Is your Web site FIPS compliant?

SECURITY ADVISER

FIPS compliance can be the key to working smoothly with servers and clients both in and out of government service

By Roger A. Grimes
February 15, 2008

Talkback

E-mail

Printer Friendly

Reprints

I’ve been involved in a lot of FIPS-compliance Web site testing lately. I’m a crypto hobbyist, not a crypto expert, so I hesitate to write about it, but I’ll explain the basics as well as I understand them. Crypto experts, please write in if I messed up something important.

[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]

FIPS stands for the Federal Information Processing Standard, essentially a series of standards and mandates for U.S. government agencies and supporting contractors. In many cases, if your product or service is not FIPS compliant/certified, the government can’t use it. The FIPS documents are so respected that many other countries mandate them as well or have incorporated the bulk of their guidance into international standards.

There are many FIPS mandates, but the public pronouncements most Web site administrators care about is FIPS 140, which approves various cryptographic ciphers for hashing, signature, key exchange, and encryption purposes. FIPS 140-1 was approved in January 1994 and included the 64-/56-bit Data Encryption Standard (DES), which has since been removed as supported cipher. FIPS 140-2 was released in May 2001 and includes all the current approved ciphers, including the ones listed below:

Symmetric ciphers
AES
3DES
Skipjack/KEA (EES)

Asymmetric Key-Signature
DSA
RSA
ECDSA
MAC
3DES

Hashes
SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512

(Taken from "Annex A: Approved Security Functions for FIPS PUB 140-2, Security Requirements for Cryptographic Modules")

It surprises many people to learn that Triple-DES (3DES) is still FIPS compliant; it is and will be for many more years. FIPS 140-3, the latest version, is currently under review and should be approved in 2009. Windows XP (RTM to SP2) is FIPS 140-1 certified. Windows Server 2003 and later, Vista, and Windows Server 2008, are FIPS 140-2 certified. The original ciphers supported in Windows XP were grandfathered to FIPS 140-2. A few ciphers were added or updated in Windows XP SP3, so XP SP3 has to be recertified, even though the ciphers are the same ones approved in Vista and Windows Server 2008. You can read the current status of any FIPS-certified product by going to this Web site; just search on your vendor’s name.

Roger A. Grimes is contributing editor of the InfoWorld Test Center. He also writes the Security Adviser blog and the Security Adviser column.

Continued
1 | 2 | NEXT PAGE »

Add to:

Digg

Talkback:

comment Post a Comment

MOST COMMENTS

XP SP3 cripples some PCs with endless reboots

OpenOffice.org beta fails the Office 2007 test

Microsoft faults OEMs for some XP SP3 endless reboots

Apple slammed on climate change

>> Talkback: Have your say

Virtualization: A Step by Step Approach to Success
Your virtual machines can be up and running in a matter of minutes. HP and Citrix have integrated XenServer with HP ProLiant servers and management tools, powered by hardware-assisted Intel Virtualization Technology to enable high- performance, cost-savings solutions for server consolidation and disaster recovery. Sponsor: HP

» Click here to view this Webcast

The Data Protection You've Been Looking For
Enterprise data is of supreme importance. If you can't find it quickly, it's worthless. If you lose it, it's a crisis. This IT Strategy Guide explores how to keep your data safe.

» Click here to download now

- Special Advertising Partners -

WHITE PAPERS

It Really Is Easy to be Green - "Green IT" is a popular concept. And IT organizations are learning the influence that IT purchase decisions have on data...
Key Strategies For SOA Testing - SOA requires a unique approach to testing. Unless you're willing to reorient your testing procedures and technology now,...
Eliminate Botnet Security Risks - Botnets are widely regarded as the top threat to network security. This Whitepaper explains how botnets have traditionally...
Zero Day Protection For Your Network - Zero day attacks are a growing threat because they pass undetected through conventional signature-based defenses. Rather...
The Missing Piece of Virtualization - Server virtualization saves money and increases flexibility. But, challenges exist as I/O-intensive applications like databases...
Prevent Your Next Microsoft Exchange Outage - E-mail is mission critical, so why only back up data and not the entire e-mail infrastructure? Continuous application protection...

