Questions tagged [fips]

Federal Information Processing Standards (FIPS) are a set of US government security standards.

99 questions
99 votes, 5 answers

What is the benefit of having FIPS hardware-level encryption on a drive when you can use Veracrypt instead?

The expensive one: https://www.dustinhome.se/product/5010873750/ironkey-basic-s1000 The cheap one: https://www.dustinhome.se/product/5010887912/datatraveler-100-g3 Over 14,000 SEK difference in price. Same company (Kingston). Same USB standard (3).…
Taeyang
28 votes, 1 answer

OpenSSL vs FIPS enabled OpenSSL

A deceptively simple question. How does OpenSSL compare to FIPS enabled OpenSSL? Is it any less secure? How do I tell? If I were concerned about security, not the NIST standard, is there any real benefit in adhering to FIPS 140-2 standard…
ILIV
15 votes, 4 answers

Question of importance of FIPS in security implementations

I am, by far, no security expert, but I have experience on the subject working in Java (JCA, JCE and JSSE). Anyway, recently there was a discussion about FIPS compliance. I looked into this and SUN's libraries are not FIPS compliant per se. Additionally,…
Jim
14 votes, 2 answers

Why should I choose SHA (such as SHA-512), instead of bcrypt or PBKDF2, for FIPS-compliance?

Due to regulation, my company needs to be FIPS-compliant. I was looking at the current list of FIPS-approved cryptographical methods and I notice that neither bcrypt nor PBKDF2 is in this list. Does that mean I should use salted SHA-512 for…
John Assymptoth
13 votes, 2 answers

Are TPM chips or the equivalent required for FIPS 140-2 security level 1 compliance?

A 'TPM chip' is: a secure cryptoprocessor that can store cryptographic keys that protect information. FIPS 140-2 requires a cryptographic module, which can be hardware, software, or both that have been certified. If I was using Bitlocker as a…
Mark Rogers
10 votes, 1 answer

TPM support with OpenSSL FIPS Object Module

How can I use a TPM chip along with the OpenSSL FIPS Object Module without modifying OpenSSL FIPS Object Module (to avoid Private Label certification)? Should we add an engine interface in OpenSSL module as well in OpenSSL FIPS Object Module?
user50392
10 votes, 2 answers

Is cloud hosting allowed for FIPS 140-2?

I am in the very early stages of making my application FIPS 140-2 compliant... so early in fact that I am not sure what level it has to be... just writing a preliminary recommendations document at this point. However, I am fairly certain that the…
TheCatWhisperer
8 votes, 3 answers

Are RADIUS and TACACS+ Ever Allowed in FIPS 140-2 Compliant Scenarios?

Are RADIUS and TACACS+ Ever Allowed in FIPS 140-2 Compliant Scenarios? I understand that RADIUS uses the MD5 hashing algorithm and I'm pretty sure TACACS+ does too, and I do not believe there is any implementation of either RADIUS or TACACS+ that…
Ryan Ries
8 votes, 1 answer

What needs to be encrypted for FIPS 140-2 compliance?

We're developing a Client/Server C# .NET application that needs to be FIPS compliant. I'm reading a lot about FIPS online, but am having a bit of difficulty determining the difference between the compliance of the encryption algorithm chosen, and what…
DTI-Matt
8 votes, 2 answers

Is BitLocker on a virtual machine still FIPS 140-2 compliant?

BitLocker can be used as a cryptographic module to fulfill FIPS 140-2 security level 1 compliance. In a common setup, USB thumb drives can be used to unlock drives encrypted by BitLocker on startup. What if the encrypted drive is on a virtual…
Mark Rogers
7 votes, 3 answers

Android and FIPS

I've recently been tasked with a research project to write a "secure messaging application" using "government approved protocols" (the government being the USA). I'm taking this to mean asymmetric encryption and government approved cryptographic…
Mark
6 votes, 2 answers

FIPS 140-2 Compliance vs Validation & Products vs. Modules vs. Ciphers

Some vendors appear to advertise their products as using "FIPS 140-2 compliant algorithms & ciphers". However, some of these products cannot be found on the NIST website that lists validated cryptographic modules. What does this really mean for…
Iszi
6 votes, 5 answers

Role vs Identity based authentication? What is the difference?

What is the difference between role-based authentication and identity-based authentication? If a system uses ONLY a password mechanism to authenticate operators (different PIN for Admin and User) it is said to use “identity” or “role-based”…
TonyTon
6 votes, 1 answer

FIPS 140-1 and FIPS 140-2

I tried googling for this info but it's not easily available because FIPS 140-1 is now really old. Does FIPS 140-2 automatically cover FIPS 140-1 - i.e. if a device (in my case an HSM - Hardware security Module) is FIPS 140-2 Level 1 Compliant -…
user93353
6 votes, 2 answers

A SW system constructed with Microsoft CNG can be FIPS 140-2 Level 2 Compliant?

We have to design and construct a system that signs files with sensible data, like evidences/proofs. The sign process is simple, basically calculate MD5 of the file content and encrypt the MD5 result with 3DES. The problem is primarily the key storage…
David Oliván