Mythics Blog

Evaluating Cryptographic Modules Using FIPS 140-2

Posted on April 29, 2013 by Sean Wang

Tags: Mythics Consulting, FIPS, Security

Federal Information Processing Standards (FIPS) 140-2 is used to accredit cryptographic modules (hardware and software) used on federal government computer systems that process sensitive information.  FIPS 140-2 defines four Security Levels (namely Level 1 to Level 4) and 11 requirements. Cryptographic modules are accredited at different levels based on how they meet the requirements. The actual tests are conducted under Cryptographic Module Validation Program (CMVP). It is important for any vendor supplying cryptographic modules to federal information systems to have their products accredited.

The 11 requirements defined in FIPS 140-2 are:

  • Cryptographic Module Specification
  • Cryptographic Module Ports and Interfaces
  • Roles, Services and Authentication
  • Finite State Model
  • Physical Security
  • Operational Environment
  • Cryptographic Key management
  • Self-Tests
  • Design Assurance
  • Mitigation of Other Attacks

While some requirements are the same for all four Security Levels, such as, Cryptographic Module Specification, and Finite State Model, some other requirements are very specific for each Security Level, such as Physical Security, Operational Environment and Design Assurance. Cryptographic modules are evaluated more specifically on those requirements when accredited for certain Security Level.

For example, Physical Security, Level 1 has no requirement for “specific physical security mechanisms” other than “the basic requirement for production-grade components.”  Level 2 enhances Level 1 by adding the requirement of temper-evidence. Level 3 adds additional requirement of temper detection and response to attempts to gain access. Level 4, the highest level, adds further requirement beyond Level 3, a complete envelop around the cryptographic module.

Similarly, for other requirements, enhanced security mechanisms are introduced when moving up on the Security Level. A cryptographic module must pass all the appropriate requirements of a particular level for it to be accredited at that level, that is, the overall rating of the Security Level of a cryptographic module is the lowest individual rating of all the requirement areas.

What Security Level can your cryptographic module be accredited at?


  • ! No comments yet

Leave a Comment