FIPS testing finds numerous crypto errors
About half of the cryptographic modules submitted for Federal Information Processing Standard validation have security flaws, a National Institute of Standards and Technology survey has found.
Almost all the evaluated products had documentation errors, said Annabelle Lee, director of NIST's Cryptographic Module Validation Program. Speaking recently at the Federal Information Assurance Conference at the University of Maryland, Lee said 80 of 164 crypto modules evaluated had flaws involving physical security, random number generation or key management. Of 332 algorithms validated, 88 had security flaws, and about two-thirds had documentation errors.
Federal organizations are required to use FIPS-compliant crypto products for sensitive but unclassified data.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.