Security News

FIPS 140-2 security requirements

security requirements in cryptographic modules

FIPS (Federal Information Processing Standard) 140-2 is a set of standards established by the National Institute of Standards and Technology (NIST) for security requirements in cryptographic modules used in government systems. Cryptographic modules are computer hardware or software that protect data through encryption or other cryptographic methods. The purpose of the FIPS 140-2 standard is to provide a level of assurance that these cryptographic modules are secure and will protect sensitive information from unauthorized access or tampering.

FIPS 140-2 security levels

The standard defines four security levels, each representing an increased security level. The levels range from minimal protection to the highest level of security available. They are intended to provide organizations with a way to choose a cryptographic module that meets their specific security requirements. The four security levels are as follows

  1. Level 1

    This level provides basic protection and is used for applications where cost is a primary consideration. The security requirements at this level are minimal and are designed to prevent the most basic attacks.

  2. Level 2

    This level provides increased security compared to Level 1 and is used for applications where security is more important than cost. This level includes additional security requirements such as key generation, storage, and operational security.

  3. Level 3

    This level offers the highest level of security available under the FIPS 140-2 standard and is used for applications that require the highest level of security. At this level, cryptographic modules must provide multiple layers of security and must be tested against a comprehensive set of attacks.

  4. Level 4

    This level provides the ultimate level of security and is used for applications that require the protection of classified information. Cryptographic modules at this level must meet stringent security requirements and be tested against various sophisticated attacks.

Level Release Date Physical Security Cryptographic Key Management Approved Algorithms
1 May 25, 2006 Basic Limited AES, DES/3DES, RC2, RC4, SHA-1/224/256/384/512, DSA, ECDSA
2 May 25, 2006 Intermediate Improved AES, DES/3DES, RC2, RC4, SHA-1/224/256/384/512, DSA, ECDSA
3 May 25, 2006 High Robust AES, DES/3DES, RC2, RC4, SHA-1/224/256/384/512, DSA, ECDSA
4 May 25, 2006 High Robust AES, DES/3DES, RC2, RC4, SHA-1/224/256/384/512, DSA, ECDSA
Table 2 : FIPS 140-2 Security Levels Comparison Chart

Security Levels Comparison based on

Physical Security

  1. Level 1

    Basic physical security mechanisms, such as tamper-evident packaging, are in place.

  2. Level 2

    Intermediate physical security mechanisms, such as tamper-evident packaging and secure power and reset controls, are in place.

  3. Level 3

    High physical security mechanisms, such as tamper-evident packaging, secure power and reset controls, and physical protection against tampering and unauthorized access, are in place.

  4. Level 4

    The highest level of physical security, with physical protection against tampering and unauthorized access and a secure environment for the module.

Cryptographic Key Management

  1. Level 1

    Limited key management, with the keys generated and used within the module.

  2. Level 2

    Improved key management, with the keys generated, stored, and used within the module, and the ability to securely update keys.

  3. Level 3

    Robust key management, with secure key generation, storage, and use, and the ability to securely update keys.

  4. Level 4

    The highest level of key management, with secure key generation, storage, use, and the ability to securely update keys, and a secure environment for the module.

Approved Algorithms

  1. Level 1, 2, and 3

    AES, DES/3DES, RC2, RC4, SHA-1/224/256/384/512, DSA, ECDSA algorithms are approved for use at each level.

  2. Level 4

    AES, DES/3DES, RC2, RC4, SHA-1/224/256/384/512, DSA, ECDSA algorithms are approved for use at this level.

It’s important to note that the specific security requirements for each level and the algorithms approved for use at each level may be subject to change as technology and security needs evolve.

FIPS 140-2 Security Levels Key Features

Cryptographic algorithms

Cryptographic algorithms play a crucial role in protecting sensitive information and are an important consideration when choosing a cryptographic module. FIPS 140-2 requires that all cryptographic algorithms used in cryptographic modules be approved by NIST and strong enough to provide the required level of security. In addition, the standard requires that cryptographic algorithms be implemented correctly in the cryptographic module to ensure the desired level of security is achieved.

Key management

Key management is a vital component of any cryptographic system, and FIPS 140-2 requires that all cryptographic modules implement secure key management processes. The standard specifies key generation, storage, and transmission requirements to ensure that cryptographic keys are protected from unauthorized access or tampering. This includes requirements for secure key storage, secure key transmission, and the use of secure key escrow processes.

Physical security

Physical security is a vital aspect of protecting cryptographic modules, and the FIPS 140-2 standard specifies requirements for the physical security of cryptographic modules. This includes requirements for the environment in which the cryptographic module must operate, such as temperature, humidity, and electromagnetic interference, and for physical protection from tampering or theft.

Operational security

Operational security refers to the security of the cryptographic module during normal operation, and the FIPS 140-2 standard specifies requirements for operational security. This includes requirements for user authentication, access control, audit logging, and protecting the cryptographic module against unauthorized access, tampering, or modification.

Testing and certification

To ensure compliance with the FIPS 140-2 standard, cryptographic modules must undergo extensive testing by an accredited third-party laboratory. The laboratory must be accredited by NIST and must follow the procedures specified in the standard. Once the cryptographic module has been tested and certified as compliant with the standard, it can be used in government systems that use cryptographic modules that meet the FIPS 140-2 security requirements.

Conclusion

In conclusion, using FIPS 140-2 cryptographic modules assures organizations that their cryptographic systems meet rigorous security requirements and are suitable for protecting sensitive information. By requiring strict security requirements for key management, physical security, operational security, and testing and certification, the FIPS 140-2 standard guarantees that their cryptographic systems are secure, and that sensitive information is protected against unauthorized access or tampering.

The standard provides a clear framework for evaluating cryptographic modules and helps organizations to choose a cryptographic module that meets their specific security needs.

It is important for organizations to be aware of the security requirements specified by the FIPS 140-2 standard and to choose cryptographic modules that meet the standard’s requirements. This will ensure that their cryptographic systems are secure and provide the required level of protection for sensitive information. 

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
Encryption Services

About the Author

Prabhat Kumar Tomar is a Consultant at Encryption Consulting, working with PKIs, HSMs, and working as a consultant with high-profile clients.

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.

Request a demo