FIPS 140-2
Encyclopedia : F : FI : FIP : FIPS 140-2
The Federal Information Processing Standard (FIPS) Publication 140-2 1, called Security Requirements for Cryptographic Modules, is a United States security standard used to certify cryptographic modules, published in 2001.
Cryptographic Module Validation program
The Cryptographic Module Validation Program 2 was established by the US National Institute of Standards and Technology 3 (NIST) and the Communications Security Establishment 4 (CSE) of the Government of Canada in July 1995.Security programs overseen by NIST and CSE focus on working with government and industry to establish more secure systems and networks by developing, managing and promoting security assessment tools, techniques, services, and supporting programs for testing, evaluation and validation; and addresses such areas as: development and maintenance of security metrics, security evaluation criteria and evaluation methodologies, tests and test methods; security-specific criteria for laboratory accreditation; guidance on the use of evaluated and tested products; research to address assurance methods and system-wide security and assessment methodologies; security protocol validation activities; and appropriate coordination with assessment-related activities of voluntary industry standards bodies and other assessment regimes.
User agencies desiring to implement cryptographic modules should confirm that the module they are using is covered by an existing validation certificate. FIPS 140-1 and FIPS 140-2 validation certificates specify the exact module name, hardware, software, firmware, and/or applet version numbers. For Levels 2 and higher, the operating platform upon which the validation is applicable is also listed. Vendors do not always maintain their baseline validations.
FIPS 140-2 testing in this program
The FIPS 140-2 standard is an information technology security accreditation program for cryptographic modules produced by private sector vendors who seek to have their products certified for use in government departments and regulated industries (such as financial and health-care institutions) that collect, store, transfer, share and disseminate "sensitive, but not classified" information.Laboratories doing the testing
All of the tests under the CMVP are handled by third-party laboratories that are accredited as Cryptographic Module Testing 5 laboratories by the National Voluntary Laboratory Accreditation Program 6. Vendors interested in validation testing may select any of the nine accredited labs.NVLAP accredited Cryptographic Modules Testing laboratories perform validation testing of cryptographic modules. Cryptographic modules are tested against requirements found in FIPS PUB 140-2, Security Requirements for Cryptographic Modules. Security requirements cover 11 areas related to the design and implementation of a cryptographic module. Within most areas, a cryptographic module receives a security level rating (1-4, from lowest to highest), depending on what requirements are met. For other areas that do not provide for different levels of security, a cryptographic module receives a rating that reflects fulfillment of all of the requirements for that area.
Validation
An overall rating is issued for the cryptographic module, which indicates:- the minimum of the independent ratings received in the areas with levels, and
- the fulfillment of all the requirements in the other areas.
NIST maintains validation lists 7 for all of its cryptographic standards testing programs (past and present). All of these lists are updated as new modules/implementations receive validation certificates from NIST and CSE. Items on the FIPS 140-1 and FIPS 140-2 validation list reference validated algorithm implementations that appear on the algorithm validation lists.
See also
References
- Note 1: [FIPS 140-2 documents]
- Note 2: [CMVP website]
- Note 3: [NIST Computer Security website]
- Note 4: [CSE website]
- Note 5: [Cryptographic Module Testing laboratories]
- Note 6: [NVLAP]
- Note 7: [Validation lists]
- Other NIST publications can be viewed [here].
- [Opensource FIPS 140-2 Validation of Mozilla NSS]
From Wikipedia, the Free Encyclopedia. Original article here. Support Wikipedia by contributing or donating.
All text is available under the terms of the GNU Free Documentation License See Wikipedia Copyrights for details.