A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2
Stanley R. Snouffer, Arch Oldehoeft
Federal agencies, industry, and the public now rely on cryptography to protect information and communications used in critical infrastructures, electronic commerce, and other application areas. Cryptographic modules are implemented in these products and systems to provide cryptographic services such as confidentiality, integrity, non-repudiation and identification and authentication. A documented methodology for conformance testing through a defined set of security requirements in FIPS 140-1 and FIPS 140-2 and other cryptographic standards is specified in the Derived Test Requirements.

FIPS 140-1 is one of NIST's most successful standards and forms the very foundation of the Cryptographic Module Validation Program. FIPS 140-2 addresses lessons learned from questions and comments and reflects changes in technology. The standard was strengthened, but not changed in focus or emphasis. Also, the standard was minimally restructured to:

- Standardize the language and terminology to add clarity and consistency,
- Remove redundant and extraneous information to make the standard more concise, and
- Revise or remove vague requirements.

Finally, a new section was added detailing new types of attacks on cryptographic modules that currently do not have specific testing available. This differences paper summarizes the changes from FIPS 140-1 to FIPS 140-2 and documents the detailed requirements.
and Oldehoeft, A.
A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=151243
(Accessed December 3, 2023)