FIPS testing finds lots of mistakes in crypto IT

About half of the cryptographic modules submitted for Federal Information Processing Standard validation have security flaws, a survey by the National Institute of Standards and Technology has found. Almost all evaluated products had documentation errors, said Annabelle Lee, director of NIST's Cryptographic Module Validation Program.

Speaking today at the Federal Information Assurance Conference at the University of Maryland, Lee cited the impact the FIPS validation program is having on cryptography vendors. She said 80 of 164 crypto modules submitted for evaluation had flaws involving physical security, random number generation or key management. Of 332 algorithms validated, 88, or about one-fourth, had security flaws, and about two-thirds had documentation errors.

Federal organizations must use FIPS-compliant crypto products for sensitive but unclassified data. FIPS 140-1 was the operative standard until it was replaced last year by FIPS 140-2. Since May, products can be evaluated only against 140-2.

Seven commercial laboratories in the United States, Canada and England are accredited to do the testing. NIST has simplified revalidation requirements to make it easier for 140-1-certified products to be certified under the new standard, Lee said. More than 260 validations have been issued for about 300 products from 60 companies.

About the Author

William Jackson is a Maryland-based freelance writer.
