7/26/2007
03:00 PM
Jordan Wiens

Encryption Done Right

FIPS requirements lay out best practices for encryption, giving organizations a road map for compliance with various regulations. The upcoming 140-3 standard adds welcome detail. We run down the highlights.

Just because a vendor incorporates encryption into its products doesn't mean it's doing so securely. Fortunately, an upcoming federal standard introduces tighter key management and updates testing for software modules and physical protection, offering guidance for government agencies handling sensitive data and also providing a useful benchmark for the private sector.

THE LOWDOWN
THE PROMISE
The FIPS 140-3 encryption requirement, revealed July 13 in draft form, provides an important refresher for the long-established FIPS 140-2 standards for encryption modules. While FIPS is a requirement for sensitive but unclassified data at federal agencies, it's also a valuable metric for the private sector.

THE PLAYERS
NIST is responsible for publishing FIPS 140 through its Cryptographic Module Validation Program established jointly with the Canadian Communications Security Establishment, though public feedback does play a role in guiding the documents. The latest version of the Security Requirements for Cryptographic Modules, FIPS 140-3, is likely to be published by year's end.

THE PROSPECTS
FIPS 140-2 is a solid set of baselines for proper cryptography usage, and FIPS 140-3 is poised to bring some important changes to keep that foundation current with modern cryptographic attacks. If your company hasn't already done so, it's time to evaluate your encryption requirements and consider how FIPS 140 certification can align with those needs.

Security standards run the gamut from generalized frameworks to fairly precise, quantifiable measures. The current Federal Information Processing Standard 140-2, and the upcoming FIPS 140-3, fall into the precise group, specifying technical requirements for certifying cryptographic software and hardware modules. All four levels of compliance under FIPS 140-2 must use approved algorithms and modes for those algorithms, meet requirements for key management and certain power-up tests, and include appropriate documentation. Modules for certification are evaluated by one of 14 laboratories in the United States, Canada, the United Kingdom, and Germany.
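As an added illustration (not from the article, NIST, or any validated module), the sketch below shows what the power-up self-tests the standard requires look like in practice: a hypothetical module runs known-answer tests for two approved algorithms before offering any service, and a simulated faulty implementation drives it into an error state that refuses every request. The module class, its state names, and the corrupted-module helper are assumptions for this example; the test vectors are the public SHA-256 digest of "abc" and RFC 4231 test case 1.

```python
import hashlib
import hmac

# Known-answer test (KAT) vectors: SHA-256("abc") is the published digest and
# the HMAC vector is RFC 4231 test case 1. Both are public test values.
KNOWN_ANSWER_VECTORS = {
    "SHA-256": {
        "compute": lambda v: hashlib.sha256(v["input"]).digest(),
        "input": b"abc",
        "expected": bytes.fromhex(
            "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    },
    "HMAC-SHA-256": {
        "compute": lambda v: hmac.new(v["key"], v["input"], hashlib.sha256).digest(),
        "key": b"\x0b" * 20,
        "input": b"Hi There",
        "expected": bytes.fromhex(
            "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
    },
}


class CryptoModule:
    """Hypothetical module boundary: services are refused until the power-up
    self-tests pass, and stay refused once any test has failed."""

    def __init__(self, vectors=KNOWN_ANSWER_VECTORS):
        self.vectors = vectors
        self.failed = []            # names of algorithms whose KAT failed
        self.state = "power-up"
        self.power_up_self_test()

    def power_up_self_test(self):
        # Run every KAT before offering any service; a single failure puts the
        # whole module into an error state instead of disabling one algorithm.
        for name, vec in self.vectors.items():
            if not hmac.compare_digest(vec["compute"](vec), vec["expected"]):
                self.failed.append(name)
        self.state = "error" if self.failed else "operational"
        return self.state

    def hmac_sha256(self, key, data):
        if self.state != "operational":
            raise RuntimeError("module in %s state, services disabled" % self.state)
        return hmac.new(key, data, hashlib.sha256).digest()


def simulate_corrupted_module():
    # Constructed fault: a SHA-256 implementation that hashes the wrong bytes.
    bad = dict(KNOWN_ANSWER_VECTORS)
    bad["SHA-256"] = dict(bad["SHA-256"],
                          compute=lambda v: hashlib.sha256(v["input"] + b"!").digest())
    return CryptoModule(bad)
```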

The FIPS 140-3 revision is in a public draft phase that will end on Oct. 11. Changes in FIPS 140-3 include a new Level 5 top tier, clarified key management, relaxed power-up test requirements to support embedded devices, a new section devoted to software modules, and a new physical protection section, says Randall Easter, director of the Cryptographic Module Validation Program at the National Institute of Standards and Technology.

The physical protection section is noteworthy because it highlights how quickly security can change. In the six years since FIPS 140-2 was published, new attacks against physical encryption modules have been devised and refined. These attacks range from analyzing a module's power consumption to help guess its keys, to more advanced approaches that use lasers to induce and disrupt electrical currents.

Jordan Wiens is a network security engineer at the University of Florida and a contributing technology editor for InformationWeek. Write to him at jwiens@nwc.com.
