FIPS 140-2 - Security requirements for cryptographic modules

FIPS 140-1, now superseded by FIPS 140-2, has been made mandatory and binding by the U.S. Secretary of Commerce and is applicable to all U.S. Government departments and agencies which use cryptographic-based security systems to protect unclassified information within computer and telecommunication systems (including voice systems) that are not national security systems.

NVLAP-accredited Cryptographic Modules Testing (CMT) laboratories perform validation testing of cryptographic modules. Cryptographic modules are tested against requirements found in FIPS PUB 140-2, Security Requirements for Cryptographic Modules. Security requirements cover 11 areas related to the design and implementation of a cryptographic module.

The 11 areas are:

  • Cryptographic Module Specification
  • Cryptographic Module Ports And Interfaces
  • Roles, Services, And Authentication
  • Finite State Model
  • Physical Security
  • Operational Environment
  • Cryptographic Key Management
  • Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC)
  • Self-Tests
  • Design Assurance
  • Mitigation Of Other Attacks

Within most areas, a cryptographic module receives a security level rating (1-4, from lowest to highest), depending on what requirements are met. For other areas that do not provide for different levels of security, a cryptographic module receives a rating that reflects fulfillment of all of the requirements for that area.

An overall rating is issued for the cryptographic module, which indicates (1) the minimum of the independent ratings received in the areas with levels, and (2) fulfillment of all the requirements in the other areas. On the validation certificate, individual ratings are listed, as well as the overall rating. It is important for users of cryptographic modules to realise that the overall rating of a cryptographic module is not necessarily the most important rating. The rating of an individual area may be more important than the overall rating, depending on the environment in which the cryptographic module will be implemented, which includes understanding what risks the cryptographic module is intended to address.

All Senetas Security products are designed to the following FIPS 140-2 levels:

  • Key Management - Level 3
  • Module Interfaces - Level 3
  • Roles and Services - Level 3
  • Software Security - Level 3
  • Self Tests - Level 3
  • EMI/EMC - Level 3
  • Cryptographic Module Design - Level 2
  • Finite State Machine Model - Level 2
  • Physical Security - Level 2

A user can be confident that a product that's been evaluated to FIPS 140-2 will meet the stated security levels.