slide1 l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Mind the Gap: Updating FIPS 140 PowerPoint Presentation
Download Presentation
Mind the Gap: Updating FIPS 140

Loading in 2 Seconds...

play fullscreen
1 / 15

Mind the Gap: Updating FIPS 140 - PowerPoint PPT Presentation


  • 198 Views
  • Uploaded on

Mind the Gap: Updating FIPS 140. Steve Weingart Futurex 864 Old Boerne Rd. Bulverde, TX 78163 weingart@futurex.com Steve R. White IBM Thomas J. Watson Research Center P.O. Box 704 Yorktown Heights, NY 10598 srwhite@watson.ibm.com. Outline. History FED Standard 1027 FIPS 140 – 1

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Mind the Gap: Updating FIPS 140' - riona


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1

Mind the Gap: Updating FIPS 140

Steve Weingart

Futurex

864 Old Boerne Rd.

Bulverde, TX 78163

weingart@futurex.com

Steve R. White

IBM Thomas J. Watson Research Center

P.O. Box 704

Yorktown Heights, NY 10598

srwhite@watson.ibm.com

outline
Outline
  • History
    • FED Standard 1027
    • FIPS 140 – 1
  • Levels
    • Changes in Technology
    • Changes in Standards and the Environment
  • Proposal: Level 3.5
  • Discussion/Questions
history
History
  • Federal Standard 1027 was primarily a hardware standard for line encryption devices using single DES
  • NIST developed FIPS 140 as a replacement
    • It is more generalized.
    • It accepts both hardware and software implementations
    • It has the 11 criteria that cover the complete design
  • During the development of FIPS 140 a level based system was proposed and accepted
  • FIPS 140-1 was made official in 1994
    • It became widely accepted
  • FIPS 140-2, the first update, was made official in 2001
history cont
History (cont)
  • Things have changed
    • Both attack and defense technologies have improved
    • Industry needs & requirements have changed
    • The standard, and its applicability, evolves
slide7

Changes

  • Attack Technologies have developed
    • The Internet has become a forum for development
    • Script Kiddies can obtain and try many software attacks beyond their skill level
    • Expensive tools that were difficult to obtain are now available
      • SEM
      • FIB
      • NC Machining
  • Defense technologies have held up, mostly
    • Not a great deal of new development
    • That is mostly OK, since the higher levels have held
changes cont
The customer population has become larger and more sophisticated

Banking and Financial

USPS

In General FIPS 140 has become accepted ‘Due Diligence’for commercial cryptographic devices

This has spotlighted some need for change in the standard

Changes (cont)
the gap
The Gap
  • FIPS 140 has 4 levels
    • These 4 levels correspond roughly to levels 1, 2, 3 & 6 from the originally proposed system
  • So, there is a large gap between level 3 and level 4
  • A typical level 3 device can cracked in a few hours by anyone with reasonable skills
  • No level 4 device has been cracked publicly
  • But, the level 4 requirements are so difficult that there are almost no level 4 devices
slide11

The Gap

  • There are 179 level 1 validations, 247 level 2 validations, 120 level 3 validations & 11 level 4 validations (557 total)
  • Of the level 4 devices, about half are unique, the rest are delta/re-validations.
  • Level 4 is too difficult develop, and too expensive to manufacture for most vendors
  • But industry requirements need more than level 3
  • USPS and ANSI both require tamper detection, UPSP requires EFT/EFP
  • We need something new
the proposal
The Proposal
  • Level 3.5
    • Essentially level 3 plus:
    • Tamper detection required
      • 1 – 1.25 mm max undetected hole
      • Same as level 4 for single chip
    • EFT/EFP
    • Informal modeling
slide13

The Advantages

  • Meet new & emerging requirements for security that is stronger than level 3
  • Avoid the most difficult requirements of level 4:
    • Formal modeling
    • Any/All tamper detection envelope
  • This level of security is reasonable to develop and manufacture
thank you
Thank You!

Steve Weingart

weingart@futurex.com

Steve R. White

srwhite@watson.ibm.com