
FIPS 140 Frequently Asked Questions

Q. What is FIPS 140?

A. Federal Information Processing Standard 140-1 (FIPS 140-1) and its successor FIPS 140-2 are U.S. government standards that provide a benchmark for implementing cryptographic software. They specify best practices for implementing crypto algorithms, handling key material and data buffers, and working with the operating system.

Q. Who administers the FIPS 140 evaluation process?

A. Evaluation is administered by the Cryptographic Module Validation (CMV) Program of the National Institute of Standards and Technology (NIST) in the United States and the Communications Security Establishment (CSE) in Canada. The CMV program was established in July of 1995. All of the tests under the CMV program are performed by third-party accredited laboratories.

Q. What is the difference between FIPS 140-1 and FIPS 140-2?

A. FIPS 140-1, defining the security requirements for cryptographic modules, went into effect on January 4, 1994. These requirements were updated in 2001, and the FIPS 140-2 standard was published. In May of 2002, NIST CMV started accepting validation test reports for cryptographic modules against FIPS 140-2 only. However, according to the CMV program web page, “agencies may continue to purchase, retain and use FIPS 140-1 validated products after May 25, 2002.”

FIPS 140-2 specifies the security requirements that will be satisfied by a cryptographic module, providing four increasing, qualitative levels intended to cover a wide range of potential applications and environments. The areas covered, related to the secure design and implementation of a cryptographic module, include specification; ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks.

Q. What are the different levels (level 1, 2, 3 and 4) of FIPS 140 validation?

A. Within most areas, a cryptographic module receives a security level rating (1-4, from lowest to highest), depending on which requirements are met. For other areas that do not provide for different levels of security, a cryptographic module receives a rating that reflects fulfillment of all the requirements for that area.

Level 1 restricts the machine that the module runs on to operating in single-user mode. This means that no more than a single user may be active on the machine at any point in time. This is okay for machines running client software, but it makes no sense for SSH server software.

Level 2 certification is noticeably harder to get. The difficulty is not with the crypto module code per se, but rather with formalities and the fact that level 2 modules must run on validated hardware under validated operating systems. F-Secure was the first SSH vendor to receive FIPS 140-2 level 2 validation. (F-Secure SSH has been renamed Reflection for Secure IT.)

Levels 3 and 4 have physical protection requirements that are for hardware systems and are not applicable to software.

Q. What are the requirements for getting a FIPS 140 validation?

A. Security requirements cover 11 areas related to the design and implementation of a cryptographic module, including operating system security, software security, key management, cryptographic algorithms, and self-testing.

Q. What does FIPS 140 validation mean?

A. FIPS 140 validation is an additional proof, done by a third party, that shows a security software implementation to be of the highest quality and standards. This validation sets Reflection for Secure IT apart from, for instance, open source software, which is not validated.

Q. What does FIPS 140 validation mean to the U.S. government?

A. FIPS 140-1 and FIPS 140-2 are two of a series of Federal Information Processing Standards Publications (FIPS PUBS) that have been issued by the U.S. government; FIPS PUBS are created by NIST (usually after a public comment period) and are issued after official approval by the U.S. Secretary of Commerce. FIPS PUBS are binding on U.S. government agencies (unless they are otherwise exempted from compliance), and products sold to the U.S. government often must comply with one or more of the FIPS PUBS standards.

Q. What does FIPS 140 validation mean to nongovernmental organizations?

A. FIPS PUBS are not binding standards on individuals and organizations not associated with the U.S. government. However, many companies that do business with the U.S. government adopt FIPS PUBS standards for their own use. This may be because of contractual requirements or government regulations, or simply because the companies decide that certain FIPS PUBS have value as standards for internal use. And the security community at large values products that have completed this evaluation, as it carries the blessing of an independent third party.

Q. What FIPS validations does Reflection for Secure IT have?

A. Reflection for Secure IT has both FIPS 140-1 level 1 and FIPS 140-2 level 2 validations.

Q. Where can I see the FIPS validations for Reflection for Secure IT?

A. When choosing data security or cryptography-related products, users in the U.S. and Canadian federal governments are advised by NIST/CSE to refer to the FIPS 140-1 and FIPS 140-2 validation list (see http://csrc.nist.gov/cryptval).

Q. Which Reflection for Secure IT products are or will be FIPS 140 validated?

A. Technically speaking, it is the cryptographic libraries used by Reflection for Secure IT products, not the products themselves, that are validated. The Reflection for Secure IT Windows server and the UNIX client and server use the FIPS 140 validated cryptographic libraries, and the products will operate in FIPS 140 mode (restricting the available algorithms to FIPS 140-approved algorithms).
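As an added illustration of what a FIPS 140 mode does to an SSH handshake (example code written for this page, not code from Reflection for Secure IT or its cryptographic libraries): the negotiation below follows the RFC 4253 rule of choosing the first algorithm on the client's name-list that the server also supports, and in FIPS mode the server first drops every algorithm outside an approved allowlist before that rule runs. The allowlists are an assumed subset of FIPS 140-approved algorithms under their SSH names (AES and Triple-DES ciphers, SHA-based HMACs), chosen for this example; the product's actual algorithm list is not given on this page, and the sample name-lists are constructed, not captured from a real session.

```python
# Added illustrative example (not code from Reflection for Secure IT or Attachmate).
# Shows the effect of a "FIPS 140 mode" on SSH algorithm negotiation: the
# server removes non-approved algorithms from its name-lists before the
# RFC 4253 selection rule runs.

# Assumed allowlists for this example: a subset of FIPS 140-approved
# algorithms under their SSH names, not the product's configured list.
FIPS_APPROVED_CIPHERS = frozenset({
    "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "3des-cbc",
})
FIPS_APPROVED_MACS = frozenset({"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"})


def parse_name_list(text):
    """Parse an SSH name-list (RFC 4251: comma-separated names, no spaces)."""
    return [name for name in text.split(",") if name]


def negotiate(client_list, server_list):
    """RFC 4253 section 7.1: the first algorithm on the client's list that the
    server also supports is chosen; None means the handshake would fail."""
    supported = set(server_list)
    for name in client_list:
        if name in supported:
            return name
    return None


def fips_restrict(offered, allowed):
    """Drop non-approved algorithms from a name-list, preserving preference order."""
    return [name for name in offered if name in allowed]


def choose_algorithms(client_kexinit, server_kexinit, fips_mode=False):
    """Select cipher and MAC from two KEXINIT-style dicts of name-list strings.

    With fips_mode=True the server's offers are restricted first, so a client
    that prefers a non-approved cipher is steered to an approved one, and a
    client offering only non-approved algorithms gets no match at all.
    """
    client_ciphers = parse_name_list(client_kexinit["ciphers"])
    client_macs = parse_name_list(client_kexinit["macs"])
    server_ciphers = parse_name_list(server_kexinit["ciphers"])
    server_macs = parse_name_list(server_kexinit["macs"])
    if fips_mode:
        server_ciphers = fips_restrict(server_ciphers, FIPS_APPROVED_CIPHERS)
        server_macs = fips_restrict(server_macs, FIPS_APPROVED_MACS)
    return {
        "cipher": negotiate(client_ciphers, server_ciphers),
        "mac": negotiate(client_macs, server_macs),
    }


# Constructed sample name-lists (not captured from any real session).
SERVER = {"ciphers": "aes128-cbc,aes256-cbc,3des-cbc,arcfour,blowfish-cbc",
          "macs": "hmac-sha1,hmac-sha2-256,hmac-md5"}
# A client that prefers a non-approved cipher and MAC but can fall back.
LEGACY_CLIENT = {"ciphers": "arcfour,aes128-cbc", "macs": "hmac-md5,hmac-sha1"}
# A client that offers nothing on the allowlist.
OLD_ONLY_CLIENT = {"ciphers": "blowfish-cbc,arcfour", "macs": "hmac-md5"}

if __name__ == "__main__":
    print("default mode           :", choose_algorithms(LEGACY_CLIENT, SERVER))
    print("FIPS mode              :", choose_algorithms(LEGACY_CLIENT, SERVER, fips_mode=True))
    print("FIPS mode, legacy-only :", choose_algorithms(OLD_ONLY_CLIENT, SERVER, fips_mode=True))
```

The third call shows the operational consequence worth knowing before enabling the mode: a client whose name-lists contain only non-approved algorithms cannot complete the handshake at all, so a legacy client that stops connecting right after FIPS mode is turned on is behaving as designed, and the fix is on the client's algorithm configuration, not on the server.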


For more information on FIPS 140 from NIST, please see http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf.

For more information on the FIPS 140-2 process, review the FIPS 140-2 related documents at http://csrc.ncsl.nist.gov/cryptval/.