Federal Information Processing Standard (FIPS PUB 140-2)
Difficulty
Intermediate
Video Transcription
We've talked about how encryption is an essential strategy for protecting data in Cloud environments. But how can you be sure that the hardware and software used to enforce these encryption schemes is in itself secure? Well, that's really where the FIPS 140-2 standard comes in. In this lesson, we're going to talk about the FIPS standard and its role in encryption, the different levels of the FIPS standard, as well as the process for having a piece of hardware or software meet the 140-2 standard.

The FIPS 140-2 standard is really the standard set by the US government for approving cryptographic modules. Cryptography is the study of rendering information unreadable if intercepted by an adversary. The algorithms that are developed in cryptography are used to enforce encryption and encrypt data. FIPS has a distinction here between systems that are FIPS compliant versus those that are FIPS validated. A system that's compliant may meet the level 1-4 scheme, but a validated system is one that's actually been tested.
FIPS 140-2 level 1 provides the lowest level of security. No specific physical security mechanisms are required in security level 1 cryptographic modules beyond the basic requirements for production-grade components.
Level 2, on the other hand, improves upon the physical security mechanisms of the first level, because the cryptographic module requires features that show evidence of tampering, meaning something shows up if someone attempted to manipulate or mess with the integrity of the device. Security level 3 attempts to prevent an intruder from gaining access to the critical security parameters held within the cryptographic module. Level 4 takes it, of course, a level further and provides the highest level of security. At this security level, the physical security mechanisms provide a complete envelope of protection around the cryptographic module, and the intent is to detect and respond to any unauthorized attempts at physical access. Penetration of the cryptographic module enclosure from any direction has a high probability of being detected and results in the immediate deletion of the plaintext.

Quick question: which FIPS 140-2 level prevents intruders from accessing the CSP, but does not delete the CSP upon detecting a penetration? Level 2, level 3 or level 4? If you said level 3, you're correct. Level 2 shows a certain degree of tampering; it detects tampering. Level 4, upon detection of a penetration or intrusion, deletes the clear text within the cryptographic module.

We talked about the FIPS standard, about how it really sets the US government standard for approving cryptographic modules. We talked about the difference between devices being compliant versus validated. We talked about the four different levels. Now, by insisting on or following up on this standard, you can really identify whether there are potential risks in terms of the strength of the security of your underlying hardware or software used to enforce encryption in your Cloud environments. See you in the next lesson.