In the world of cryptography and cybersecurity, many organizations rely on a standard known as FIPS 140-2 validated cryptography to protect their data. But what is FIPS 140-2 exactly? FIPS 140-2 stands for Federal Information Processing Standard (FIPS) Publication 140-2, which is an American National Standard developed by the U.S. government. Federal government and private companies across various industries use cryptographic modules to protect their computer systems.
This blog post will explain what FIPS 140-2 validated cryptography is and why it's important.
What is FIPS 140-2?
FIPS 140-2 is a cryptographic standard used by the United States federal government. FIPS 140-2 defines four levels of security, each of which requires different levels of physical and logical security. Level 1 is the lowest level of security, while Level 4 is the highest.
FIPS 140-2 is a United States federal government standard that details requirements for cryptographic modules. Cryptographic modules used in products and systems must undergo rigorous testing to ensure they meet the standards set forth by FIPS 140-2. Some of the requirements for FIPS 140-2 include:
- The cryptographic module must be tamper resistant
- The cryptographic module must implement approved security functions
- The cryptographic module must provide adequate security strength
- The cryptographic module must be tested and validated
Federal Information Processing Standard (FIPS) 140-2 is a U.S. government standard that specifies requirements for cryptographic modules used within security systems to protect sensitive data. In order to be FIPS 140-2 compliant, a cryptographic module must be validated at one of the four levels.
The Different Types of Cryptography
Cryptography can be divided into three main types: symmetric, asymmetric, and hashing.
Symmetric, also known as private-key cryptography, relies on a single key that must be shared between sender and receiver: the most frequently used is Advanced Encryption Standard (AES). This protocol is utilized in Transport Layer Security (TLS) to encrypt communication between web browsers and servers.
Asymmetric or public-key cryptography has two keys that are required - a public key that is available to all and a private key that is kept secret by its owner. The Rivest-Shamir-Adleman (RSA) algorithm is the most common form of this type of encryption, which again is utilized in TLS for browser-server communication.
Hashing produces an output of a fixed size irrespective of its input size; Secure Hash Algorithm (SHA) is the most widely used hashing algorithm employed in TLS to create message digests that verify message integrity.
Pros and Cons of FIPS 140-2 Validated Cryptography
When it comes to protecting your data, using FIPS 140-2 validated cryptography is one option. Below is a chart with a few pros and cons of this solution for you to consider when deciding if FIPS 140-2 validated cryptography is suitable for your needs.
|Approved by the U.S. government||High cost|
|Provides more security||May not be supported by all platforms outside of North America.|
How to Use FIPS 140-2 Validated Cryptography?
If you're looking to use cryptography that has been validated according to the FIPS 140-2 standard, there are certain steps that need to be taken.
The National Institute of Standards and Technology (NIST) oversees a testing and validation process for cryptographic modules which must pass in order to be listed on their Validated Cryptographic Module List.
Your chosen module should meet your specific security needs, with four levels of compliance available - Level 1 is generally adequate for most commercial applications while Levels 2, 3, and 4 offer increased protection and are usually used in more sensitive environments.
When integrating the module into your product or system, you should validate that it provides an interface that allows it to work with any other relevant components.
Following these steps will ensure that your product or system benefits from the highest level of security offered by FIPS 140-2 validated cryptography.
Alternatives to FIPS 140-2 Validated Cryptography
Alternative cryptography standards to FIPS 140-2 that can be used as a substitute include AES (Advanced Encryption Standard), Camellia, and Serpent. However, each of these other options comes with its own set of pros and cons, so it is important to select the one that best serves the purpose.
Additionally, open source encryption projects like OpenSSL, GnuPG, and TrueCrypt provide other options for higher security levels without government validation.
For further options, commercial cryptographic products from renowned names such as Symantec and McAfee are available as well.
FIPS 140-3 Validated Cryptography
In 2021, the National Institute of Standards and Technology (NIST) published FIPS 140-3, which is an updated version of the FIPS 140-2 standard. The new version features more stringent requirements for cryptographic algorithms and key lengths. Additionally, it also incorporates a number of security enhancements to improve the overall level of protection provided by validated cryptography.
FIPS 140-3 validated cryptography offers an improved level of security compared to FIPS 140-2, so organizations looking for the highest possible security should consider using this standard instead of its predecessor.
FIPS 140-2/3 Validated Modules
Users in Federal Government organizations and their contractors are advised to utilize the validated module search to aid in product acquisition in the NIST Cryptographic Module Validation Program (CMVP).
Only modules tested and validated to FIPS 140-2 or FIPS 140-3 meet the requirements for cryptographic modules to protect sensitive information. Simply implementing an approved security function and acquiring algorithm validation certificates does not meet the FIPS 140-2 or FIPS 140-3 requirements. You can find the NIST module search here.
The validated modules search provides access to the official validation information of all cryptographic modules that have been tested and validated under the Cryptographic Module Validation Program. The search results list all issued validation certificates that meet the supplied search criteria and provide a link to view more detailed information about each certificate. The Certificate Detail listing provides detailed module information including algorithm implementation references to the CAVP algorithm validation, Security Policies, original certificate images or reference to the consolidated validation lists, and vendor product links if provided. If a validation certificate is marked as revoked, the module validation is no longer valid and may not be referenced to demonstrate compliance with the 140 standards.
FedRAMP Memo on historical FIPS Modules
The NIST Cryptographic Module Validation Program (CMVP) has moved many Federal Information Processing Standards 140 (FIPS 140) validated crypto modules to historical status due to the transition to NIST SP 800-56A Rev 3, which aims to enhance the secure key establishment algorithm using asymmetric algorithms. CSPs and 3PAOs must take the following actions regarding CMs in historical status:
- For initial authorization and continuous monitoring, CSPs must capture replacement CMs that have been submitted for testing or are listed as in-process with CMVP in the POA&M as a vendor dependency.
- They must also provide a replacement CM implementation plan and timeline to the Authorizing Official (JAB or Agency AO) for approval.
- If a replacement cannot be identified or is otherwise not planned by the CM author, CSPs must document a plan to transition to a new CM as an open POA&M for systems in continuous monitoring and redesign around a different CM for systems pursuing an initial authorization.
For readiness assessments, CSPs must document replacement CMs that have been submitted for testing or are in development with plans to submit for CMVP testing in the Mandates section in the Readiness Assessment Report (RAR). If a replacement cannot be identified or is otherwise not planned by the CM author, CSPs must redesign around a different CM and complete the implementation before pursuing FedRAMP Ready. 3PAOs must review and confirm the status and remediation plan for CMs in historical status due to SP 800-56A Rev 3 transition. You can find more detailed information on this memo here.
FIPS 140-2 validated cryptography is a beneficial tool that assists organizations to stay compliant with data protection and regulations while guarding their encryption technologies against possible attacks. It offers a way to test and confirm the correct implementation of cryptographic solutions, aligned with federal standards. With this validation in place, organizations can be certain that all the necessary steps have been taken to safeguard their sensitive data.