What is FIPS 140-2, and what does it mean to be FIPS 140-2 compliant? In this article, we will answer both questions, explain what it means to be validated, and give you a list of FIPS 140-2 approved algorithms.
FIPS 140-2 (Federal Information Processing Standard Publication 140-2) is a U.S. government standard, issued by NIST, that specifies the security requirements for cryptographic modules. To meet the requirements of FIPS 140-2 and obtain a validation certificate, your product must satisfy the stated security requirements, which are organized into four increasing levels. The levels range from basic security to a high level of physical security that also protects against tampering and against out-of-range environmental conditions.
Level 1 is the lowest level of security. It requires that the module use at least one approved algorithm or security function, but it requires no physical security mechanisms beyond production-grade components. An encryption board in a personal computer, or a software module running on a general-purpose computer, is a typical Level 1 example.
Level 2 raises the bar by requiring tamper evidence: coatings, seals, or pick-resistant locks on covers and doors that must be broken or removed to gain physical access to the plaintext cryptographic keys and other critical security parameters (CSPs) inside the module. Level 2 also requires, at a minimum, role-based authentication of the module's operators.
Level 3 includes the Level 2 requirements and adds physical security mechanisms intended to prevent, not merely reveal, access to CSPs. Examples include tamper-detection and tamper-response circuitry that zeroizes all plaintext CSPs when a cover or door of the module is opened or its enclosure is breached. Level 3 also requires identity-based operator authentication rather than role-based authentication alone.
Level 4 is the highest security level and is intended for modules operated in physically unprotected environments. Its physical security mechanisms form a complete envelope of protection around the module, with the goal of detecting and responding to every unauthorized attempt at physical access. When an attempt is detected, the module immediately zeroizes all plaintext CSPs, so the keys cannot be recovered from it. Level 4 also requires protection against environmental conditions outside the module's normal operating range, such as changes in temperature or voltage, which an attacker could otherwise use to defeat the module's defenses.
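Levels 3 and 4 both rely on zeroizing plaintext CSPs, and FIPS 140-2 requires a module at any level to be able to zeroize its plaintext keys on demand. The example below is added here and is not code from the original article, from WinZip, or from any validated module; it shows the software side of that requirement in C: a zeroization routine that writes through a volatile pointer so the compiler cannot discard the writes as dead stores, plus a check that the key material is actually gone. The key bytes, the `aes_key_t` structure, and the function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Zeroize a buffer holding plaintext CSPs. A plain memset() just before the
 * buffer goes out of scope is a "dead store" that an optimizing compiler may
 * legally remove; writing through a volatile pointer forces every byte to be
 * written to memory. (C11's memset_s is the standard alternative where
 * available.) */
void csp_zeroize(void *buf, size_t len)
{
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Returns 1 if every byte of buf is zero, 0 otherwise. The OR-accumulate
 * scan touches every byte regardless of contents, so its timing does not
 * reveal where the first non-zero byte sits. */
int csp_is_zeroized(const void *buf, size_t len)
{
    const uint8_t *p = (const uint8_t *)buf;
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= p[i];
    }
    return acc == 0;
}

/* Hypothetical key container for a 256-bit AES key (constructed for this
 * example, not a real module's data structure). */
#define KEY_LEN 32

typedef struct {
    uint8_t key[KEY_LEN];
    int loaded;
} aes_key_t;

/* Walk a key through its lifecycle: load, (use), zeroize, verify.
 * Returns 1 if zeroization succeeded, 0 if key bytes survived, and -1 if the
 * sanity check that key material was present before zeroization failed. */
int demo_key_lifecycle(void)
{
    aes_key_t k;

    /* Constructed sample key material; a real module would receive the key
     * from an approved key-establishment method. */
    for (size_t i = 0; i < KEY_LEN; i++) {
        k.key[i] = (uint8_t)(0xA5 ^ i);
    }
    k.loaded = 1;

    /* ... the key would be used for AES encryption/decryption here ... */

    if (csp_is_zeroized(k.key, KEY_LEN)) {
        return -1; /* sanity: we expect non-zero key material at this point */
    }

    /* Session ended or tamper detected: destroy the plaintext CSP before the
     * structure leaves scope. */
    csp_zeroize(k.key, KEY_LEN);
    k.loaded = 0;

    return csp_is_zeroized(k.key, KEY_LEN) ? 1 : 0;
}

int main(void)
{
    int rc = demo_key_lifecycle();
    printf("key lifecycle: %s\n", rc == 1 ? "zeroized" : "FAILED");
    return rc == 1 ? 0 : 1;
}
```

The check above only covers the module's own copy of the key: a real module must also account for copies left in CPU registers, caches, swap, and any intermediate buffers, and a hardware module at Level 3 or 4 triggers the same zeroization path from its tamper-detection circuitry rather than from application code.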
Being FIPS 140-2 compliant, in the loose sense in which the term is often used, means that a product claims to follow the requirements of the standard; NIST itself recognizes only modules that have been validated. The obligation is not limited to manufacturers of physical hardware. U.S. federal agencies, and organizations that process sensitive data on their behalf, must protect that data with validated cryptography, so cloud services and software that stores critical information are commonly required to use a validated module. A self-declared claim of compliance has not been independently verified and on its own guarantees nothing; a FIPS 140-2 validation certificate is the evidence that the module actually meets the standard.
A FIPS 140-2 validation is granted after independent testing by one of the Cryptographic and Security Testing laboratories accredited under NIST's program (13 at the time of writing). The laboratory submits its test report to the Cryptographic Module Validation Program (CMVP), which issues the certificate if the module meets the requirements of the claimed level. The process typically takes months, and a module that fails must be fixed and retested. Validation is expensive, but it is the only recognized proof that a cryptographic module has met the standard's requirements, and it lets customers, especially those with a regulatory obligation, verify the claim against the CMVP's public list of validated modules.
There are several FIPS 140-2 approved algorithms, including AES, the encryption algorithm used by WinZip. The main categories are:
- Symmetric encryption: AES, Triple-DES, Escrowed Encryption Standard (the Escrowed Encryption Standard has since been withdrawn and Triple-DES deprecated by NIST; use AES for new designs)
- Digital signatures: DSA, RSA, ECDSA
- Secure hashing: SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256 (SHA-1 remains approved only for non-signature uses such as HMAC; it is no longer allowed for generating digital signatures)
- Authenticated encryption and message authentication: CCM, GCM, GMAC, CMAC, HMAC
For the full and current list of approved security functions, see Annex A of FIPS 140-2; approved random number generators are listed in Annex C.
The four FIPS 140-2 security levels, from basic to high, cover the needs of a wide range of products and deployment environments. In this article you have learned what FIPS 140-2 is, the difference between compliance and validation, what certification involves, and which algorithms the standard approves.
If you need to securely share or store files on your computer, then WinZip is the software for you.