Encryption and NIST FIPS 140 (FIPS 140-2)
In April 2022, NIST stopped accepting applications for validation certificates under the FIPS 140-2 standard in favor of the updated FIPS 140-3. While many companies are still waiting for their FIPS 140-2 certification (if they got their application in before the April deadline), many are now considering adopting the new 140-3 standard.
But to understand the new standard, it's important to understand the old. FIPS 140-2 has been the NIST standard for cryptographic modules for almost two decades, and its impact will still be felt for years to come.
What Is FIPS 140-2?
The Federal Information Processing Standard Publication (FIPS) 140-2 is a publication by the National Institute of Standards and Technology (NIST) that defines the requirements for cryptographic modules used in federal security applications.
In this context, it's important to understand what a "cryptographic module" is. When we think of cryptography, we often think of encryption and obfuscation, which is true and a necessary part of the process. However, a module is better understood as the combination of hardware, software, and firmware that implements cryptographic security functions:
- Software: What we normally think of when we think of cryptography. This includes software implementations of encryption of any kind, hashing such as MD5 (note that MD5 itself is not a FIPS-approved algorithm; a validated module must use approved functions such as the SHA-2 family), and other techniques.
- Hardware: Hardware-based cryptography uses part of the system's hardware to aid in encryption, providing dedicated resources that improve speed and strength. Additionally, hardware encryption can encrypt information in memory, depending on the implementation, which can protect information while it is being used.
- Firmware: Most pieces of hardware carry small pieces of stable software, called firmware, that help them integrate with other hardware and operating systems. Attackers can compromise firmware, as they can any other software, and thus compromise the device. Firmware encryption protects this information.
In most consumer and many enterprise systems, having multiple layers of encryption is not critical. However, regarding government and defense systems, data must be protected from some of the most advanced forms of cyber threats.
Approved forms of FIPS 140 encryption must include authorized algorithms outlined in the FIPS 140 Approved Security Functions, including sufficiently complex AES and Triple-DES encryption.
What Are the FIPS 140-2 Security Levels?
FIPS 140-2 classifies cryptographic modules by "levels," each of which addresses increasingly complex security needs and provides a different degree of protection.
The four security levels are:
- Level 1: At this level, a cryptographic module has basic security requirements. This includes at least one approved security algorithm or function, without needing hardware or firmware encryption. This can consist of basic consumer-grade PCs and other devices.
- Level 2: In addition to Level 1, Level 2 requires that hardware have tamper-evident features (stickers, coatings, seals) that reveal attempts to physically access the module's cryptographic keys. This also includes physical security for rooms where encrypted devices reside, such as pick-resistant locks on doors in data centers or work offices.
- Level 3: Building on Levels 1 and 2, Level 3 also requires mechanisms that can detect potential tampering with cryptographic keys. This can include hardware that detects tampering and, upon detection, destroys hardware-stored cryptographic keys before they can be stolen.
- Level 4: Level 4 requires the highest levels of physical and environmental protection, where any evidence of an attempted physical breach calls for immediate deletion of locally stored keys.
It's interesting to note that many of these security levels focus on physical security. As cryptographic security becomes more complex, it becomes harder to break, and modern encryption algorithms are practically impossible to break under most operating conditions. That being said, many attackers look for ways to circumvent this security not by brute-forcing encryption keys (which is nearly impossible) but by compromising surrounding systems or physically accessing hardware to extract decryption keys.
The ways attackers can accomplish this are numerous. For example, an attacker may attempt to open a hardware enclosure to access local storage. Or, they may attempt to manipulate the voltage supplied to a processor or motherboard to gain unauthorized access to adjacent memory registers.
More advanced FIPS security levels are structured to mitigate these threats.
What Are Some of the 140-2 Implementation Requirements?
These levels have further requirements that break down across a few critical categories to ensure security from multiple different angles.
Some of these requirements include:
- Physical Security: As stated above, increasingly secure physical enclosures, tamper-evident systems, and self-sanitizing circuitry.
- Key Management: All levels require randomized key generation, secure key entry and output methods, secure storage, and self-sanitizing systems. At Levels 1 and 2, secret and private keys can be established through manual means in plaintext format. At Levels 3 and 4, key entry and output must be done through encrypted or split knowledge methods.
- Authentication: At Level 1, a cryptographic system must logically separate different roles and services. At Level 2, operators of the system must be distinguished by role-based or identity-based authentication. At Levels 3 and 4, operator authentication must be identity-based only.
- Ports and Interfaces: At Levels 1 and 2, remote system access can be allowed through required and optional interfaces with proper specification and monitoring. At Levels 3 and 4, critical security ports must be physically or logically separated from other data ports.
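The Key Management item above mentions that at Levels 3 and 4 keys may only enter or leave the module through encrypted or split-knowledge methods, and that all levels require randomized key generation and self-sanitizing (zeroizing) behavior. The following is an added illustration of the split-knowledge idea, written for this page rather than taken from the standard or from any vendor's module: a key is split into XOR components so that no single custodian's component reveals anything about the key, a key check value (KCV) lets the operator confirm that the reassembled key is correct without exposing it, and every buffer is zeroized once it is no longer needed. The KCV construction (HMAC-SHA-256 over a fixed label, truncated) and the `load_key_ceremony` function are this example's own conventions, not something FIPS 140-2 prescribes.

```python
import hashlib
import hmac
import os

KEY_LEN = 32  # bytes; the size of an AES-256 key


def generate_key(length=KEY_LEN):
    """Generate a random key in a mutable buffer so it can be zeroized later."""
    return bytearray(os.urandom(length))


def split_key(key, n=2):
    """Split `key` into n XOR components (split knowledge).

    Any n-1 components are uniformly random and independent of the key, so a
    custodian holding fewer than all components learns nothing about it.
    """
    if n < 2:
        raise ValueError("split knowledge requires at least two components")
    components = [bytearray(os.urandom(len(key))) for _ in range(n - 1)]
    last = bytearray(key)
    for comp in components:
        for i in range(len(last)):
            last[i] ^= comp[i]
    components.append(last)
    return components


def combine_components(components):
    """Reassemble the key by XORing all components together."""
    if not components:
        raise ValueError("no components supplied")
    out = bytearray(len(components[0]))
    for comp in components:
        if len(comp) != len(out):
            raise ValueError("component length mismatch")
        for i in range(len(out)):
            out[i] ^= comp[i]
    return out


def key_check_value(key):
    """Short fingerprint used to confirm a key was loaded correctly.

    Constructed convention for this example: HMAC-SHA-256 over a fixed label,
    truncated to 6 hex characters. The KCV is safe to write on a key-loading
    record because it does not reveal the key.
    """
    return hmac.new(bytes(key), b"KCV", hashlib.sha256).hexdigest()[:6]


def zeroize(buf):
    """Overwrite a mutable buffer in place (best-effort sanitization)."""
    for i in range(len(buf)):
        buf[i] = 0


def load_key_ceremony(components, expected_kcv):
    """Simulate key entry from several custodians' components.

    Combines the components, verifies the KCV, and zeroizes every component
    buffer regardless of outcome so partial key material does not linger.
    """
    try:
        key = combine_components(components)
        if not hmac.compare_digest(key_check_value(key), expected_kcv):
            zeroize(key)
            raise ValueError("key check value mismatch; key entry rejected")
        return key
    finally:
        for comp in components:
            zeroize(comp)


if __name__ == "__main__":
    master = generate_key()
    kcv = key_check_value(master)
    parts = split_key(master, 3)          # three custodians
    loaded = load_key_ceremony(parts, kcv)
    print("reassembled key matches:", loaded == master, "KCV:", kcv)
    zeroize(loaded)
    zeroize(master)
```

The point of the KCV check is operational: a custodian who mistypes a component produces a wrong key, and the ceremony rejects it before the key is ever used, while the `finally` clause guarantees the components are wiped even on that failure path.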
Integrate FIPS-Compliant Encryption into Your Security Operation
FIPS encryption standards are a routine part of federal and defense security programs. If you work in any area where, by requirement or by choice, you adopt NIST standards, you will almost certainly run into FIPS encryption requirements.
As a complete risk and security management firm, Continuum GRC is experienced in NIST compliance, risk management, and comprehensive security assessments. We can help ensure that you use the right encryption and cryptographic modules, physical security measures, and technical safeguards to stay in line with your industry-specific regulatory needs.
Continuum GRC is cloud-based, always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- FARS NIST 800-171
- SOC 1, SOC 2, SOC 3
- PCI DSS
- IRS 1075
- COSO SOX
- ISO 27000 Series
And more. We are also the only FedRAMP and StateRAMP authorized compliance and risk management solution in the world.
Continuum GRC is a proactive cyber security®, and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform in the world. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.