kalshecyraut

What is FIPS 140-2 and how does it effect you?

Discussion created by kalshecyraut on Apr 13, 2018

I wanted to start a discussion today to inform about FIPS 140-2 and to see if it is affecting those working with Blackfin Processors.

 

So, what is FIPS 140-2?

 

In ancient times couriers used to carry important documents containing stratagem and details about military movements and goals between front-line commanders and their king/emperor/ruler. It was soon realized, by opposing factions, that if you could catch these couriers in route you could learn what your opponent was up to and use it to thwart or deter their efforts. To that end it became necessary to come up with a solution where if your communications were intercepted, your opponents wouldn't be able to read it. So was born cryptography. The practice of encoding a message in such a way that it was not easily decoded unless you had advanced knowledge of the method used to "confuse" the original message.

 

As time went on and with the advent of computers old encryption methods became obsolete and more sophisticated techniques took their place. Today there are countless hours spent trying to break the latest encryption standards and sometimes there are successes. Some of these successes can be attributed to poor implementation of the encryption method, others are due to the mathematical design itself breaking down. So how do you know if the encryption you are using is safe? A need arose for a governing body that would identify STRONG algorithms vs. WEAK ones and approve them for use in government communications. Such a governing body would also be responsible for ensuring that any approved algorithm was rigorously tested for correctness of implementation and free of exploitable weaknesses. So was born the National Institute of Standards and Technology (NIST).

 

NIST rigorously stresses cryptographic solutions to see how the encryption behaves and if it has been implemented correctly. If an implementation passes all the tests and requirements it receives a stamp of approval referred to as the "Federal Information Processing Standards" (FIPS) validation. Only once such a validation has been received can that module or software then be used by the federal government for transporting communications and other sensitive data.


At this point in my rant you might find yourself asking: "Who really cares anyway, what does any of this have to do with me?".

 

If you are creating a product that consumes crypto and it has a potential for use by a government agency or employee chances are high that it will have to be FIPS validated before it can be sold to or used within the government. Furthermore, there are other entities starting to make FIPS validated crypto a requirement outside of the Federal government. To expand the market potential of your product or service it is worth understanding what FIPS is and why it is quickly gaining popularity in our ever-connected world where anything from your coffee pot to your car can send communications over the open internet.

 

wolfSSL has done FIPS validations on many devices, everything from a bare-metal IoS device that controls the amount of fluid delivered to a patient via intravenous IV to back end servers that service hundreds of thousands of client connections per day. wolfSSL has not yet validated on a Blackfin Processor though! If you are willing and think you might have a solution that would meet these criteria I would love to hear about your product and if there is a way wolfSSL can be of assistance to you! wolfSSL has a great relationship with our FIPS lab and has stream-lined the validation process. Where it can often take up to a year to get validated wolfSSL can cut that time to just 3 - 4 months with our industry leading FIPS expertise.

 

---------

 

As a closing thought it's worth mentioning that SSL/TLS consumes crypto and wolfSSL which had already implemented draft 18, 22, and 23 of TLS v1.3 has just finished implementing draft 28 as well! I would love to hear any thoughts on FIPS validated TLS 1.3 and if there has been any need or demand for that on a Blackfin Processor.

 

Thank you for taking the time out of your day to read this discussion. I look forward to your feedback!

Outcomes