Request a Demo

What is FIPS Compliance?

The Federal Information Processing Standards (FIPS) are standards specified by the United States Government for approving cryptographic software. The National Institute of Standards and Technology (NIST) has so far issued the FIPS 140-1 and FIPS 140-2 standards, and FIPS PUB 140-2 is the standard for “Security Requirements for Cryptographic Modules”.

The FIPS standards specify the best practices and security requirements for implementing crypto algorithms, encryption schemes, handling important data, and working with various operating systems and hardware, whenever cryptographic-based security systems have to be used to protect sensitive, valuable data. FIPS defines specific methods for encryption and specific methods for generating encryption keys that can be used.

FIPS Compliance is mandatory for US government computers, which means that all computers used for government work must be FIPS compliant. Government/federal organizations, subsidiaries, and its contractors must ensure FIPS compliance as they deal with information protected by federal government rules. Application developers who need to test their software for government computers must ensure that they perform their testing on FIPS compliant computers. Other organizations most likely need not worry about FIPS compliance.

Though FIPS 140-2 defines four levels of security, it doesn’t specify which level of security is required for a specific application.

At Comodo, we understand the difficulties associated with FIPS compliance and we will provide the necessary guidance to ensure that you achieve the needed compliance.

How Windows System Behaves with FIPS Compliance being Enabled

In order to mainly adhere to the Federal Information Processing Standards (FIPS) recommendations of the US Federal government, Microsoft had earlier recommended a setting of “Enabled” for FIPS mode, and that too only if it was absolutely necessary; however, it is now leaving the decision to customers by updating the recommendation to “Not Defined”.

Enabling FIPS mode restricts Windows and its subsystems to use only FIPS-validated cryptographic algorithms. This is, in fact disadvantageous. If FIPS mode is enabled, the Schannel system component - the component that provides SSL and TLS to applications - disallows SSL 2.0 and 3.0 protocols as they do not meet FIPS standards. This prevents web browsers using Schannel from connecting to HTTPS web sites that use protocols older than TLS 1.0.

Another disadvantage is that enabling FIPS mode prevents the .NET Framework from allowing use of non-validated cryptography algorithms. This means that enabling FIPS mode will break the .NET applications that use advanced and more efficient cryptography algorithms. Or if not, it would force the .NET applications to use cryptography algorithms that are much less efficient and slower.

FIPS Compliance Encryption Issues

In the .NET framework, three different versions of the SHA256 hashing algorithm, each having different security levels and speed are available. The fastest one among them has not yet been submitted for validation. However, it is believed that it is as secure. Enabling FIPS mode in systems with Microsoft OS will break the .NET applications as they probably use latest cryptography algorithms that are more efficient. And, if the .NET applications must necessarily work then a slower, much less efficient cryptography algorithm must be used.

FIPS Compliance Security Levels

There are only four levels of security as defined by the FIPS 140-2.

  • Security Level 1: Provides low level of security where just the basic security requirements are specified for a cryptographic module. A cryptographic module’s software and firmware components can be executed on a normal computing system that does not have a valuated operating system. This security level is useful when hardware-based mechanisms are more expensive for that system, and cryptographic software would be sufficient for security. In this scenario, network security, physical security and other administrative security measures may not be feasible or necessary. Example: A PC encryption board.

  • Security Level 2: This improves the physical security mechanisms of a Security Level 1 cryptographic module. It necessitates the need for physical tamper-evidence such as tamper-evident coatings, seals, and pick-resistant locks on removable covers or doors of a cryptographic module. The plaintext cryptographic keys and critical security parameters (CSPs) can be accessed only by breaking the seal. The cryptographic module will allow only authorized operators (after authentication) to open the seals and access the keys.

  • Security Level 3: This level offers much more security than Level 2. This prevents unauthorized access to CSPs within the cryptographic module. The physical security mechanisms are more sensitive than Level 2 and are better at detecting and responding to unauthorized physical access attempts or modification of the cryptographic module. The security measures may include stronger enclosures, as well as tamper-detection/response circuitry that nullifies the plaintext CSPs whenever the doors of the cryptographic module are opened without authorization.

  • Security Level 4: This offers the highest security level, where the physical security mechanisms provide total enveloping protection around the cryptographic module, with the capacity to detect and respond to all unauthorized physical access attempts. Detection of penetration leads to immediate deletion of all plaintext CSPs.

Attackers may attempt to compromise the security of cryptographic modules by modifying the environmental conditions. The typical voltage and temperature are modified to attempt intrusion, and access the CSPs. Special environmental protection features must be able to detect such unauthorized attempts and delete the CSPs so as to prevent sensitive data access.

Our product can help you with FIPS compliance issues and can also keep away SSL sniffing. Our product offers level-four protection and ensures that you are compliant. Contact Comodo to learn more about FIPS compliance.