<html><body bgcolor="FFFFFF">

<center><h1>CSL BULLETIN</H1><br>

<h2>For FIPS 140-1</H2></CENTER>

<b>FIPS 140-1:  A FRAMEWORK FOR CRYPTOGRAPHIC

STANDARDS</B><br>

On July 17, 1995, the National Institute of Standard and

Technology (NIST), Computer Systems Laboratory (CSL),

established

the Cryptographic Module Validation (CMV) Program which

validates

cryptographic modules to Federal Information Processing Standard

(FIPS) 140-1, Security Requirements for Cryptographic Modules. 

Under this program, vendors of cryptographic modules use

independent, accredited testing laboratories to have their

modules tested.  The program was jointly developed by NIST and

the Communications Security Establishment of the government of

Canada.  Products validated as conforming to FIPS 140-1 will be

accepted for use by the federal agencies of both countries for

the protection of sensitive, unclassified information.  The goal

of the CMV Program is to provide federal agencies with a security

metric to use in procuring equipment containing cryptographic

modules.  The results of the independent testing, by accredited

laboratories, provide this metric.  Federal agencies can choose

products from the FIPS 140-1 Validated Products List and know

that their FIPS 140-1 requirements have been met.

<p>

This bulletin discusses when and how FIPS 140-1 should be used

and examines the benefits that agencies can derive in using the

standard.  While the bulletin highlights several critical issues

that federal agencies need to consider, agencies should rely on

FIPS 140-1 for precise applicability statements, requirements,

and policy for use.

<p>

<b>FIPS 140-1 as a Framework Standard</B><br>

A cryptographic module is that part of a system or application

that provides cryptographic services such as encryption,

authentication or electronic signature generation and

verification.  A cryptographic module that is designed to meet

FIPS 140-1 incorporates cryptographic algorithms and functions

specified in related FIPS and other security features that are

necessary for the security of the module.  The standard is

flexible in that it allows application or program managers to

choose the robustness of the security features and functionality

that is needed.  The standard specifies four increasing security

levels to allow for cost-effective cryptographic solutions that

are appropriate for different degrees of data sensitivity and

different application environments.  FIPS 140-1 defines the

framework for NIST's current and future cryptographic standards. 

<p>

<b>Background</B><br>

Federal Standard (FS) 1027, General Security Requirements for

Equipment Using the Data Encryption Standard, was issued by the

General Services Administration in 1982.  The standard prescribed

the minimum general security requirements for the implementation

of the Data Encryption Standard (DES) in telecommunications

equipment and systems used by the federal government.  The

responsibility for FS 1027 was transferred to NIST in 1988 and FS

1027 was redesignated as FIPS 140.

<p>

NIST recognized the need to revise FIPS 140 to reflect the

evolving needs of users and manufacturers, and to incorporate

current trends and capabilities in technology.  A notice was

published in the Federal Register in 1988 to solicit the views of

industry, the public, and federal, state and local governments

regarding the planned revision of FIPS 140.  NIST received

numerous comments which encouraged the planned revision and

offered specific suggestions for changes.

<p>

The resulting revised standard, FIPS 140-1, Security Requirements

for Cryptographic Modules, was developed by a committee of

government and industry participants which was organized by NIST

in 1989.  A Federal Register notice in 1991 announced the

proposed revision of the standard and requested comments from

government and industry.  Numerous comments and suggestions

were

received, many of which were incorporated into the final version

of the standard.  On January 11, 1994, NIST issued FIPS 140-1 as

an approved standard, with an effective date of June 30, 1994.

<p>

<b>Applicability</B><br>

For all federal agencies, including defense agencies, the use of

encryption products which conform to FIPS 140-1 is mandatory for

the protection of sensitive unclassified information when the

agency determines that cryptographic protection is required. 

Note that information covered by 10 U.S.C. 2315, commonly

referred to as the Warner Amendment, is excluded from this

requirement.  Agencies are required to use the standard in

designing, acquiring, and implementing cryptographic-based

security systems within computer and telecommunications systems

(including voice systems). 

