states the module can be in, and how transitions occur)
- Physical security (tamper evidence and resistance, and robustness against extreme environmental conditions)
- Operational environment (what sort of operating system the module uses and is used by)
- Cryptographic key management (generation, entry, output, storage and destruction of keys)
- EMI/EMC
- Self-tests (what must be tested and when, and what must be done if a test fails)
- Design assurance (what documentation must be provided to demonstrate that the module has been well designed and implemented)
- Mitigation of other attacks (if a module is designed to mitigate against, say, TEMPEST attacks then its documentation must say how)
Brief history
FIPS 140-1, issued on 11 January 1994, was developed by a government and industry working group, composed of vendors and users of cryptographic equipment. Tamper-evident describes a device or process that makes unauthorised access to the protected object easily detected Tamper resistance is resistance to tampering by either the normal users of a product package or system or others with physical access to it An operating system (commonly abbreviated OS and O/S) is the software component of a Computer system that is responsible for the management and coordination Electromagnetic compatibility (EMC is the branch of electrical sciences which studies the unintentional generation propagation and reception of electromagnetic energy with reference to TEMPEST is a Codename referring to investigations and studies of compromising emanations (CE Events 1055 - Theodora is crowned Empress of the Byzantine Empire. Year 1994 ( MCMXCIV) was a Common year starting on Saturday (link will display full 1994 Gregorian calendar) The group identified the four "security levels" and eleven "requirement areas" listed above, and specified requirements for each area at each level.
FIPS 140-2, issued on 25 May 2001, takes account of changes in available technology and official standards since 1994, and of comments received from the vendor, tester, and user communities. The Federal Information Processing Standard ( '''FIPS''') Publication 140-2 FIPS PUB 140-2 is a U Events 1085 - Alfonso VI of Castile takes Toledo Spain back from the Moors. Year 2001 ( MMI) was a Common year starting on Monday according to the Gregorian calendar. It was the main input document to the international standard ISO/IEC 19790:2006 Security requirements for cryptographic modules issued on 1 March 2006. The International Electrotechnical Commission ( IEC) is a not-for-profit, non-governmental international Standards organization that prepares and publishes Events 86 BC - Lucius Cornelius Sulla, at the head of a Roman Republic army enters in Athens, removing the Tyrant Year 2006 ( MMVI) was a Common year starting on Sunday of the Gregorian calendar.
FIPS 140-3 is a new version of the standard which is currently under development.
External links
- Full text of FIPS 140-2
- General information about Federal Information Processing Standards; includes pointers to FIPS 140-2 and its annexes
- List of FIPS 140-2 Testing Labs
- Opensource FIPS 140-2 Validation Project for Mozilla NSS
Dapyx Software network: MP3 Explorer | Ebook Manager | Zenithic