FIPS 140-3

From Wikipedia, the free encyclopedia

The Federal Information Processing Standard (FIPS) Publication 140-3 (Draft)^[1] is a U.S. government computer security standard used to accredit cryptographic modules. The title is Security Requirements for Cryptographic Modules. The publication is still in draft and has not been officially issued. It is scheduled for signature by the Secretary of Commerce in August 2013.

FIPS 140-3 (Draft) is the proposed revision of FIPS 140-2. The draft has a separate section for software security; requires mitigation of non-invasive attacks when validating at higher security levels; introduces the concept of public security parameters; allows the deference of certain self-tests until specific conditions are met; and strengthens the requirements on user authentication and integrity testing.^[1]

Purpose

The National Institute of Standards and Technology (NIST) issued the FIPS 140 Publication Series to coordinate the requirements and standards for cryptography modules that include both hardware and software components. Federal agencies and departments can validate that the module in use is covered by an existing FIPS 140-2 certificate that specifies the exact module name, hardware, software, firmware, and/or applet version numbers. The cryptographic modules are produced by the private sector or open source communities for use by the U.S. government and other regulated industries (such as financial and health-care institutions) that collect, store, transfer, share and disseminate sensitive but unclassified (SBU) information. A commercial cryptographic module is also commonly referred to as a Hardware Security Module.

Cryptographic Module Validation Program

FIPS 140-2 establishes the Cryptographic Module Validation Program (CMVP) as a joint effort by the NIST and the Communications Security Establishment (CSEC) for the Canadian government.

Security programs overseen by NIST and CSEC focus on working with government and industry to establish more secure systems and networks by developing, managing and promoting security assessment tools, techniques, services, and supporting programs for testing, evaluation and validation; and addresses such areas as: development and maintenance of security metrics, security evaluation criteria and evaluation methodologies, tests and test methods; security-specific criteria for laboratory accreditation; guidance on the use of evaluated and tested products; research to address assurance methods and system-wide security and assessment methodologies; security protocol validation activities; and appropriate coordination with assessment-related activities of voluntary industry standards bodies and other assessment regimes.

References

↑ 1.0 1.1 "FIPS-140 -3: DRAFT Security Requirements for Cryptographic Modules (Revised Draft)". NIST. 2009-12-11. Retrieved 2013-05-18.

External references

"FIPS-140 -3: DRAFT Security Requirements for Cryptographic Modules (Revised Draft)". NIST. 2009-12-11. Retrieved 2013-05-18.
"FIPS 140-3 PUB Development". NIST. 2013-04-30. Retrieved 2013-05-18.
"Cryptographic Module Validation Program (CMVP)". NIST. 2013-04-05. Retrieved 2013-05-18.

v t e Cryptography

History of cryptography Cryptanalysis Cryptography portal Outline of cryptography

Symmetric-key algorithm Block cipher Stream cipher Public-key cryptography Cryptographic hash function Message authentication code Random numbers Steganography

This article is issued from Wikipedia. The text is available under the Creative Commons Attribution/Share Alike; additional terms may apply for the media files.

FIPS 140-3

Purpose

Cryptographic Module Validation Program

See also

References

External references