Crypto standard up for review
Federal Information Processing Standard 140-3 is open for review
The latest version of the Federal Information Processing Standard for cryptographic modules, intended, among other things, to add protection for smart cards, has been released for comment by the National Institute of Standards and Technology.
Comments on the FIPS 140-3 draft (GCN.com/812) are due by Oct. 11.
The current standard, FIPS 140-2, grew out of Federal Standard 1027, General Security Requirements for Equipment, which used the now-outdated Data Encryption Standard. FIPS 140-1 was issued in 1994 with a requirement that it be reviewed every five years. The review and revision process can take several years, and FIPS 140-2 was approved in 2001.
The third iteration contains the updates and clarifications that every maturing standard undergoes, but it also tackles a problem of growing concern: power analysis attacks, in which a hacker reads the power fluctuations in a working smart-card cryptographic module to crack its code.
Power analysis was a relatively new technique for cracking codes in single-chip processors when FIPS 140-2 was approved, said Stan Kladko, director of the FIPS validation lab at BKP Security Labs.
Today, though, "this is one of the bread-and-butter attacks," said Paul Kocher, president at Cryptography Research.
"We looked at this back when 140-2 was developed," said Ray Snouffer, manager of NIST's security testing and metrics group. "We understand it a little better now."
Written comments may be sent to: Chief, Computer Security Division, Information Technology Laboratory, Attention: Dr. Allen Roginsky, 100 Bureau Drive - Stop 8930, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930. Electronic comments may be sent to: FIPS140firstname.lastname@example.org.
Comments will be published at http://csrc.nist.gov/cryptval/ 140-3htm.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.