[FDE] How important is FIPS 140-2 Level 1 cert?
Mike Markowitz
markowitz at infoseccorp.com
Wed Jan 3 14:00:40 MST 2007
John Bourgein wrote:
>There is almost no interest in FIPS 140-1 but great interest in FIPS 140-2
>at least on the part of the Federal government.
Just to set the record straight:
- although 140-2 is currently in effect, federal "agencies may continue to purchase, retain and use 140-1 validated modules"; modules tested under 140-1 are still regarded as meeting exactly the same regulatory requirements as those tested under 140-2; see http://csrc.nist.gov/cryptval/
- there are virtually no differences between the sets of hard requirements that a module must satisfy for certification at level 1 (e.g., software) under the two standards; for the most part, 140-2 simply increased the amount of required internal documentation; for details, see http://csrc.nist.gov/publications/nistpubs/800-29/sp800-29.pdf
- module validation certificates, whether under 140-1 or 140-2, NEVER expire
- according to NIST CMVP guidelines, modules tested under 140-1 need not, and in fact CANNOT, be re-tested under 140-2 unless they have undergone some potential security-impacting modification; unchanged modules do not need to be re-evaluated under a successor standard (FAQ: "... modules DO NOT require revalidation solely because the standard to which they were originally validated against is superseded by a new standard.")
All these issues are carefully discussed in the NIST CMVP FAQ http://csrc.nist.gov/cryptval/140-1/CMVPFAQ.pdf but are widely misunderstood or totally overlooked. So unfortunately, myths such as "there is almost no interest in FIPS 140-1" continue to propagate.
Hopefully any fanfare associated with the imminent release of the 140-3 draft will help people realize that each iteration of this beast doesn't "invalidate" the previous one.
-mjm