Difference between revisions of "FIPS 140"
(→Context) |
(→Context) |
||
(9 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
==Full Title== | ==Full Title== | ||
− | Federal Information Processing Standard 140 Security Requirements for Cryptographic Modules. | + | Federal Information Processing Standard 140 Security Requirements for [[Cryptographic Modules]]. |
+ | |||
==Context== | ==Context== | ||
− | Latest version as of 2019-05-22 is [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3], version 3. | + | * A new approach to release NIST SP 800-14B [https://mail.google.com/mail/u/0/?q=ccg#inbox/FMfcgzGqQwDLzGxwqMzpnqcbCStzJWQf CMVP Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B], is scheduled for public comment by 2022-12-05 |
+ | * Latest version as of 2019-05-22 is [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf FIPS 140-3], version 3. | ||
+ | * The newer version are issued as a joint effort with the Canadians called CMVP. | ||
+ | * An interesting article on how [https://a2d2.medium.com/good-things-fall-apart-3db6764737c4 Good Things Fall Apart] CAVP, CMVP, FIPS 140–3, and why we need a better way to measure good cryptography with ideally less acronyms | ||
− | + | ==Open Source== | |
− | + | * Originally FIPS implementations were very expensive to get approved by the NVLAP (now CAVP) process and so were closed source. | |
− | https:// | + | * On 2023-10-05 [https://aws.amazon.com/blogs/security/aws-lc-is-now-fips-140-3-certified/ AWS-LC is now FIPS 140-3 certified] AWS created a Open Source version that was FIPS 140-3 certified. This is needed to create wallets of the type required by the DHS SVIP grant program. |
+ | * On 2022-08-23 [https://www.openssl.org/blog/blog/2022/08/24/FIPS-validation-certificate-issued/ OpenSSL 3.0 FIPS 140-2 Validation Certificate Issued] | ||
==Comparisons== | ==Comparisons== | ||
Line 14: | Line 19: | ||
ISO/IEC 19790:2012(E), Information technology — Security techniques — Security requirements for cryptographic modules, is an international standard based on updates of the earlier versions of FIPS 140, Security Requirements for Cryptographic Modules. ISO/IEC 24759:2017(E), Information technology — Security techniques — Test requirements for cryptographic modules is an international standard based on the Derived Test Requirements for FIPS 140-2, Security Requirements for Cryptographic Modules. It is currently in the best interest to use these standards, superseding those sections where national standards are permitted. Therefore, FIPS 140-3 is based on ISO/IEC 19790:2012/Cor.1:2015(E) and ISO/IEC 24759:2017(E). The following documents identify those elements that are superseded or modified. | ISO/IEC 19790:2012(E), Information technology — Security techniques — Security requirements for cryptographic modules, is an international standard based on updates of the earlier versions of FIPS 140, Security Requirements for Cryptographic Modules. ISO/IEC 24759:2017(E), Information technology — Security techniques — Test requirements for cryptographic modules is an international standard based on the Derived Test Requirements for FIPS 140-2, Security Requirements for Cryptographic Modules. It is currently in the best interest to use these standards, superseding those sections where national standards are permitted. Therefore, FIPS 140-3 is based on ISO/IEC 19790:2012/Cor.1:2015(E) and ISO/IEC 24759:2017(E). The following documents identify those elements that are superseded or modified. | ||
+ | |||
+ | The supported crypto suites are in the [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-140C.pdf SP 800-140C] doc. | ||
+ | |||
+ | The following search will show the versions of SP 800-140 that override the appendices in the ISO standard. | ||
+ | |||
+ | https://csrc.nist.gov/search?keywords=sp+800-140&ipp=25&sortBy=relevance&showOnly=publications%2Cprojects%2Cnews%2Cevents%2Cpresentations%2Cglossary%2Ctopics&topicsMatch=ANY&status=Final%2CDraft&series=FIPS%2CSP%2CNISTIR%2CITL+Bulletin%2CWhite+Paper%2CBuilding+Block%2CUse+Case%2CJournal+Article%2CConference+Paper%2CBook | ||
==References== | ==References== | ||
Line 20: | Line 31: | ||
[[Category: Security]] | [[Category: Security]] | ||
[[Category: Standard]] | [[Category: Standard]] | ||
+ | [[Category: Cryptography]] |
Latest revision as of 14:15, 15 February 2024
Full Title
Federal Information Processing Standard 140 Security Requirements for Cryptographic Modules.
Context
- A new approach to release NIST SP 800-14B CMVP Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B, is scheduled for public comment by 2022-12-05
- Latest version as of 2019-05-22 is FIPS 140-3, version 3.
- The newer version are issued as a joint effort with the Canadians called CMVP.
- An interesting article on how Good Things Fall Apart CAVP, CMVP, FIPS 140–3, and why we need a better way to measure good cryptography with ideally less acronyms
Open Source
- Originally FIPS implementations were very expensive to get approved by the NVLAP (now CAVP) process and so were closed source.
- On 2023-10-05 AWS-LC is now FIPS 140-3 certified AWS created a Open Source version that was FIPS 140-3 certified. This is needed to create wallets of the type required by the DHS SVIP grant program.
- On 2022-08-23 OpenSSL 3.0 FIPS 140-2 Validation Certificate Issued
Comparisons
In 2001, FIPS 140-2 superseded FIPS 140-1. FIPS 140-2 incorporated changes in applicable standards and technology since the development of FIPS 140-1 as well as changes that were based on comments received from the vendor, laboratory, and user communities. Though the standard was reviewed after 5 years, consensus to move forward was not achieved until publication of the 2012 revision of International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 19790
FIPS 140-3 supersedes FIPS140-2. FIPS 140-3 aligns with ISO/IEC 19790:2012(E) and includes modifications of the Annexes that are allowed to CMVP (as a validation authority). The testing for these requirements will be in accordance with ISO/IEC 24759:2017(E), with the modifications, additions or deletions of vendor evidence and testing allowed as a validation authority under paragraph 5.2. Major changes in FIPS 140-3 are limited to the introduction of non-invasive physical requirements.
ISO/IEC 19790:2012(E), Information technology — Security techniques — Security requirements for cryptographic modules, is an international standard based on updates of the earlier versions of FIPS 140, Security Requirements for Cryptographic Modules. ISO/IEC 24759:2017(E), Information technology — Security techniques — Test requirements for cryptographic modules is an international standard based on the Derived Test Requirements for FIPS 140-2, Security Requirements for Cryptographic Modules. It is currently in the best interest to use these standards, superseding those sections where national standards are permitted. Therefore, FIPS 140-3 is based on ISO/IEC 19790:2012/Cor.1:2015(E) and ISO/IEC 24759:2017(E). The following documents identify those elements that are superseded or modified.
The supported crypto suites are in the SP 800-140C doc.
The following search will show the versions of SP 800-140 that override the appendices in the ISO standard.
References
- See wiki page Hardware Protection for a discussion of hardware versus software protection.