» Technology White Papers Library

Technology White Papers by Topic

Technology White Papers E-mail Alert

Find out when the latest white paper is available:

INFOWORLD MARKETPLACE

Deliver REMOTE SUPPORT Easily. Try WebEx FREE! - DOWNLOAD WEBEX SUPPORT CENTER FREE! Deliver efficient, effective support. CRUSH SUPPORT LOG JAMS!
Migrating to an IP-VPN? XO Can Make It Happen - Learn the five critical success factors with a free whitepaper from XO Enterprise Solutions.
Sign up to TRY WEBEX SUPPORT CENTER FOR FREE! - Get your FULL FEATURED trial here. Share documents and applications, address support challenges.
IP Networks Boost Secure Health Communications - AT&T provides secure communication to keep health care moving forward.
Why a CMDB? - IT best practices (ITIL) have shown the benefits of a CMDB. Click for whitepapers.

» BUY A LINK NOW

Is your Web site FIPS compliant?

MOST COMMENTS

» Technology White Papers Library

Technology White Papers by Topic

Technology White Papers E-mail Alert

Video

Podcasts

InfoWorld Blogs

Columnists

Find Products and Companies

Resource Center

Sponsored Technology Links

Sponsored Technology Links
Qwest - Learn how Qwest voice and data solutions can save you time. MKS - The Power of UNIX/Linux on Windows with MKS Toolkit CA - Manage your IT more effectively. Efficient - Flexible - Compliant CA - Plan better, manage better. Vision Solutions - Is your smaller organization ready for High Availability? Vision Solutions - Is system maintenance doing more harm than good? HP - NEW HP LaserJet P4014n printer Starting at $699 after $100 IS. Rackspace - Fanatical Support Promise: Live Support 24x7x365 HP - HP LaserJet M3035 MFP series Starting at $1,599. SHOP NOW Collabnet - Virtual Test Lab Automation: Manage development infrastructure HP - StorageWorks All-in-One Storage Systems. hp.com/betterstorage HP - Improve Resource Utilization and Lower Operating Costs Ipswitch - WhatsUp Gold V12 - network management & monitoring for any size network. HP - Webcast: 5 Things You Need to Know About Storage Virtualization Xerox - Typhoon 8860: Enter to win a Xerox PhaserTM 8860 network color printer! BEA - Webcast: Dialing up Agility with Business Transformation Verisign - Protect Your Data with SSL HP - Speed, agility, flexibility - The HP BladeSystem c-Class. InterSystems - Development, integration, BPM, and BAM together in Ensemble Citrix - Need simple, low cost server virtualization? AMD - We're putting more and more of our energy into saving IT Xerox - Enter to win a Xerox Phaser(TM) 6180 network color printer! Mindreef - Key Strategies For SOA Testing		Citrix - Go green.Virtualize servers with Citrix XenServer(TM) - FREE Citrix - Instant server virtualization. Citrix XenServer(TM) - Free! HP - Virtualization: A Step by Step Approach to Success Microsoft - Tech-Ed 08\|Microsoft's largest tech conference\|June 08 in Orlando Neterion - The Missing Piece of Virtualization Seagate - Maxtor OneTouch(tm) 4 Mini backs up your PC on the go Box.net - Upgrade Your Classic Collaboration Tools Overland Security - The Data Protection You've Been Looking For Lefthand Networks - Free White Paper on Matching Server & Storage Virtualization Vkernel - Resolve Capacity Bottlenecks and Enhance Your Virtual Environment Tripwire - Secure your virtual and physical environments with the same software. Crosscheck Networks - Accelerate Your SOA Projects Nokia - Restore Your Mobile Devices With One Click Oracle - The Power of Two with SOA and BPM Microsoft - Microsoft Forefront security products for business. Learn more. Oracle - Fueling the Responsive Enterprise Microsoft - Meet Windows Server 2008. The server unleashed. Microsoft - Tech-Ed 08\|Microsoft's largest tech conference\|June 08 in Orlando Microsoft - {Open Source} Heroes Happen Here Xerox - Enter to win a Xerox Phaser(TM) 6360 network color printer! Vizioncore - Vizioncore has solutions for virtually any virtual need.

	HOME NEWS BLOGS PODCASTS VIDEOS TECHNOLOGIES TEST CENTER EVENTS CAREERS IT EXEC-CONNECT	About \| Advertise \| Awards \| RSS \| Contact Us
Copyright © 2008, Reprints, Permissions, Licensing, IDG Network, Privacy Policy, Terms of Service. All Rights reserved. InfoWorld is a leading publisher of technology information and product reviews on topics including viruses, phishing, worms, firewalls, security, servers, storage, networking, wireless, databases, and web services. CIO :: ComputerWorld :: CSO :: Demo :: GamePro :: Games.net :: IDG Connect :: IDG World Expo Industry Standard :: IT World :: JavaWorld :: LinuxWorld :: MacUser :: Macworld :: Network World :: PC World :: Playlist