Status of federal encryption standard gains increasing acceptance
By Linda Faust, Network World, 11/07/2005
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
With security concerns about compromised accounts, phishing and fraud increasing rapidly, more enterprise organizations recognize the risks and are working to improve security controls.
Born out of efforts by the U.S. National Institute of Standards and Technology (NIST) and Canada's Communications Security Establishment to protect government IT systems, the Federal Information Processing Standard (FIPS) 140-2 encryption standard is gaining increasing acceptance in security-sensitive corporations. FIPS 140-2 also is the basis of ANSI X9.66, a draft standard for financial institutions.
FIPS 140-2 provides a third-party-verified security standard with a federal-government heritage that ensures corporations' data security and can help them meet the IT-compliance requirements of the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, and other federal mandates.
The FIPS 140-2 standard pertains to sensitive but unclassified information. It specifies four levels of encryption and security that depend on data sensitivity (for example, low-value administrative, million-dollar transaction or life-protecting data) and diversity of application environments (for example, a guarded facility, an office or a completely unprotected location). Each level offers an increase in security over the preceding level. Together, the four levels of security allow cost-effective solutions that are appropriate for different degrees of data sensitivity and different environments.
Level 1 is the lowest FIPS 140-2 security level. Examples of products that use Level 1 security are PC encryption and software that runs on a PC and supports a single user. For Level 2, cryptographic modules must run on validated hardware under validated operating systems and provide evidence of tampering and role-based authentication. Levels 3 and 4 have additional protection requirements, such as identity-based authentication, additional physical-security mechanisms to prevent an intruder from gaining access to critical security parameters, and environmental monitoring to ensure the integrity of the cryptographic module in conditions outside the normal operating range of the equipment.
Compliant encryption products usually allow the secure FIPS mode to be selectively enabled. While many FIPS-required changes are invisible to users, others will be very visible. For example, when FIPS is enabled on a console server, many less-secure features, protocols and encryption support are disabled and higher-security options are set. Typical changes include disabling applications, such as telnet, rlogin or Lightweight Directory Access Protocol, that use plain-text passwords; requiring passwords to be more than six characters; and setting strict limits and restrictions on operating system access - for example, to a Linux shell.
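The FIPS-mode changes listed above can be turned into a simple compliance check. The following is an added example, not code from the article or from any vendor's product: it audits a console-server configuration against those three points (plain-text-password services disabled, passwords longer than six characters, restricted shell access). The key=value configuration syntax, the setting names and the sample configurations are assumptions constructed for illustration; real devices use their own formats.

```python
# Services the article names as using plain-text passwords; FIPS mode disables them.
PLAINTEXT_SERVICES = {"telnet", "rlogin", "ldap"}
MIN_PASSWORD_LENGTH = 7  # article: passwords must be more than six characters


def parse_config(text):
    """Parse assumed 'key = value' lines into a dict; '#' starts a comment."""
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        config[key.lower()] = value.lower()
    return config


def audit_fips_mode(text):
    """Return a list of findings; an empty list means the config is compliant."""
    cfg = parse_config(text)
    findings = []
    if cfg.get("fips_mode") != "on":
        findings.append("fips_mode is not enabled")
    for svc in sorted(PLAINTEXT_SERVICES):
        if cfg.get(f"service.{svc}") == "enabled":
            findings.append(f"plain-text service {svc} is enabled")
    try:
        if int(cfg.get("password.min_length", "0")) < MIN_PASSWORD_LENGTH:
            findings.append("password.min_length allows six characters or fewer")
    except ValueError:
        findings.append("password.min_length is not a number")
    if cfg.get("shell.access", "unrestricted") != "restricted":
        findings.append("operating-system shell access is not restricted")
    return findings


# Constructed sample configurations: the same console server before and after FIPS mode.
BEFORE_FIPS = """
fips_mode = off
service.telnet = enabled
service.ssh = enabled
service.ldap = enabled   # binds with plain-text passwords
password.min_length = 6
shell.access = unrestricted
"""

AFTER_FIPS = """
fips_mode = on
service.telnet = disabled
service.ssh = enabled
service.ldap = disabled
password.min_length = 8
shell.access = restricted
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_FIPS), ("after", AFTER_FIPS)):
        print(label, audit_fips_mode(cfg) or "compliant")
```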
FIPS 140-2-certified products go through a detailed review and testing, including direct code review, by a NIST-approved agency to ensure the trustworthiness of the implementation's cryptographic algorithms, loading methods, operating systems, documentation, operating software and hardware.
Comments (1)
RE: Status of federal encryption standard gains increasing acceptance
By Patrick on October 31, 2007, 2:14 pm
I'd like that list of 150 vendors of FIPS-2 hardware/software. I am trying to find vendors for USB memory stick that are fips-2 certified, not validated, there is...