Overview
The Federal Information Processing Standards publication 140-2 (FIPS PUB 140-2), commonly referred to as FIPS 140-2, is a US government computer security standard for validating cryptographic modules. The requirements it places on implementations of encryption, hashing and related security functions are defined by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce that develops technology standards and metrics to drive innovation and economic competitiveness in the United States.
The Cryptographic Module Validation Program (CMVP), a joint effort of the NIST and the Canadian Centre for Cyber Security (CCCS), validates cryptographic modules to the Security Requirements for Cryptographic Modules standard (i.e., FIPS 140-2) and related FIPS cryptography standards.
FIPS 140-2 defines four security levels. Level 1 is the least stringent and Level 4 the most stringent. "Dash two" does not indicate Level 2 validation; it is simply the revision number of the standard (FIPS 140-1 preceded it, and FIPS 140-3 has since superseded it for new module validations, with the CMVP no longer accepting new FIPS 140-2 submissions after September 2021). Following is a brief description of what these levels refer to:
Concept
VIDIZMO's EVCM and DEMS products use FIPS 140-2 validated implementations of approved algorithms for data and content encryption. Note that a FIPS 140-2 validation applies to the cryptographic module, not to the application that calls it; an application built on validated modules is FIPS-compliant rather than FIPS-validated. We are committed to information assurance and to complying with these standards across our products and services, both in depth and breadth.
FIPS 140-2 approved security functions used in VIDIZMO
Following is the list of FIPS 140-2 approved security functions (as enumerated in Annex A of the standard) that have been implemented in VIDIZMO. The categories covered are symmetric-key encryption and decryption, digital signatures, hashing, and message authentication.
Symmetric Key Encryption and Decryption (AES)
1. Advanced Encryption Standard (AES)
Digital Signatures (DSA, RSA and ECDSA)
1. Digital Signature Standard (DSS)
Secure Hash Standard (SHS)
1. Secure Hash Standard (SHS) (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256). SHA-1 remains approved only for legacy signature verification and non-signature uses such as HMAC; it is no longer approved for generating digital signatures (see NIST SP 800-131A).
SHA-3 Standard
1. SHA-3 Hash Algorithms (SHA3-224, SHA3-256, SHA3-384, SHA3-512)
2. SHA-3 Extendable-Output Functions (XOF) (SHAKE128, SHAKE256)
3. SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash
Message Authentication
1. Triple-DES (CMAC). NIST SP 800-131A Rev. 2 deprecated Triple-DES and disallows it after 2023, so new deployments should use AES-based MACs or HMAC.
2. AES
3. HMAC
Implementation Scope in Application
| FIPS 140-2 Algorithm | VIDIZMO Affected Area |
| --- | --- |
| SHA-384 | Checksum validation for files |
| Native MD5 | Uploading to Azure Blob Storage |
| HMAC-SHA-256 | Upload to AWS |
| HMAC-SHA-256 | Live chat with Azure Service Bus configuration |
| Native MD5 | Tamper detection |
| Native MD5 | License activation |
| Native MD5 | Cache management |
| SHA-256 | Token management |

MD5 is not a FIPS 140-2 approved security function and offers no collision resistance, so the "Native MD5" rows are not covered by the validation. The Azure Blob Storage use is the service's Content-MD5 transport checksum, which is a non-security integrity check; for tamper detection, license activation and cache integrity, a FIPS-mode deployment should use SHA-256 or HMAC-SHA-256 instead. On platforms with FIPS enforcement enabled (for example the Windows FIPS policy or OpenSSL in FIPS mode), non-approved primitives such as MD5 are typically rejected at runtime, so these code paths must be audited before enabling enforcement.
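The following is an added example, not VIDIZMO code, that ties the approved-functions list above to the implementation-scope table: it whitelists the FIPS 140-2 approved hash functions, computes the SHA-384 file checksum and the HMAC-SHA-256 upload signature with constant-time verification, refuses MD5 as a security function, and shows how the non-security Azure Content-MD5 transport checksum can still be produced when the underlying OpenSSL is in FIPS mode. It uses only the Python 3 standard library (3.9+ for the `usedforsecurity` keyword, with a fallback for older interpreters); the names `APPROVED_HASHES`, `fips_hash`, `checksum_bytes`, `sign_upload` and `content_md5_for_azure` are illustrative assumptions, not an API of the product.

```python
"""Added example (not VIDIZMO code): FIPS 140-2 approved hashing and MAC
helpers for the uses listed in the implementation-scope table.

Assumption: Python 3 standard library only; all names are illustrative.
"""
import base64
import hashlib
import hmac
import io

# Hash functions approved under FIPS 140-2 Annex A (SHS and SHA-3 standard),
# keyed by hashlib name. MD5 is deliberately absent: it is not approved.
# SHA-1 stays only because it is still approved for legacy verification and
# non-signature uses (e.g. HMAC-SHA-1); never use it to generate signatures.
APPROVED_HASHES = frozenset({
    "sha1", "sha224", "sha256", "sha384", "sha512",
    "sha512_224", "sha512_256",
    "sha3_224", "sha3_256", "sha3_384", "sha3_512",
})


def _normalise(algo: str) -> str:
    """Map 'SHA-384' / 'sha384' / 'SHA-512/256' onto hashlib's naming."""
    return algo.lower().replace("-", "").replace("/", "_")


def is_approved(algo: str) -> bool:
    return _normalise(algo) in APPROVED_HASHES


def fips_hash(algo: str):
    """Return a hashlib object, refusing any non-approved function."""
    if not is_approved(algo):
        raise ValueError(f"{algo} is not a FIPS 140-2 approved hash function")
    return hashlib.new(_normalise(algo))


def _digest_stream(stream, algo: str, chunk: int = 1 << 20) -> str:
    # Stream in 1 MiB blocks so large uploads never have to fit in memory.
    h = fips_hash(algo)
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def checksum_bytes(data: bytes, algo: str = "sha384") -> str:
    """Checksum of in-memory data (table row: checksum validation for files)."""
    return _digest_stream(io.BytesIO(data), algo)


def checksum_file(path: str, algo: str = "sha384") -> str:
    with open(path, "rb") as f:
        return _digest_stream(f, algo)


def verify_checksum(data: bytes, expected_hex: str, algo: str = "sha384") -> bool:
    """Constant-time comparison so a mismatch does not leak how much matched."""
    return hmac.compare_digest(checksum_bytes(data, algo), expected_hex.lower())


def sign_upload(secret_key: bytes, string_to_sign: bytes) -> str:
    """HMAC-SHA-256 over a request string (table rows: AWS upload, Service Bus)."""
    return hmac.new(secret_key, string_to_sign, "sha256").hexdigest()


def verify_upload_signature(secret_key: bytes, string_to_sign: bytes,
                            presented_hex: str) -> bool:
    return hmac.compare_digest(sign_upload(secret_key, string_to_sign),
                               presented_hex.lower())


def content_md5_for_azure(data: bytes) -> str:
    """MD5 only as a transport checksum (the Content-MD5 header Azure Blob
    Storage expects, base64 of the raw digest), never for tamper detection.
    usedforsecurity=False lets this run when OpenSSL is in FIPS mode, where a
    plain hashlib.md5() call raises ValueError."""
    try:
        h = hashlib.md5(data, usedforsecurity=False)
    except TypeError:  # Python < 3.9 has no usedforsecurity keyword
        h = hashlib.md5(data)
    return base64.b64encode(h.digest()).decode("ascii")


if __name__ == "__main__":
    # Constructed sample input: the FIPS 180 "abc" test vector.
    print("SHA-384 checksum:", checksum_bytes(b"abc"))
    print("upload signature:", sign_upload(b"Jefe", b"what do ya want for nothing?"))
    print("Azure Content-MD5:", content_md5_for_azure(b"abc"))
    try:
        fips_hash("md5")
    except ValueError as exc:
        print("rejected:", exc)
```

This only controls algorithm selection at the application layer. FIPS 140-2 compliance additionally requires that the module actually performing the operations (here, the OpenSSL build behind `hashlib`) is itself CMVP-validated and running in its approved mode; the whitelist cannot substitute for that.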
Potential Impact of Complying with FIPS 140-2
Use of FIPS 140-2 validated cryptography is mandatory in federal government systems that collect, store, transfer, share and disseminate sensitive but unclassified (SBU) information. This applies to all federal agencies as well as their contractors and service providers, including networking and cloud service providers.
Anyone deploying systems into a US federal SBU environment, including cloud services, must use FIPS 140-2 validated cryptographic modules. In other words, the cryptography in the computer systems, solutions and services used by federal government agencies must meet the minimum requirements specified in FIPS PUB 140-2.
This has a significant impact on the IT procurement process: without obtaining a variance, the only solution vendors that can be considered are those whose products rely on FIPS 140-2 validated modules.
FIPS 140-2 has also become the de-facto standard for encryption beyond the federal government and is recognized as an important security standard outside the United States. This standard is used extensively in many state and local government agencies as well as non-governmental industries, particularly manufacturing, healthcare, and financial services, or wherever there are federal regulations governing data security. Regulations in such industries may require FIPS 140-2 compliance.
Use-Case Scenario
Using FIPS-approved algorithms from a validated module removes the cryptographic root causes of the following classes of issue in enterprise applications. It does not, by itself, fix application-level flaws such as missing authorization checks or poor session handling; those still require sound design around the cryptography:
- Sensitive data exposure
- Key leakage
- Broken authentication
- Insecure session
- Spoofing attack
FIPS validation confirms that a cryptographic module meets specific requirements designed to protect it from being cracked, altered, or otherwise tampered with. Once an IT product or solution is built on validated modules, it can be deployed or operated by US federal agencies and their contractors. This makes it easier for federal staff to deploy the product or solution, because they will not have to take additional steps to demonstrate that its cryptography is safe to operate.