FIPS PUB 140-2: Security Requirements for Cryptographic Modules

Time
5 hours 58 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Transcription
>> Welcome back to Cybrary. Yes, of course, I'm your instructor, Brad Rhodes. Let's jump into FIPS 140-2, Cryptography. FIPS, the word stands for Federal Information Processing Standards. You might say, well, Brad, that's not a NIST special pub. Well, it hasn't become a special pub yet, but it will eventually. The FIPS standards were actually created initially by the National Security Agency in the United States and they were handed off to NIST.

What are we going to talk about in this video? We're going to talk about security levels that come right out of the FIPS. We're going to talk about crypto module interfaces, which are super important. Remember, we talked about those external and internal interfaces previously and the SE processes. Well, guess what? This gets really important here. We're going to talk about roles we see and we're going to talk about the types of operator authentication as it relates to crypto.

Four security levels when it comes to cryptography as specified in FIPS 140-2. One, I don't need any authentication. That's great. I can use commercial capabilities to build my crypto modules. Pretty straightforward, right? In Level 2, I'm going to do role-based authentication. That means the user has a role, maybe they're a key holder, maybe they're an operator, whatever the case may be. Now we have to introduce things like evidence of tampering and audit capability. Identity-based access control. Now I need to have some way to identify who is logging in and using the cryptographic device. I mean oh, now we have something called zeroization, which means can I clear out the memory of the cryptographic device so that it cannot be downloaded by somebody externally? Then of course we have security Level 4, which is now identity-based authentication. But now we need to do, at a minimum, evaluation assurance level, EAL 4 in the Common Criteria. Then we also need to make sure that we're not going to have environmental failures.

Each of these security levels, and if you remember anything about the security levels related to crypto, they build on each other. When I go from one to two, I could use commercial. I'm going to have to have evidence of tampering. If I go to Level 3, I've got to have sealing, I've got to have evidence of tampering, and now I'm zeroization capable, etc. Just keep that in mind that each of these is a build.

Crypto module interfaces. We have data input, data output. That's how we put data into a module and that's how we get data out. Think we're going to put the keys in, and information like that, and the data output could be the ciphertext that comes out of the module. Then we have the control input. The control input is pretty straightforward. These are the command signals: how do I tell the crypto module what to do? Then the last one is the status output, and that's where we look at the indicators. How is the module performing? Is it working? Is it providing your status? Does it give me an error? Those are the interfaces you will see with crypto modules.

We have three primary roles when we deal with crypto. We've got a user role, and so those are people that use the crypto module. When we are talking crypto modules here, we're thinking about some of the physical crypto modules. We also see cryptography done digitally and electronically, just like we're talking about here, and the same kinds of things apply. Don't think that we're not going to see these roles with digital online cryptographic capabilities. We have user roles. Most of us have done this user role. If you've ever, [LAUGHTER] I don't know, bought something from an e-commerce website and you looked up in the left-hand side of the screen there and you saw the lock, well, guess what? You're a user role. The crypto officer role is somebody that manages the cryptographic keys and anything associated with that. Then we have a maintenance role. When we're thinking about physical cryptography devices, the maintenance roles, these are specially certified folks. Cracking open a cryptographic device, a physical cryptographic device, usually is something that needs specialized skills and certification because potentially looking inside the device could give away how the device works, and so those folks are going to be specially certified.

Then we have two types of operator authentication. We have role-based and identity-based. Role-based is really simple. I say that you're a device operator and that's your role, and when you log into, say, a physical cryptographic device, you're going to be able to say, hey, I am a user, and it allows you certain things you can do. Identity-based obviously is a much higher evaluation assurance level. Identity-based, I now have to prove, so we're back to IAAA, that I should be accessing this cryptographic device, and that can be done via multiple ways, but you're establishing your identity from an operator perspective.

In this lesson, specifically talking about FIPS 140-2, we've talked about the different security levels and how they're built, we've talked about the different kinds of interfaces we find, we've talked about roles within the physical cryptography space, and we've talked about operator authentication, whether it is role-based or identity-based. We'll see you next time in our module summary.