Original Press Release
NIST Requests Comments on Revised Draft of Cryptographic Module Standards
Press release date: December 16, 2009
The American National Standards Institute (ANSI) would like to inform all stakeholders that the National Institute of Standards and Technology (NIST) is requesting comments on one of its key computer security documents. The draft contains a set of information-processing standards that govern the use of cryptographic modules by civilian federal agencies and government contractors.
The Revised Draft of Federal Information Processing Standards (FIPS) 140-3 updates the federal government's guiding document for the testing and validation of cryptographic modules. As a computer's primary line of defense for confidential data, each cryptographic module receives a security-level rating that ranks the amount of protection it provides.
Comments will be accepted on the document until March 11, 2010.
The original cryptography standards document was created in 1995 and first updated in 2001. William Burr, group manager for the cryptographic technology group at NIST, explained that an update is needed because computing systems, the way they perform cryptography, and the attacks on confidential data have all evolved. The current draft for review incorporates improvements that were made to a previous draft, released in July 2007 for public comment. According to NIST, key changes to the latest draft include:
While the 2007 draft proposed five levels of security, the Revised Draft reverts to the four levels currently specified in FIPS 140-2.
The Revised Draft also reintroduces the notion of a cryptographic module made with "firmware" (software only a manufacturer can alter) and defines the security requirements for it.
The Revised Draft removes the requirement for a manufacturer to provide a formal model of the cryptographic module and the details of its operation in order for it to attain the highest security level rating.
Requirements now exist at higher security levels for mitigating non-invasive attacks, which can find the keys to access a secure system not by analyzing encrypted data, but by measuring other operating characteristics, such as precise power consumption.
For more information, including details on how to submit comments, see the NIST TechBeat announcement and visit http://csrc.nist.gov/news_events/index.html#dec11.