<p>

<b>Definition of a Cryptographic Module</B><br>

A cryptographic module (cryptomodule) is a set of hardware,

firmware or software, or some combination thereof, that

implements cryptographic logic or processes.  Examples include a

standalone piece of equipment such as a link encryptor, an add-on

encryption board embedded into a computer system, and a software

application running on a microprocessor such as a digital

signature application that services many other applications.  If

the cryptographic logic is implemented in software, then the

processor which executes the software is also part of the

cryptographic module. 

<p>

<b>Structure of the Standard</B><br>

FIPS 140-1 identifies eleven areas of security requirements over

the following four security levels:



The <b>Level 1</B> requirements of the standard specify the basic

security requirements for a cryptographic module (e.g., the

encryption algorithm must be FIPS-approved).  No physical

security mechanisms are required for the module beyond the

requirement for production-grade equipment.  Level 1 allows the

use of integrated circuit (IC) cards (i.e., smart cards) and

software implementations which are utilized in general purpose,

single-user personal computers (PC).  NIST believes that such

implementations are often appropriate in low-level security

applications.  Smart cards enhance the security of most systems. 

Since the card is kept in the user's possession, additional

physical security measures are often not necessary.  Many vendors

use smart cards as a secure medium when distributing

cryptographic keys.  The implementation of PC cryptographic

software may be more cost-effective than hardware-based

mechanisms.  

<p>

<b>Level 2</B> improves on the physical security of a Level 1

cryptographic module by adding the requirement for tamper

evidence through the use of tamper-evident coating or seals, or

pick-resistant locks.  These requirements provide a cost-

effective means for physical security and avoid the cost of the

higher level of protection required at Levels 3 and 4.  The basic

security concept is that the coating or seal placed on the module

would have to be broken in order to attain physical access to the

plaintext cryptographic keys and other critical security

parameters within the cryptographic module.  Level 2 provides

role-based authentication which allows groups of users to utilize

the services of the cryptographic module without each user being

uniquely identified.  For example, a set of security officers may

all use their own copy of the same physical key that is inserted

and turned to reset a cryptographic module to an operational

status.  The cryptographic module can authenticate that the user

is a security officer; however, the module does not uniquely

identify which officer.  

<p>

Level 2 requirements also allow software cryptography in multi-

user, multi-tasking systems when used in conjunction with a C2

or equivalent trusted operating system.  The controls provided by

a trusted operating system are needed to maintain the security

necessary for protected information such as private or secret

keys, authentication information, the algorithm software, and

other necessary parameters.  

<p>

A <b>Level 3</B> cryptographic module has requirements that help

to

prevent an intruder from gaining access to the cryptographic

keys, authentication data, and other security parameters held

within the cryptographic module.  The covers and doors of the

module contain zeroization circuitry such that an unauthorized

attempt to open a cover or door will zeroize the keys,

authentication data, and other security parameters.  The keys,

authentication data, and other security parameters are input to

the module through separate ports and trusted paths.  The key

management requirements at this level specify split-knowledge

techniques.  A split-knowledge technique ensures that a

cryptographic key is under the control of two or more users. 

Each user has a key component which, individually, conveys no

knowledge of the resultant key.  Level 3 allows software

cryptography in multi-user, multi-tasking systems when a B1 or

equivalent trusted operating system is employed.

<p>

A <b>Level 4</B> cryptographic module provides an envelope of

protection

around the cryptographic module.  The intent of Level 4

protection is to detect a penetration of the device from any

direction (rather than just attempts at the cover or door covered

by Level 3 requirements) and respond by destroying critical

information before it can be acquired.  For example, if one

attempts to cut through the cover of a cryptographic module, the

attempt should be detected and all critical security parameters

should be zeroized.  Level 4 allows software cryptography in

multi-user, multi-tasking systems when a B2 or equivalent trusted

operating system is employed.  A B2 operating system provides a

large number of assurances of the correct operation of the

security features of the operating system.

<p>

<b>The Eleven Security Requirements Areas</B><br>

<b>Cryptographic Module Specification</B> requirements ensure

that the

cryptographic module is explicitly defined.  Modules must have

defined hardware components, software components, and firmware

components if applicable.  The module must have a stated security

policy that is reflected in the design and intended use of the

module.  The module must have every operational and error state

defined as specified in the <b>Finite State Machine Model</B>

requirements.  The requirements in these areas help agencies to

determine exactly what a particular cryptographic product

consists of, help ensure that vendors use good design techniques

in building a cryptographic module, and allow NIST to more easily

determine if the requirements for a particular module have been

met.

