Initially developed for US Federal agencies using cryptography-based security systems, the FIPS 140-1 standard became a widely used benchmark throughout the business world. FIPS 140-2 is an updated version of the original standard, and product validations to the new standard superseded FIPS 140-1 in May 2002. Today, all new validations are carried out to the FIPS 140-2 version of the standard; validations to FIPS 140-1 remain valid.
For a product to obtain FIPS 140 validation, it has to be submitted to an independent accredited test facility, which evaluates it and recommends to NIST which of the four security levels the product meets. Security Level 1 is the lowest and Security Level 4 is the highest. The certificate confirming the product's security rating is issued by NIST and documented on its website.
Thales e-Security has a long history of having its products validated to the FIPS 140 standard, together with a number of other international and national security schemes. Validation provides customers with the confidence that they are purchasing products whose security has been proven independently.
Briefly, the four security levels under FIPS 140-1 or FIPS 140-2 have the following meanings.
- Level 1 provides the most elementary level of assurance. Only basic security requirements are specified. No specific physical security mechanisms are required beyond the use of production-grade components. An example of a Level 1 product might be a PC encryption card (which simply accelerates the rate at which the PC can encrypt data, and makes no claim about the security of cryptographic keys).
- Level 2 enhances the security mechanisms of Level 1 by adding the requirement for tamper evidence. This means that in order to gain access to any Critical Security Parameter (CSP, e.g. secret or private keys), a coating or seal must be broken. Level 2 requires, as a minimum, role-based authentication, in which the cryptographic module authenticates the authorisation of an operator to assume a specific role and perform a corresponding set of services (for example, the loading of CSPs). Only a modest level of design documentation is required.
- Level 3, in addition to the tamper-evident physical security mechanisms of Level 2, attempts to prevent an intruder from gaining access to CSPs by the use of physically strong enclosures and/or measures to detect and respond to penetration attacks by actively erasing CSPs. Identity-based user authentication mechanisms must be employed, and software must be written in a high-level language. Entry of plaintext CSPs must be via dedicated ports. Most complete cryptographic products (hardware and application software) fall into this category. Such products will normally be used in environments where some degree of physical access control is in place, e.g. a computer centre.
- Level 4 is the highest level available. Physical security mechanisms must provide a complete envelope of protection around the cryptographic module, so that any means of access is detected and results in erasure of all CSPs. This level also protects the module against security compromise due to environmental conditions or fluctuations beyond the normal operating ranges of voltage and temperature. Software must be designed using formal modelling techniques. Such products are useful in environments where no physical access control is provided.
At Thales e-Security our policy has been to ensure that the secure cryptographic module used inside products (known as the Secure Generic Sub-System, SGSS) is validated to at least Level 3. Where market conditions require it, products which incorporate the SGSS are also validated to FIPS 140-2 Level 2 or 3 as appropriate. In these cases such validation covers the complete product hardware and software environments, together with the cryptographic algorithms and functions.