Developers say FIPS 140-2, WiFi security are big hurdles
- By Susan M. Menke
- Jan 25, 2005
Developers at a recent encryption conference in Toronto said their toughest job is plugging security holes in their products to meet the encryption requirements of Federal Information Processing Standard 140-2.
The conference, sponsored by elliptical-curve cryptography vendor Certicom Corp. of Mississauga, Ont., drew 60 top systems integrators and middleware vendors from around the world, who were subsequently surveyed about their concerns.
'FIPS 140-2 compliance is difficult and time-consuming,' Certicom's Brendan Ziolo said. 'A surprising number of implementations fail, and the testing can take eight to 12 months.' About 30 percent of new crypto modules do not pass the FIPS 140-2 tests, designed by the National Institute of Standards and Technology, he said, and about 20 percent of returning modules still have security flaws.
Another hurdle is wireless security. 'A lot of middleware developers are looking to extend their applications to wireless, but the Wired Equivalent Privacy algorithm was broken very quickly, and no real standard has replaced it,' Ziolo said.
In the survey, developers ranked fast, efficient performance as the top criterion for organizations trying to strengthen encryption security. Other important concerns are quality of the chosen algorithm and access to the source code, they said.
Sixty percent of the respondents said they use open-source and other publicly available algorithms during product development; 40 percent continue to use it in their production systems.