FIPS-140 gains international acceptance

SAN FRANCISCO - The Federal Information Processing Standard for cryptographic modules, FIPS-140, has become the de facto international standard for cryptography, with 300 products validated by independent laboratories.

It is moving toward becoming an official international standard as well. In October, the International Standards Organization began considering a proposal to make FIPS-140-2 an international standard, and Britain in November accepted it as the standard for protecting personal information submitted to the government.

An ISO working group addressing the crypto standard will hold its first meeting next week in Quebec, said Annabelle Lee, director of the Cryptographic Module Validation Program for the National Institute of Standards and Technology, today at the RSA 2003 Security Conference.

NIST and its Canadian equivalent, the Communications Security Establishment, jointly run the validation program, which certifies product compliance with FIPS-140-2.

"I have heard that many states are recognizing FIPS-140," said Ray Snouffer, manager of NIST's Security Management and Testing Group. The standard is also required by many private-sector organizations, including banks in Europe and U.S. companies such as Visa International Service Association and Boeing Co. But the United Kingdom is the first country other than the United States to adopt the standard.

Andrew Veal, IT security engineer for England's Communications and Electronics Security Group, said the country turned to FIPS-140-2 when it set the ambitious goal of putting government services online by 2005. His group felt that British security standards for classified material were not appropriate to protect the private information citizens would be using online and selected FIPS-140-2 because it was in common use for protecting sensitive but unclassified data.

NIST developed FIPS-140-2 with an eye toward it becoming an international standard, Lee said. NIST removed government-specific language. Even so, it probably will be years before the standard becomes widely used internationally, Lee said. "It is not a fast process."

Snouffer said one of the benefits of the standard is how many problems in products are corrected during the validation process. He said 20 percent of products have security flaws when they enter the process, and 30 percent of crypto algorithms are implemented incorrectly.

"These are modules that are considered ready for the market by the vendors," he said.

About the Author

William Jackson is a Maryland-based freelance writer.
