Cryptography standard comment period ends

Tuesday, April 13, 2010 @ 05:04 PM gHale


A new revision of one of the key computer security documents, a set of information processing standards governing the use of cryptographic modules by civilian federal agencies and government contractors, is now back after public comment.

The document, the Revised Draft of Federal Information Processing Standards (FIPS) 140-3, released by the National Institute of Standards and Technology (NIST), updates the federal government’s guiding document for testing and validation of cryptographic modules, which are computers’ primary line of defense for confidential data. Each module receives a security level rating that depends on the amount of protection it provides.

The revised draft of FIPS 140-3 was available for public comment until March 11.

The update will be the third version of the original cryptography standards document, which first came about in 1995 as FIPS 140-1 and was first updated in 2001.

With all that said, another update needs to get on the books because of the evolution of computing systems and how they do cryptography, as well as the evolution of attacks, said NIST computer security specialist William Burr.

“It used to be these modules were a dedicated separate device, protecting a single link between two points. But in the majority of cases nowadays you’re running a security program instead, on a general purpose computer—encrypting traffic over the Internet, connected by many links to different points,” Burr said. “We’re also now widely using cryptography on things like ID cards that are exposed to different kinds of attacks. We have to take these changes into account.”

The Revised Draft incorporates improvements made to a previous draft, released for public comment in July 2007. This new second-round draft differs from the 2007 document and the 2001 updated version (FIPS 140-2). Some of the Revised Draft’s key changes include:

While the 2007 draft proposed five levels of security, the Revised Draft reverts to the four levels currently specified in FIPS 140-2.

The Revised Draft also reintroduces a cryptographic module made with “firmware” (software only a manufacturer can alter) and defines the security requirements for it.

It removes the requirement for a manufacturer to provide a formal model of the cryptographic module and the details of its operation in order for it to attain the highest security level rating.

Requirements now exist at higher security levels for mitigating non-invasive attacks, which can find the keys to access a secure system not by analyzing encrypted data, but by measuring other operating characteristics, such as precise power consumption.

You can download PDF copies of the Revised Draft of FIPS 140-3 at http://edocket.access.gpo.gov/2009/pdf/E9-29567.pdf.


