FIPS testing finds lots of mistakes in crypto IT

FIPS testing finds lots of mistakes in crypto IT

About half of the cryptographic modules submitted for Federal Information Processing Standard validation have security flaws, a survey by the National Institute of Standards and Technology has found. Almost all evaluated products had documentation errors, said Annabelle Lee, director of NIST's Cryptographic Module Validation Program.

Speaking today at the Federal Information Assurance Conference at the University of Maryland, Lee cited the impact the FIPS validation program is having on cryptography vendors. She said 80 of 164 crypto modules submitted for evaluation had flaws involving physical security, random number generation or key management. Of 332 algorithms validated, 88, or about one-fourth, had security flaws, and about two-thirds had documentation errors.

Federal organizations must use FIPS-compliant crypto products for sensitive but unclassified data. FIPS 140-1 was the operative standard until it was replaced last year by FIPS 140-2. Since May, products can be evaluated only against 140-2.

Seven commercial laboratories in the United States, Canada and England are accredited to do the testing. NIST has simplified revalidation requirements to make it easier for 140-1-certified products to be certified under the new standard, Lee said. More than 260 validations have been issued for about 300 products from 60 companies.

About the Author

William Jackson is a Maryland-based freelance writer.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected