The Cryptographic Standard
Apr 1, 2006 12:00 PM, BY LARRY DIETZ
Government organizations are required to follow stringent guidelines for safeguarding their communications and the data in their possession. Experts recognize that cryptographic systems must be subjected to rigorous testing and evaluation before implementation.
Standards are used to classify cryptographic tools and systems. In the U.S. Federal Government, FIPS 140-2 offers an approach for consistent standard assignment and methodology.
The Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules, is a government standard that validates security claims for products using cryptography through the National Institute of Standards and Technology.
For technology suppliers to the U.S. Federal Government, FIPS 140-2 product validation and standardization often require a significant investment of time and dollars for accreditation and documentation. However, following the government's data protection agenda yields greater opportunities for partnership. By law, U.S. government purchasing agents must purchase products that are validated for FIPS 140-2 (or it predecessor, 140-1) over those that are not.
FIPS 140-2 specifies the security requirements to be satisfied by a cryptographic module used within a security system for computer and telecommunication systems, including voice, that protect sensitive but unclassified (SBU) information. Signed on June 22, 2001, FIPS 140-2 supersedes FIPS 140-1 and places additional, more stringent requirements in a number of security areas.
There are four levels of security to FIPS 140-2, from Level 1, the lowest, to Level 4, the highest. Level 1 specifies basic security requirements for a cryptographic module, such as a PC encryption board. This level enables the software and firmware components of a cryptographic module to be executed on a general-purpose computing system using an unevaluated operating system. No authentication or role-based authentication is required.
Security Level 2 enhances the physical security mechanisms of a cryptographic module meeting Security Level 1 requirements by adding the requisite for tamper-evident coatings or seals or pick-resistant locks. This level calls for role-based authentication of users.
Security Level 3 builds on the requirements of Levels 1 and 2, particularly the tamper-evident physical security mechanisms, by requiring enhanced physical security that aims at preventing intruders from gaining access to critical security parameters held within the cryptographic module. Level 3 also calls for identity-based authentication to augment the security provided by the role-based authentication mechanisms outlined in Level 2. In addition, Security Level 3 requires that the entry or output of plain text critical security parameters use ports that are physically separated from other ports.
Security Level 4 provides the highest level of security defined in FIPS 140-2. This level provides a complete envelope of protection around the cryptographic module to detect and respond to unauthorized attempts at physical access. If this protection is penetrated, all plain text critical security parameters within the module are zeroed.
Cryptographic-based security systems are typically used in a variety of applications, environments and industries. From data storage, network communications and access control to video, radio and even facsimile, cryptographic systems are an integral component of many business programs and applications. These systems are also found across a range of industries, from financial services and health care to government.
The cryptographic services offered by a cryptographic module — whether encryption, authentication, key management or digital signatures — are based on application- and environment-specific factors. The appropriate security level for a specific cryptographic module must, in turn, meet the security requirements of both the application and environment in which the module will be used as well as services the module will provide.
Government standards such as FIPS 140-2 also require that remote sessions remain protected. To that end, these solutions must be validated to meet FIPS 140-2 requirements and provide strong encryption such as 256-bit cipher strength AES encryption in order to protect both the authorization process and the data stream itself from eavesdropping and hacker attacks.
ABOUT THE AUTHOR
In his current position at Symantec Corp., Larry Dietz leads government solutions market development focusing on the federal, military and intelligence segments.
Want to use this article? Click here for options!
© 2008 Penton Media Inc.
Story Missing Your Link?
Is the above story missing a link? Is it missing a link to your company, or your website? If this is the case please e-mail us and we'll add the link as soon as possible. Thank you!
advertisement
