Just because a vendor incorporates encryption into its products doesn't mean it's doing so securely. Fortunately, an upcoming federal standard introduces tighter key management and updates testing for software modules and physical protection, offering guidance for government agencies handling sensitive data and also providing a useful benchmark for the private sector.
The FIPS 140-3 revision is in a public draft phase that will end on Oct. 11. Changes in FIPS 140-3 include a new Level 5 top tier, clarified key management, relaxed power-up test requirements to support embedded devices, a new section devoted to software modules, and a new physical protection section, says Randall Easter, director of the Cryptographic Module Validation Program at the National Institute of Standards and Technology.
The physical protection section is noteworthy because it highlights how quickly security can change. In the six years since FIPS 140-2 was published, new attacks against physical encryption modules have been devised and refined. These attacks range from analyzing a module's power draw to help recover keys, to even more advanced approaches that use lasers to induce and disrupt electrical currents.
Jordan Wiens is a network security engineer at the University of Florida and a contributing technology editor for InformationWeek. Write to him at firstname.lastname@example.org.