FIPS PUB 140-2: Security Requirements for Cryptographic Modules
5 hours 58 minutes
Welcome back to CyberRays. It's of course I'm your instructor, Brad Roads. Let's jump in to Phipps. 1 40. Tattoo, cryptography. And so, Phipps. The word stands for federal information processing, Sanders. And you might say,
Well, Brad, that's not in this special pub. Well, it hasn't become a special pup yet, but will eventually. The fifth standards were actually created of initially by the National Security Agency in the United States, and they were handed off to Ernest. So what we're gonna talk about in this video, we're gonna talk about security levels that come right out of Phipps. We're gonna talk about crypto module interfaces, which are
super important. Member. We talked about those external and internal interfaces previously in the S E processes. Well, guess what.
This gets really important. We're gonna talk about roles. We see. I'm gonna talk about the types of operator authentication as it relates to crypto.
So for security levels,
when it comes to cryptography, as specified in 51 40 tech to one, I don't need any authentication. That's great, right? I can use commercial capabilities to build my crypto modules. Pretty straightforward, right? Enroll to I'm gonna do roll based authentication. That means
you know, the user has a role. Maybe there. Ah, kee Loader. Maybe they're an operator. Whatever the case may be,
right. And now we have to introduce things like evidence tampering and audit capabilities.
Identity based access control. Now, I need to have some way to identify who is logging in and using the cryptographic device, right? I mean, oh, now we have something called zero ization. Which means can I clear out the memory of the cryptographic device, right? S so that it cannot be, you know, downloaded by somebody external
on then. Of course, we have security level four, which is now identity based authentication. But now we're need to do at a minimum evaluation assurance level e a level four in the common criteria. And then we also need thio. Make sure that we're not gonna have environmental failures. So each of these security levels and if you remember anything about the security levels related to crypto,
they build on each other. So when I go from 1 to 2,
I could use commercial, right? I'm gonna have to have ever Manella at evidence of tampering, right? If I go to a level three. I've got to have ceiling. I've got to have evidence of tampering. And now I'm civilization capable, etcetera. Right. So just keep that in mind that each of these is a build
crypto module interfaces. We have
data input, data output. Right. So that's how we put data into a module. And that's how we get data out. Right? So I think we're gonna put in the keys in right and information like that. Right? And the data output could be the cipher text that comes out of the module. Then we have the control input, the control input. It's pretty straightforward. Thes air the command signals.
How do I tell the module, the crypto module? What to do,
Right. And then the last one is the status output. Right? And that's where we look at the indicators. How is the module performing? Is it working right? Is it provided you get said it, does it give me an error? Right. So those are the interfaces you will see with crypto modules.
We have three primary roles, and we deal with crypto. We've got a user role. And so those are people that use the crypto module,
right? And when we were talking crypto modules here. Right. Um, we're thinking about, like, some of the physical crypto modules, right? We also see cryptography done digitally and electronically, just like we're talking about here, right? And the same kinds of things applying. We we we you don't don't think that we're not going to see these roles with, you know, digital
online cryptographic capabilities.
So we have user roles. Most of us have done this user role, if you've ever I don't know, bought something from une commerce website. And yet you looked up in the left hand side of the screen there, and you saw the lock. Well, guess what? You're a user role. The crypto officer role is somebody that manages the cryptographic keys.
Right? So and and anything associated with that, and then we have a maintenance role. We're thinking about physical cryptography. Cryptography devices, right. The maintenance roll. These air specially certified folks, you know, cracking open a cryptographic device. And you know, physical cryptographic device, right?
Usually is something that has got need, specialized skills
and certification, because potentially looking inside the device could give away how the device works. And so those folks are going to be specially certified.
And then we have two types of operator authentication. We have role based and identity based. So role based is really simple. I say that you're a ah, device operator, and that's your role. And you're going to say when you log in to, say, a physical cryptographic device, you're gonna be able to say, Hey, um, I am a user
and it allows you certain things you can do
Identity based, obviously, is a much higher evaluation assurance level and identity based one. I now have to prove akin toa I triple A that I should be accessing this cryptographic device, and that could be done the multiple ways right. But you're establishing your identity from an operator perspective.
So in this lesson, specifically talking about 51 40 Tech to we talked about the different security levels and that there are built. We talked about the different kinds of interfaces we find. We talked about roles within the physical cryptography space, and we talked about operator authentication. Whether it is ah, role based or identity based,
we'll see you next time in our module summary