Data protection using controller-based encryption solution (2) FIPS 140-2 verification level and requirements
The first blog in this encryption series explains controller-based encryption (CBE) and outlines the FIPS verification process. Let's take a look at the Federal Information Processing Standards 140 (FIPS 140-2, Federal Information Processing Standards) verification level and requirements.
FIPS 140-2 verification level
There are eleven fields related to the design and implementation of the encryption module. The security level of each field can be divided into 1 (lowest) to 4 (highest.
The encryption module also has a general security rating, which is the minimum value of the security rating obtained from the eleven independent fields.
The overall rating of the encryption module is not necessarily the most important indicator of the rating, which cannot be ignored. According to the use environment of the encryption module, the rating of a specific field may be more important to users than the total rating.
When determining the applicable rating of a product, consider the following:
1. Customer/end user requirements:What is the customer's rating? Many end users only need FIPS 140-2 level verification, but some organizations have stricter requirements.
2. Competitive environment:If the competitor's verification level is Level 2, Level 1 verification is not suitable. On the contrary, a third-level verification may bring about a competitive advantage.
3. Product design:Sometimes, product features or features may make it unable to meet high-level testing requirements. For example, if the encryption module does not support identity-based authentication, it will not be able to perform Level 3 tests on roles, services, and authentication, so it will not be able to obtain the overall Level 3 rating.
4. Cost and time:In general, the higher the verification level, the more cost and time required to pass the verification process.
FIPS 140-2 security requirements
The following table lists the four verification-level security requirements involved in 11 design and implementation areas.
Category |
Level 1 |
Level 2 |
Level 3 |
Level 4 |
Password module |
Password module, border, approved security functions |
FIPS running mode |
Port and interface |
Interface Definition |
Logically separate data channels |
Roles, businesses, and certifications |
No authentication |
Role-based authentication |
ID-based authentication |
FSM |
Determines the running status |
Physical security |
Mass production level |
Tampered evidence |
Tampering response |
EFP/EFT |
Running environment |
Single User |
EAL operating system |
E_3 OS |
EAL4 OS |
Core Management |
Plaintext manual input |
Encrypted manual input |
EMI/EMC |
FCC Class |
FCC Class B |
Self-test |
Power-on and condition tests |
Design Assurance |
CM system |
Security dist. |
Advanced lang. |
Advanced lang. |
Mitigate other attacks |
Threats beyond the scope of requirements |
The last article in this series will provide some useful tips for readers who are interested in submitting an encryption module set for FIPS verification.
Data protection using controller-based encryption solution (2)