<p>

<b>Module Interface</B> requirements help ensure that all

information

flow and physical access to and from the module are well-defined

and controlled.  At the higher security levels, requirements help

ensure that critical information such as authentication

information and cryptographic keys are not compromised when

entered or output from the module.  

<p>

<b>Roles and Services</B> requirements help ensure that the

module

supports defined authorized roles and corresponding services. 

The module must also provide a mapping of the services to the

roles.  At Level 2, the module must be able to authenticate that

an operator of the module can assume a specific role (i.e., role-

based authentication).  At Levels 3 and 4, the module must be

able to uniquely authenticate the operator (identity-based

authentication).

<p>

<b>Physical Security</B> requirements help restrict unauthorized

physical access to the contents of the module and to deter

unauthorized use or unauthorized modification of the module. 

Level 1 requires standard protection provided by production-grade

techniques.  Level 2 requires that modules can show evidence of

tampering.  Level 3 requires that modules zeroize unprotected

cryptographic keys, authentication data, and other important

information when the module detects tampering or an unauthorized

access attempt through the cover or doors of the module's

enclosure.  Level 4 requires that modules respond as in Level 3;

however, the module must detect tampering or attempts anywhere

on

the module's enclosure.

<p>

<b>Software Security</B> requirements apply to security-relevant

software or firmware that may be contained within the module. 

These requirements help ensure that the software corresponds to

and has correctly implemented the defined security policy of the

module.  At Level 4, more vigorous requirements require formal

proof of this correspondence.

<p>

<b>Operating System Security</B> requirements help protect

cryptographic

software implementations in modules where untrusted software will

also be used.  The Level 1 requirements allow software

cryptographic functions to be run on a general-purpose PC. 

Requirements at the higher levels help ensure the security of

software cryptography in multi-user, time-shared systems by

requiring a trusted operating system.

<p>

<b>Key Management</B> requirements help ensure the security of

cryptographic keys throughout the cryptographic key life cycle. 

Requirements in this area relate to key generation, distribution,

entry, use, storage, destruction, and archiving.  FIPS approved

methods are required for key generation and distribution. 

However, until a FIPS approved public key-based key distribution

technique is established, commercially available public key

methods may be used (e.g., the Diffie-Hellman public key

distribution technique).  To prevent the compromise of

electronically distributed secret or private keys, requirements

specify that the keys should always be entered into or out of the

module in encrypted form.  Manually distributed keys, which

should be protected using safeguards and procedures that are

beyond the scope of this standard, can be entered or output from

the module in plaintext form at Levels 1 and 2.  Levels 3 and 4

requirements provide for applications where dual control of keys

are needed.  This requires the module to support key entry by

either entering the key in encrypted form or using split-

knowledge procedures.  Split-knowledge procedures force the key

to be entered or output as two key components.  

<p>

The <b>Cryptographic Algorithm</B> requirement mandates that

the module

implement a FIPS approved cryptographic algorithm.  The current

FIPS approved cryptographic algorithms include:  the Data

Encryption Standard (FIPS 46-2) and the Escrowed Encryption

Standard (FIPS 185) for encryption; the Computer Data

Authentication Standard (FIPS 113) and the Digital Signature

Standard (FIPS 186) for authentication and signature

generation/verification; and the Secure Hash Standard (FIPS 180-

1) for use when a secure hash algorithm is required.  Modules

must meet the requirements within the respective standard of the

implemented algorithm.  In addition to FIPS approved algorithms,

products may also contain other algorithms that are not FIPS

approved.  However, an algorithm that is not FIPS approved may

not be used in lieu of the FIPS approved algorithm for government

applications.

<p>

<b>Self-Test</B> requirements help ensure that the cryptographic

processing of the module is operating correctly.  These self-

tests check the cryptographic algorithm, software, and firmware

integrity and other vendor-defined critical functions.<p>



<b>Effective Use of FIPS 140-1</B>

The following steps are recommended when implementing a

cryptographic system:<br>

<ul>

<li>Identify information resources and determine the sensitivity

to and potential impact of losses.  Determine security

requirements based on risk assessment and applicable

organizational security policies.  Look at data sensitivity and

the environment in which the data is placed.  Consider threats to

the data or application as a whole, and what level of risk is

acceptable.  Define this level of risk.

