News regarding security breaches is broadcast almost every day. Unfortunately, it is now likely that an unauthorized entity will gain access to an organization’s data. The Federal Information Processing Standards Publication 140-2 (FIPS 140-2) is a US Government standard aimed at addressing such a security vulnerability and rendering proprietary data unusable should an unauthorized individual or entity get physical access to an organization’s computing hardware.

FIPS Overview

The FIPS 140-2 standard, entitled “Security Requirements for Cryptographic Modules”, specifies the security requirements for a cryptographic module utilized within a security system for protecting sensitive information. Although FIPS was initially developed for the US government and private entities engaged in dealings with the government, companies have now embraced FIPS 140-2 and are beginning to embrace FIPS 140-3 as information security standards.

A cryptographic module is any combination of computer hardware, firmware or software that encrypts or decrypts data, applies a digital signature, applies a variety of authentication techniques, and/or uses random number generation. In simplest terms, it prevents unauthorized parties from being able to use sensitive data even if they get access to it.

The FIPS 140-2 standard has 4 levels, each level being a superset of a lower level and providing increasing security for proprietary data:

  • Level 1 is the lowest FIPS 140-2 security level, requiring at least one approved algorithm or security function, such as data encryption, to be used when sensitive data resides on a computer. A production-grade enclosure with a removable cover is acceptable.
  • Level 2 augments data encryption by adding the requirement of physical tamper-evidence capabilities such as coatings, seals, and locks for the networking system. It requires the addition of tamper-evident seals on the chassis and a tamper-evident coating on the cryptographic module intelligence.
  • Level 3 supplements Level 2 capabilities by preventing a malicious source from gaining access to critical security parameters (CSPs), e.g., secret and private cryptographic keys and authentication data such as passwords and PINs, by zeroing CSPs in the case of unauthorized physical access to the computing device. Hardware must be significantly hardened to prevent and detect malicious entry.
  • Level 4 is the highest level of FIPS 140-2 security and provides a comprehensive detection ‘envelope’ for all cryptographic modules with the goal of preventing, discovering, and countering all unsanctioned efforts at physical access.

FIPS 140-2 Level 3: Enabling Secure Management of Encryption Keys

Government agencies and enterprises that deal with storage and sharing of sensitive data require FIPS 140-2 compliant network and security solutions. Agencies and businesses that want to assure the security of their sensitive data should be particularly focused on safeguarding their cryptographic keys so they remain secure; such entities need FIPS 140-2 Level 3.

Beyond the tamper-evident physical security features called for in FIPS 140-2 Level 2, Level 3 prevents malicious entities from gaining access to critical security parameters (CSPs) stored in the cryptographic module. Level 3 physical security features are meant to have a high likelihood of discovering and countering attempts at unauthorized physical access, use or modification of the cryptographic module. The physical security features may comprise the use of robust enclosures and tamper discovery and response features which reset all plaintext CSPs to zeros if the covers or doors of the cryptographic module are unsealed.

FIPS 140-2 Level 3 requires identity-based authentication mechanisms, which authenticate the identity of an operator and verify that the identified operator is authorized to assume a specific role and perform a corresponding set of services. For example, using identity-based authentication, the cryptographic device will allow authorized operators to open the seals and access the keys, but only after successfully authenticating.
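A minimal software model of the two Level 3 behaviours described above: identity-based authentication followed by role and service checks, and zeroization of plaintext CSPs on a tamper event. This is an added example, not Interface Masters code or text from the standard; `ToyModule`, the role names and the `mac` service are hypothetical.

```python
import hashlib, hmac, os

# Constructed role-to-service map; role and service names are hypothetical.
ROLE_SERVICES = {"crypto_officer": {"zeroize"}, "user": {"mac"}}

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ToyModule:
    """Software model only; a real module enforces this in hardware/firmware."""

    def __init__(self):
        self._key = bytearray(os.urandom(32))  # plaintext CSP in mutable memory
        self._operators = {}                   # id -> (salt, password hash, roles)
        self.zeroized = False

    def enroll(self, op_id, password, roles):
        salt = os.urandom(16)
        self._operators[op_id] = (salt, _kdf(password, salt), set(roles))

    def zeroize(self):
        """Overwrite the plaintext CSP in place and refuse further services."""
        for i in range(len(self._key)):
            self._key[i] = 0
        self.zeroized = True

    def tamper_event(self):
        """Tamper response (cover or door opened): zeroize immediately."""
        self.zeroize()

    def request(self, op_id, password, role, service, data=b""):
        if self.zeroized:
            raise PermissionError("CSPs zeroized")
        record = self._operators.get(op_id)
        # 1. Authenticate the individual operator, not just a shared role secret.
        if record is None or not hmac.compare_digest(_kdf(password, record[0]), record[1]):
            raise PermissionError("identity not authenticated")
        # 2. Verify this operator may assume the requested role.
        if role not in record[2]:
            raise PermissionError("role not authorized for operator")
        # 3. Verify the role offers the requested service.
        if service not in ROLE_SERVICES.get(role, set()):
            raise PermissionError("service not offered to role")
        if service == "zeroize":
            self.zeroize()
            return b""
        return hmac.new(bytes(self._key), data, hashlib.sha256).digest()
```

The order of checks matters: identity first, then role, then service, with the zeroized state overriding all of them.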

Hardware Security Module (HSM) for FIPS 140-2 Level 3 Compliance

A hardware security module, or HSM, is a dedicated, FIPS 140-2 standards-compliant cryptographic device designed to protect sensitive data in transit, in use, and at rest through the use of physical security measures, logical security controls, and strong encryption.

Interface Masters Technologies: Embedded Appliances Enabling Inherent Threat Defense

Interface Masters embedded appliances support both FIPS 140-2 Level 2 and FIPS 140-2 Level 3 designs. Interface Masters’ HSM-enabled embedded appliances protect key storage utilizing tamper-evident capabilities and other physical security capabilities while meeting ever-greater encryption/decryption performance requirements, simplifying certificate management, and reducing compliance costs.

Interface Masters Technologies has for over 20 years been providing off-the-shelf innovative network security solutions with customization services to OEMs, Fortune 100, and startup companies. Our headquarters are located in San Jose, California in the heart of Silicon Valley where we are proud to design and manufacture all of our products. Based on MIPS, ARM, PowerPC and x86 processors, Interface Masters appliance models enable OEMs to significantly reduce time-to-market with reliable, pre-tested and pre-integrated networking solutions that can meet the most challenging security requirements.

Tamper-Evident, Intrusion-Resistant Networking Solutions (FIPS 140-2)

Brian Shannon - VP Product

| September 14, 2020
