FIPS 140-2: Just Buzzword Bingo?

Wednesday, June 15, 2011

Jonathan Lampe


I recently received an inquiry from a reporter that read like this:

"Are you comforted, or left cold when you hear a product has FIPS 140-2 validation that guarantees it's implementing encryption modules correctly?"

"Assuming secure data transmission or storage is important in the use case, is this buzzword bingo or a valuable asset?"

My reply to this inquiry was uncharacteristically short:

"Today, fully validated FIPS 140-2 cryptography modules come free or bundled with your OS, your Java runtime, several application packages and some hardware components. These implementations are typically available for your own applications through well-documented APIs."

"Not using FIPS 140-2 cryptography in the year 2011 is like opening a savings account at a bank without the FDIC’s $250K-per-account guarantee. You could do it, and it might work, but why take the risk when a safer option is available for no extra charge?"

I am not the type of person who would insist that everyone use FIPS-validated algorithms for every operation.

But, if your IT department intersects with the finance, health care, government or energy sectors, or is subject to regulations such as PCI-DSS, then you should be using FIPS 140-2 validated cryptography now to protect data-in-transit and data-at-rest.

When the cost to mitigate risk is zero, why not?

Charles S.:

The statement that:

"Today, fully validated FIPS 140-2 cryptography modules come free or bundled with your OS, your Java runtime, several application packages and some hardware components. These implementations are typically available for your own applications through well-documented APIs."

...is not true.

Yes, the security modules found in your operating system may share the same names as modules that have been validated FIPS 140-2 compliant, but that does not mean that your system is FIPS 140-2 compliant.

The cost for FIPS 140-2 compliance is far from zero. Many times, these libraries or frameworks need to be configured or built with very strict guidelines to be considered the same product that has received the FIPS 140-2 validation.

I have done FIPS 140-2 compliance tasks firsthand with:
OpenSSL
OpenSSH
Sun Java 6
Apache Tomcat 5.5 and 6.0
Mozilla NSS

I can tell you that none of these modules are operating in a FIPS 140-2 compliant mode by default, getting them into a FIPS 140-2 compliant mode is not trivial, and operating in a FIPS 140-2 compliant mode is not always a good idea for compatibility reasons.
Charles S.:

Allow me to clarify the business cases in which someone will want to invest the time and expense necessary to achieve FIPS 140-2 validation, not just compliance:
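The disagreement above (the article says validated modules are bundled and ready to use; the comment says they are not in FIPS mode by default and the name of a library proves nothing) comes down to a question a defender can answer on the host itself: is the crypto stack actually operating in FIPS mode? The script below is an added example, not code from the article, its author or any commenter. It assumes a Linux host (the kernel exposes its boot-time flag at `/proc/sys/crypto/fips_enabled`) and a Python whose `hashlib` and `ssl` are backed by OpenSSL, where a FIPS-mode build refuses non-approved digests such as MD5 and refuses to offer cipher suites built on non-approved primitives. The `NON_APPROVED` tags are constructed for this example from OpenSSL's suite-naming conventions.

```python
"""Audit whether this host's Python/OpenSSL stack is actually running in
FIPS 140-2 mode, rather than merely shipping a library whose name matches
a validated module. Added example; not the article's or any commenter's code."""
import hashlib
import ssl

# OpenSSL cipher-suite name fragments that mark a primitive outside the
# FIPS 140-2 approved set (RC4, MD5, ChaCha20, NULL encryption, export
# suites, IDEA, SEED, Camellia, ARIA). Constructed for this example.
NON_APPROVED = ("RC4", "MD5", "CHACHA20", "NULL", "EXP", "IDEA", "SEED",
                "CAMELLIA", "ARIA")


def kernel_fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """True only if the Linux kernel was booted in FIPS mode (flag reads '1').
    A missing file means the platform never made the claim at all."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return False


def md5_blocked():
    """A FIPS-mode OpenSSL rejects MD5 as a security digest, so hashlib.md5()
    raises ValueError there; an ordinary build computes it without complaint."""
    try:
        hashlib.md5(b"probe")
        return False
    except ValueError:
        return True


def non_approved_suites(names):
    """Return the cipher suites (OpenSSL names) that rely on a non-approved
    primitive. Single DES ('DES-CBC-') is flagged; 'DES-CBC3-' (3DES) is not,
    since triple DES remained an approved algorithm under FIPS 140-2."""
    return [n for n in names
            if any(tag in n for tag in NON_APPROVED) or "DES-CBC-" in n]


def audit(cipher_names=None, fips_flag_path="/proc/sys/crypto/fips_enabled"):
    """Collect the three indicators and a combined verdict. Pass cipher_names
    to audit a captured list; omit it to read the live default SSL context."""
    if cipher_names is None:
        ctx = ssl.create_default_context()
        cipher_names = [c["name"] for c in ctx.get_ciphers()]
    bad = non_approved_suites(cipher_names)
    report = {
        "openssl": ssl.OPENSSL_VERSION,
        "kernel_fips_flag": kernel_fips_enabled(fips_flag_path),
        "md5_blocked": md5_blocked(),
        "non_approved_suites": bad,
    }
    # All three must hold before the host even looks like it is in FIPS mode.
    report["looks_like_fips_mode"] = (report["kernel_fips_flag"]
                                      and report["md5_blocked"]
                                      and not bad)
    return report


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On a stock desktop or container image the report typically shows the kernel flag absent, MD5 computing normally and ChaCha20 suites on offer, which is the commenter's point in concrete form. A passing report is still only a sanity check: it shows the library is enforcing FIPS restrictions, not that the exact build and configuration match the validated module's security policy.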

When you want to sell anything that is cryptographically relevant to the DoD or any government working group that looks to the DoD for security specifications. This is not going to be your typical enterprise customers, but specific government entities that require the assurance of cryptographic integrity that FIPS 140-2 provides.
alen adrian:

A lot more has to be said about FIPS, or the Federal Information Processing Standard. It is basically used to accredit cryptographic modules. Though it was initially announced in the year 2001, the last update was done in 2002.