FIPS 140-2 now gets international respect
- By William Jackson
- Jul 10, 2003
The Federal Information Processing Standard for cryptographic modules, FIPS-140, has become a de facto international standard, with about 300 products validated by independent laboratories.
It also is moving toward official status around the world. In late 2002, the International Standards Organization began considering FIPS 140-2, and the United Kingdom chose it to protect personal data submitted to that government.
An ISO group is now studying the crypto standard, said Annabelle Lee, director of the Cryptographic Module Validation Program at the National Institute of Standards and Technology. She spoke at the recent RSA 2003 security conference in San Francisco.
NIST and its Canadian equivalent, the Communications Security Establishment, jointly run the validation program for products compliant with FIPS 140-2.
'I've heard that many states are recognizing it,' said Ray Snouffer, manager of NIST's security management and testing group. Some private-sector organizations also recognize it, he said, including European banks and U.S. companies such as Visa International and Boeing Co.
Andrew Veal, IT security engineer for the British government's Communications and Electronics Security Group, said it turned to FIPS 140-2 to meet the ambitious goal of putting government services online by 2005.
Veal said the group felt that British classified security standards were inappropriate for protecting individuals' private information. The CESG chose FIPS 140-2 because it was in common use for sensitive but unclassified data, he said.
NIST developed FIPS 140-2 without government-specific language, which would have discouraged international adoption, Lee said. But it probably will be years before the standard is widely used, she said, because that 'is not a fast process.'
Snouffer said 20 percent of products that enter FIPS testing still have security flaws, and 30 percent of crypto algorithms are implemented incorrectly.
'These are modules that are considered ready for the market by the vendors,' he said.
William Jackson is a freelance writer and the author of the CyberEye blog.