Overview

The Federal Information Processing Standards (FIPS) publication 140-2 (FIPS PUB 140-2), commonly referred to as FIPS 140-2, is a collection of computer security standards set by the US government for validating cryptographic modules. This set of security standards for implementing encryption and hashing is defined by the National Institute of Standards and Technology (NIST), a non-regulatory government agency that develops technology standards and metrics to drive innovation and economic competitiveness in organizations in the United States.

The Cryptographic Module Validation Program (CMVP), a joint effort of the NIST and the Canadian Centre for Cyber Security (CCCS), validates cryptographic modules to the Security Requirements for Cryptographic Modules standard (i.e., FIPS 140-2) and related FIPS cryptography standards. 

 

FIPS 140-2 defines four levels of security. Level 1 is the least secure, while Level 4 is the most secure. “Dash two” does not indicate Level 2 validation; it simply refers to the second iteration of the encryption benchmark. Following is a brief description of what these levels refer to:

 

 

Concept

VIDIZMO stands among the leading organizations that have secured Federal Information Processing Standard (FIPS) 140-2 validations, as we have successfully implemented FIPS 140-2 validated algorithms for data and content encryption within both our EVCM and DEMS products. We are dedicated to proving information assurance and to complying with these standards across our products and services, in both depth and breadth.

 

FIPS 140-2 approved security functions used in VIDIZMO

Following is the list of the FIPS 140-2 approved security functions that have been implemented in VIDIZMO (the categories include transitions, symmetric key encryption and decryption, message authentication and hashing).

 

Symmetric Key Encryption and Decryption (AES)

 

1. Advanced Encryption Standard (AES)

 

Digital Signatures (DSA, RSA and ECDSA) 

 

1. Digital Signature Standard (DSS)

 

Secure Hash Standard (SHS) 

 

1. Secure Hash Standard (SHS) (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256)

 

SHA-3 Standard 


1. SHA-3 Hash Algorithms (SHA3-224, SHA3-256, SHA3-384, SHA3-512) 

2. SHA-3 Extendable-Output Functions (XOF) (SHAKE128, SHAKE256) 

3. SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash


Message Authentication

 

1. Triple-DES

2. AES

3. HMAC

 

Implementation Scope in Application

 

FIPS 140-2 Algorithms | VIDIZMO Affected Area
----------------------|------------------------------------------------
SHA-385               | Checksum Validation for File
Native MD5            | Uploading on Azure Blob Storage
HMAC SHA-256          | Upload on AWS
HMAC SHA-256          | Live Chat with Azure Service Bus Configuration
Native MD5            | (Tamper Detection)
Native MD5            | License Activation
Native MD5            | Cache Management
SHA-256               | Token Management

 


Potential Impact of Complying with FIPS 140-2

FIPS 140-2 validation is mandatory for use in federal government departments that collect, store, transfer, share and disseminate sensitive but unclassified (SBU) information. This applies to all federal agencies as well as their contractors and service providers, including networking and cloud service providers.

 

Anyone deploying systems into a U.S. federal SBU environment – including cloud services – must comply with FIPS 140-2 certification. In other words, the encryption associated with the computer systems, solutions and services used by federal government agencies must meet the minimum standards specified in FIPS PUB 140-2.


This has a massive impact on the IT procurement process; the only solution vendors that can be considered (without obtaining a variance) are those that have had their products validated as being FIPS 140-2 compliant.

 

FIPS 140-2 has also become the de facto standard for encryption beyond the federal government and is recognized as an important security standard outside the United States. This standard is used extensively in many state and local government agencies as well as non-governmental industries, particularly manufacturing, healthcare, and financial services, or wherever there are federal regulations governing data security. Regulations in such industries may require FIPS 140-2 compliance.


Use Case Scenario

Using FIPS-compliant algorithms will eradicate the following issues that may arise in enterprise applications:

  1. Sensitive data exposure
  2. Key leakage
  3. Broken authentication
  4. Insecure session 
  5. Spoofing attack


FIPS accreditation validates that an encryption solution meets specific requirements designed to protect the cryptographic module from being cracked, altered, or otherwise tampered with. Once an IT product or solution has attained this accreditation, it can be deployed or operated by U.S. federal agencies and their contractors. This certification makes it easier for national staff to deploy the product or solution because they won’t have to take additional steps to demonstrate the system is safe to operate.

 

Contributions were made by Sidra Jabeen & Hafsa Qamar. 

