Data protection using controller-based encryption solution (2)

Data protection using controller-based encryption solution (2) FIPS 140-2 verification level and requirements

The first blog in this encryption series explains controller-based encryption (CBE) and outlines the FIPS verification process. Let's take a look at the Federal Information Processing Standards 140 (FIPS 140-2, Federal Information Processing Standards) verification level and requirements.

FIPS 140-2 verification level

There are eleven fields related to the design and implementation of the encryption module. The security level of each field can be divided into 1 (lowest) to 4 (highest.

The encryption module also has a general security rating, which is the minimum value of the security rating obtained from the eleven independent fields.

The overall rating of the encryption module is not necessarily the most important indicator of the rating, which cannot be ignored. According to the use environment of the encryption module, the rating of a specific field may be more important to users than the total rating.

When determining the applicable rating of a product, consider the following:

1. Customer/end user requirements:What is the customer's rating? Many end users only need FIPS 140-2 level verification, but some organizations have stricter requirements.

2. Competitive environment:If the competitor's verification level is Level 2, Level 1 verification is not suitable. On the contrary, a third-level verification may bring about a competitive advantage.

3. Product design:Sometimes, product features or features may make it unable to meet high-level testing requirements. For example, if the encryption module does not support identity-based authentication, it will not be able to perform Level 3 tests on roles, services, and authentication, so it will not be able to obtain the overall Level 3 rating.

4. Cost and time:In general, the higher the verification level, the more cost and time required to pass the verification process.

FIPS 140-2 security requirements

The following table lists the four verification-level security requirements involved in 11 design and implementation areas.

Category	Level 1	Level 2	Level 3	Level 4
Password module	Password module, border, approved security functions		FIPS running mode
Port and interface	Interface Definition		Logically separate data channels
Roles, businesses, and certifications	No authentication	Role-based authentication	ID-based authentication
FSM	Determines the running status
Physical security	Mass production level	Tampered evidence	Tampering response	EFP/EFT
Running environment	Single User	EAL operating system	E_3 OS	EAL4 OS
Core Management	Plaintext manual input		Encrypted manual input
EMI/EMC	FCC Class		FCC Class B
Self-test	Power-on and condition tests
Design Assurance	CM system	Security dist.	Advanced lang.	Advanced lang.
Mitigate other attacks	Threats beyond the scope of requirements

The last article in this series will provide some useful tips for readers who are interested in submitting an encryption module set for FIPS verification.

 

Data protection using controller-based encryption solution (2)