The National Institute of Standards and Technology (NIST) has released for public comment a new revision of one of its key computer security documents, a set of information processing standards governing the use of cryptographic modules by civilian federal agencies and government contractors.
The NIST document, the Revised Draft of Federal Information Processing Standards (FIPS) 140-3, updates the federal government's guiding document for testing and validation of cryptographic modules, which are computers' primary line of defense for confidential data. Each module receives a security level rating that depends on the amount of protection it provides. The revised draft of FIPS 140-3 will be available for public comment until March 11, 2010.
When completed, the update will be the third version of the original cryptography standards document, which was created in 1995 as FIPS 140-1 and first updated in 2001. NIST's William Burr says that another update is needed because of the evolution of computing systems, how they do cryptography, as well as the evolution of attacks. "It used to be these modules were a dedicated separate device, protecting a single link between two points. But in the majority of cases nowadays you're running a security program instead, on a general purpose computer— encrypting traffic over the Internet, connected by many links to different points," says Burr, a computer security specialist. "We're also now widely using cryptography on things like ID cards that are exposed to different kinds of attacks. We have to take these changes into account."
The Revised Draft incorporates improvements made to a previous draft, which was released for public comment in July 2007. This new second-round draft differs from both the 2007 document and the 2001 updated version (FIPS 140-2). Some of the Revised Draft's key changes include:
- While the 2007 draft proposed five levels of security, the Revised Draft reverts to the four levels currently specified in FIPS 140-2.
- The Revised Draft also reintroduces the notion of a cryptographic module made with "firmware" (software only a manufacturer can alter) and defines the security requirements for it.
- It removes the requirement for a manufacturer to provide a formal model of the cryptographic module and the details of its operation in order for it to attain the highest security level rating.
- Requirements now exist at higher security levels for mitigating non-invasive attacks, which can find the keys to access a secure system not by analyzing encrypted data, but by measuring other operating characteristics, such as precise power consumption.
For more information, including details on how to comment on the Revised Draft, visit http://csrc.nist.gov/news_events/index.html#dec11.
* PDF copies of the Revised Draft of FIPS 140-3 can be downloaded from http://edocket.access.gpo.gov/2009/pdf/E9-29567.pdf.