Thursday, April 9, 2009

FIPS 140

The Federal Information Processing Standard 140 (FIPS) is a series of publications numbered 140, which are U.S. government computer security standards that specify requirements for cryptography modules. As of December 2006, the current version of the standard is FIPS 140-2, issued on 25 May 2001.

The National Institute of Standards and Technology (NIST) issued the 140 Publication Series to coordinate the requirements and standards for cryptographic modules which include both hardware and software components for use by departments and agencies of the United States federal government. FIPS 140 does not purport to provide sufficient conditions to guarantee that a module conforming to its requirements is secure, still less that a system built using such modules is secure. The requirements cover not only the cryptographic modules themselves but also their documentation and (at the highest security level) some aspects of the comments contained in the source code.
User agencies desiring to implement cryptographic modules should confirm that the module they are using is covered by an existing validation certificate. FIPS 140-1 and FIPS 140-2 validation certificates specify the exact module name, hardware, software, firmware, and/or applet version numbers. For Levels 2 and higher, the operating platform upon which the validation is applicable is also listed. Vendors do not always maintain their baseline validations.
The Cryptographic Module Validation Program (CMVP) is operated jointly by the United States Government's National Institute of Standards and Technology (NIST) Computer Security Division and the Communications Security Establishment (CSE) of the Government of Canada. The use of validated cryptographic modules is required by the United States Government for all unclassified uses of cryptography. The Government of Canada also recommends the use of FIPS 140 validated cryptographic modules in unclassified applications of its departments.
-- Source: wiki

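Cryptographic algorithms and cryptographic modules are the source of information system security. Every security protocol or system is designed on top of cryptography, yet the correct implementation of cryptographic algorithms and modules is often overlooked. While IT vendors focus on perfecting the functionality of their products, they should pay more attention to the design, development, and maintenance processes for cryptographic algorithms and modules, as well as to security controls over third-party code. At the macro level, the three major attributes of an information security architecture (confidentiality, integrity, and availability) all depend on the security assurance provided by cryptographic algorithms and modules.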

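FIPS 140 is one of the most important standards for cryptographic module security requirements, and it is also the industry's yardstick for measuring cryptographic implementations. If an organization's information or data needs to be protected cryptographically, as at financial or government institutions, then the FIPS 140-2 standard applies. Product modules that have passed conformance evaluation and certification against the standard will meet these organizations' technical requirements for cryptographic systems. Today, the IT product procurement and tender requirements of many organizations worldwide call for products to satisfy FIPS 140-2.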

