Why and How to Get Cryptographic Modules FIPS Validated

While the modern information and communication technologies brings us the convenience of working from home, e-banking, e-commerce, as well as many public services accessible online, it highly demands the protection of sensitive information. Among a variety of information security approaches to build the defense in depth, cryptography is at the foundation of all information security in terms of confidentiality, authentication, non-repudiation, and data integrity. As cryptography has become increasingly mathematical in nature, its design and implementation can be error-prone. It will be wise to use the NIST approved cryptographic algorithms and have their implementations tested under Cryptographic Algorithm Validation Program (CAVP). Even after algorithm implementations are tested, things can still go very wrong if the cryptographic sensitive parameters are not well protected or well generated to begin with. This is where the NIST Cryptographic Module Validation Program (CMVP) comes to the rescue. The cryptography that is not validated by CMVP is viewed by NIST as providing no protection to the information or data; in effect the data would be considered unprotected plaintext. The validation program against the open FIPS 140-2 standards provides the following benefits:

• Modules that have undergone the CMVP validation provide cryptographically sound protections over sensitive data.
• Modules that have achieved FIPS 140-2 certification differentiate themselves from competing products due to their assured quality through an independent third-party.
• Vendors who take up the challenge of having their products tested under an open standard demonstrate their commitment to security and their dedication to perfect their products, which in turn helps them to build up a good reputation and gain the customers’ trust.
• Due to the widely recognized merit of FIPS 140-2 certification, the standard itself is also evolving to be an international standard under ISO/IEC FDIS 19790. Vendors with the FIPS 140-2 validation experience are well positioned to quickly advance to meet the requirements from the international standard for cryptographic modules. This surely helps vendors to penetrate and gain the international market.

The validation effort can start with training on FIPS 140-2 and other cryptographic-based standards as early as the initial phase of module design. If planned properly, the modules that are constrained to a validation budget may consider achieving the certification in two steps. For a more detailed discussion on why and how to get cryptographic modules FIPS validated, please read this article.

by Yi Mao