<br><br>

<li>Determine the acceptable safeguards for the system under

review.  Determine which cryptographic services provide an

acceptable safeguard.  Define those security features that are

desirable for use in a cryptographic environment.  

<br><br>

<li>Examine FIPS 140-1.  Consider the requirements in each area. 

Determine those requirements that specify the features that are

desired.  Determine those requirements (if any) specified in FIPS

140-1 that were not originally considered.  Specify the

appropriate level in each area of the standard based on the

acceptable level of risk.

<br><br>

<li>Obtain or develop cryptographic modules that meet or exceed

the selected levels.

</UL><br>

While the security requirements specified in this standard are

intended to maintain the security of the cryptographic module,

conformance to FIPS 140-1 does not guarantee that a particular

module is secure.  It is the responsibility of the manufacturer

of a cryptographic module to build the module in a secure manner. 

Similarly, the use of a cryptographic module that conforms to

this standard in an overall system does not guarantee the

security of the overall system.  The responsible authority in

each agency must assure that an overall system provides an

acceptable level of security.  

<p>

<b>Selecting an Appropriate Level</B><br>

An application or program manager need not choose the same level

for all eleven requirements.  The standard's flexibility allows

for choosing different levels among the eleven requirement areas. 

Using this flexibility is encouraged.  As an example, consider an

organization that will be using a digital signature generation

and verification software implementation on a multi-tasking,

multi-user operating system.  The organization determines the

need to use a trusted operating system to protect the integrity

and availability of the encryption software for all system users. 

The organization may require Level 2 Operating System

requirements.  The organization then determines that solid key

management, including split-knowledge procedures, is critical in

this application and requires Level 3 Key Management

requirements.  However, only Level 1 Physical Security

requirements for the system are necessary since the controls and

procedures used to maintain a secure facility and the personnel

operating the system are adequate in protecting the system

physically.  As this example shows, a different level of the

standard can be chosen for the different areas covered by the

standard.

<p>

<b>Determining Conformance to FIPS 140-1</B><br>

The CMV Program validates cryptographic modules as conforming

to

FIPS 140-1.  The National Voluntary Laboratory Accreditation

Program (NVLAP), administered by NIST, accredits independent

testing laboratories to perform the FIPS 140-1 tests.  Vendors of

cryptographic modules use these laboratories to have their

modules tested.  The accredited laboratories send the test

results to NIST.  

<p>

Based on the test results from these laboratories, NIST

determines the level of conformance to the standard and issues an

appropriate validation certificate of conformance.  Since the

initiation date of the CMV Program was July 17, 1995, NIST

encourages federal agencies to begin specifying FIPS 140-1

validated products in their procurements.  However, federal

agencies may accept written affirmation from cryptomodule vendors

as evidence of conformance to FIPS 140-1 until January 31, 1996. 

After that date, agencies should procure only those products that

are either validated or have been submitted to an accredited 

testing laboratory for testing.  After January 31, 1997, federal

agencies should procure only products that have been validated by

NIST under the CMV Program.  The list of validated products is

available electronically at http://csrc.ncsl.nist.gov.

<p>

Products that have been endorsed by the National Security Agency

as meeting FS 1027, or have been affirmed in writing as meeting

FIPS 140, can be purchased without NIST validation until June 30,

1997.  After that date, agencies should purchase products only if

they have been NIST-validated.  Agencies that purchase equipment

under the conditions above may continue to use the equipment

without requiring further affirmation or validation for

conformance to this standard.  NIST maintains a list of products

that are available under the FS 1027 and FIPS 140 provisions. 

<p>

For More Information

FIPS 140-1, the validated products list, and a listing of NVLAP

accredited laboratories are available electronically at

http://csrc.ncsl.nist.gov.  FIPS 140-1 can also be obtained in

hard copy from the National Technical Information Service (NTIS)

at (703) 487-4650.  Questions regarding the CMV Program should

be

directed to Lisa J. Carnahan at (301) 975-3362 or

[email protected]. 

<br><hr><br>

</BODY></HTML>