Introduction

The Federal Information Processing Standards (FIPS) publication 140-2 (FIPS PUB 140-2), commonly referred to as FIPS 140-2, is a collection of computer security standards set by the US government for validating cryptographic modules. This set of security standards for implementing encryption and hashing is defined by the National Institute of Standards and Technology (NIST), a non-regulatory government agency that develops such technology standards and metrics in order to drive innovation and economic competitiveness in organizations in the United States. The Cryptographic Module Validation Program (CMVP), a joint effort of NIST and the Canadian Centre for Cyber Security (CCCS), validates cryptographic modules against the Security Requirements for Cryptographic Modules standard (i.e., FIPS 140-2) and related FIPS cryptography standards.

 

There are four levels in the FIPS 140-2 program, and the “dash two” does not indicate level 2 validation. It simply refers to the second iteration of the encryption benchmark. Following is a brief description of what these levels refer to:

 

 

Concept

VIDIZMO stands among the leading organizations that have secured Federal Information Processing Standard (FIPS) 140-2 validations, as we have successfully implemented FIPS 140-2 validated algorithms for data and content encryption within our enterprise and DEM products. We are dedicated to providing information assurance and to complying with the standards for our products and services, both in depth and in breadth.

There is a setting in Windows that complies with the US government FIPS 140 standards. When it is enabled, it forces Windows to only use FIPS-validated cryptographic modules and advises applications to do so, as well.
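
The check below is an added example, not VIDIZMO code: it reads the Windows FIPS policy value and then tries to construct the .NET Framework providers for the algorithms named in the implementation-scope table further down this page, reporting which ones the platform lets a process use. It assumes Windows PowerShell 5.1 on .NET Framework; the function names are illustrative.

```powershell
# Added example (not VIDIZMO code). Assumes Windows PowerShell 5.1 on .NET Framework.

function Get-FipsPolicyState {
    # Value set by the security option "System cryptography: Use FIPS compliant
    # algorithms for encryption, hashing, and signing".
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $value = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RegistryEnabled    = [bool]($value -and $value.Enabled -eq 1)
        # What .NET Framework code in this process will actually enforce.
        DotNetEnforcesFips = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    }
}

function Test-HashProvider {
    param([Parameter(Mandatory)][string]$TypeName)
    $sample = [System.Text.Encoding]::UTF8.GetBytes('constructed sample input')
    $status = 'usable'; $bits = 0
    try {
        $alg = New-Object -TypeName $TypeName   # a blocked provider throws here
        try     { $bits = $alg.ComputeHash($sample).Length * 8 }
        finally { $alg.Dispose() }
    } catch {
        $status = 'blocked: ' + $_.Exception.GetBaseException().Message
    }
    [pscustomobject]@{ Provider = $TypeName; Status = $status; DigestBits = $bits }
}

# Providers matching the algorithms named in the implementation-scope table.
$providers = @(
    'System.Security.Cryptography.MD5CryptoServiceProvider',
    'System.Security.Cryptography.SHA256CryptoServiceProvider',
    'System.Security.Cryptography.SHA384CryptoServiceProvider',
    'System.Security.Cryptography.HMACSHA256'
)

Get-FipsPolicyState | Format-List
$providers | ForEach-Object { Test-HashProvider -TypeName $_ } | Format-Table -AutoSize
```

Running it once with the policy disabled and once with it enabled shows which code paths in an application would start failing after the setting is turned on.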

 

FIPS 140-2 approved security functions used in VIDIZMO

Following is the list of the FIPS 140-2 approved security functions that have been implemented in VIDIZMO. The categories include transitions, symmetric key encryption and decryption, message authentication and hashing.

 

Symmetric Key Encryption and Decryption (AES)

 

1. Advanced Encryption Standard (AES)

 

Digital Signatures (DSA, RSA and ECDSA) 

 

1. Digital Signature Standard (DSS)

 

Secure Hash Standard (SHS) 

 

1. Secure Hash Standard (SHS) (SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256)

 

SHA-3 Standard 


1. SHA-3 Hash Algorithms (SHA3-224, SHA3-256, SHA3-384, SHA3-512) 

2. SHA-3 Extendable-Output Functions (XOF) (SHAKE128, SHAKE256) 

3. SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash


Message Authentication

 

1. Triple-DES

2. AES

3. HMAC

 

Implementation Scope in Application

 

FIPS 140-2 Algorithms | VIDIZMO Affected Area
SHA-384 | Checksum Validation for File
Native MD5 | Uploading on Azure Blob Storage
HMAC SHA-256 | Upload on AWS
HMAC SHA-256 | Live Chat with Azure Service Bus Configuration
Native MD5 | (Tamper Detection)
Native MD5 | License Activation
Native MD5 | Cache Management
SHA-256 | Token Management

 


Potential Impact of Complying with FIPS 140-2

FIPS 140-2 validation is mandatory for use in federal government departments that collect, store, transfer, share and disseminate sensitive but unclassified (SBU) information. This applies to all federal agencies as well as their contractors and service providers, including networking and cloud service providers.

 

Anyone deploying systems into a U.S. federal SBU environment, and this includes cloud services, is required to comply with FIPS 140-2 certification. In other words, the encryption associated with the computer systems, solutions and services used by federal government agencies must meet the minimum standards specified in FIPS PUB 140-2. This has a huge impact on the IT procurement process, as the only solution vendors that can be considered (without obtaining a variance) are those that have had their products validated as being FIPS 140-2 compliant.

 

FIPS 140-2 has also become the de-facto standard for encryption beyond the federal government and is recognized as an important security standard outside the United States. This standard is used extensively in many state and local government agencies as well as non-governmental industries, particularly manufacturing, healthcare, and financial services, or wherever there are federal regulations governing data security. Regulations in such industries may require FIPS 140-2 compliance.

 

Use Case Scenario

Using FIPS-compliant algorithms will eradicate the following issues that may arise in enterprise applications:

  1. Sensitive data exposure
  2. Key leakage
  3. Broken authentication
  4. Insecure session 
  5. Spoofing attack


FIPS accreditation validates that an encryption solution meets a specific set of requirements designed to protect the cryptographic module from being cracked, altered, or otherwise tampered with. Once an IT product or solution has attained this accreditation, it can be deployed or operated by U.S. federal agencies and their contractors. This certification makes it easier for federal staff to deploy the product or solution because they won’t have to take additional steps to demonstrate the system is safe to operate. 

 

  1. Understanding Evidence Tamper Detection
  2. How to Detect if an Evidence has been Tampered