When people talk about "FIPS Certification" in connection with computer security, what they're usually talking about is the Federal Information Processing Standard (FIPS) Publication 140-2, a federal standard used to accredit cryptographic "engines" inside of software or hardware implementations. The FIPS 140-2 program tests security software and hardware approved for government "sensitive, but un-classified (SBU)" information. Over the years, Mocana has built substantial expertise in attaining FIPS 140-2 certification, and virtually every Mocana product either comes standard with FIPS-certified cryptographic modules or has it available as an option.
For software, only binary software implementations compiled for specific OS and hardware environments can receive certificates. Uncompiled source code or mathematical algorithms, in and of themselves, are never certified under FIPS 140-2.
NIST, the National Institute of Standards and Technology wrote the FIPS 140 Publication Series to standardize federal requirements for cryptography modules whether they be implemented in software, hardware, or a combination of both. Most federal agencies and departments require that any computer security implementations that they, or their contractors use, contain only FIPS-certified cryptographic modules. So for companies selling security products to the Federal government, contractors or allies overseas, FIPS certification is crucial.
Federal buyers can validate that the crypto "engine" inside of a Mocana product is certified anytime, by asking Mocana to present the FIPS 140-1 and/or FIPS 140-2 certificates (issued by NIST) which specify the exact module that NIST tested, when, as well as the hardware, software, firmware, and/or applet version numbers.
FIPS Cryptographic Module Validation Program
FIPS 140-2 lays out the government's Cryptographic Module Validation Program (CMVP), a joint effort of NIST and the Canadian Communications Security Establishment (CSE). In addition to supporting module testing and validation projects, the CMVP program also helps develop, manage and promote security assessment tools, techniques and services. As part of its FIPS-mandated work, the CMVP develops and maintains security metrics, creates evaluation methodologies, sets criteria for certification in the lab, guides users on the proper application of tested products, and coordinates with industry standards bodies.
FIPS Security Levels
FIPS 140-2 identifies four levels of security, from "Level 1" to "Level 4", but it doesn't advise on what level of security you should use for a specific application.
Level 1
FIPS 140-2 Security Level 1 provides the most basic level of security, but is the highest certification allowed for software-only products. At least one "Approved" algorithm or "Approved" security function must be used inside the cryptographic module evaluated. No physical security mechanisms (like tamper-proofing) are required in Level 1 modules beyond the basic requirement for "production-grade components." Virtually all Mocana products, including NanoSSH, NanoSec and NanoSSL can be purchased with integrated FIPS 140-2 Level 1 certified cryptographic modules. For some Mocana products, FIPS-certified crypto is standard. For other products, it is an option. Ask your sales representative for more information or email sales@mocana.com.
Level 2
FIPS Level 2 requires physical tamper-proofing features on top of the requirements of Level 1. This can include tamper-evident seals, covers or coatings that must be broken to access to electronically stored cryptographic keys (or other "critical security parameters" within the module. For secured facilities, pick-resistant locks and doors should protect against access by unauthorized persons.
Level 3
In addition to the requirements of Level 2, Level 3 specifies additional measures to prevent intruders from gaining access to keys and other critical security parameters inside the cryptographic module. Physical security mechanisms required in Level 3 are designed to deliver a high probability of detecting and responding to physical access attempts, or unauthorized use or changes to a cryptographic module. The mechanisms can include strong enclosures or tamper-response circuitry that destroys cryptographic keys if disturbed.
Level 4
Security Level 4 provides the highest level of security. In addition to the protections of levels 1 through 3, Level 4 protections provide a complete envelope of security around the cryptographic module for the purpose of detecting and responding to all unauthorized attempts at physical access. Penetration of the cryptographic module enclosure should result in a very high probability of being detected. Once detected, all plaintext keys and CSPs must be destroyed. Security Level 4 cryptographic modules are useful for operation in unprotected, untrustworthy settings, and can also protect keys against accidental disclosure due to environment-induced enclosure failures or voltage fluctuations.
Getting Tested for FIPS
Most of the time, customers requiring FIPS certification will be satisfied that you built your product using a professionally developed solution that itself contains FIPS 140-2 Level 1 certified cryptographic modules. Virtually all of the components that make up Mocana's Device Security Framework fit this description, as well as popular Mocana products like NanoSSH, NanoSSL and NanoSec. Occasionally, though, your customer will demand that your total implementation be validated, and in that case, you'll need the product to be tested. All of the CMVP tests are run by third-party laboratories that are accredited as Cryptographic Module Testing laboratories laboratories by NIST's National Voluntary Laboratory Accreditation Program. You're allowed to use any of the thirteen accredited labs. For a list of accredited labs, contact your Mocana sales rep at sales@mocana.com.
Once testing is completed, an overall rating is issued for your cryptographic module, which specifies the lowest of the independent ratings received in the "level areas" and the fulfillment (or lack thereof) of all the requirements in the other areas. On your validation certificate, individual ratings are listed, as well as your overall rating.
NIST keeps validation lists for all of its cryptographic standards testing programs, and these lists are updated as new products receive validation certificates.
Mocana Can Help
Still confused about FIPS certification? We're experts, and we're here to help. Call us at 415 617-0055 or email us anytime at sales@mocana.com.
