The Wayback Machine - https://web.archive.org/all/20041015003751/http://www.entrust.com:80/resources/fips1401.htm

FIPS 140-1 FAQ


  1. What is FIPS PUB 140-1?
  2. Why is it important?
  3. What does validation involve?
  4. Does validation apply to software on a PC?
  5. What value does validation offer?
  6. Which versions of Entrust have received FIPS 140-1 validation?
  7. How long does the validation process take?
  8. Which laboratory performed the validation of Entrust?
  9. Where can I find additional information on FIPS 140-1?

1. What is FIPS PUB 140-1?

"FIPS PUB" is an abbreviation for Federal Information Processing Standards Publication and "140-1" designates a standard entitled "Security Requirements for Cryptographic Modules". It was produced by the U.S. National Institute of Standards and Technology (NIST) to lay out general requirements for cryptographic modules within computer and telecommunication systems. A cryptographic module is defined as any combination of hardware, firmware, or software that implements cryptographic functions such as encryption, decryption, digital signatures, authentication techniques and random number generation. The FIPS PUB 140-1 security requirements cover 11 areas related to the design and implementation of a cryptomodule. Within most areas, a cryptomodule receives a security level rating (1-4, from lowest to highest), depending on what requirements are met.

2. Why is it important?

Information technology security professionals in the U.S. and Canadian Federal Governments, and industry, recognize that a cryptographic product can be securely used for protecting sensitive, unclassified information when the product is validated against the FIPS PUB 140-1 security requirements. Several organizations and agencies mandate that any new cryptographic product used to protect their information be validated to FIPS PUB 140-1. Both the U.S. (NIST) and Canadian (CSE) Federal Governments have adopted FIPS PUB 140-1. The "Applicability" section of FIPS 140-1 states that:

"This standard is applicable to all Federal agencies that use cryptographic-based security systems to protect unclassified information within computer and telecommunication systems (including voice systems) that are not subject to Section 2315 of Title 10, U.S. Code, or Section 3502(2) of Title 44, U.S. Code. This standard shall be used in designing, acquiring and implementing cryptographic-based security systems within computer and telecommunication systems (including voice systems), operated by a Federal agency or by a contractor of a Federal agency or other organization that processes information (using a computer or telecommunications system) on behalf of the Federal Government to accomplish a Federal function. Federal agencies which use cryptographic-based security systems for protecting classified information may use those systems for protecting unclassified information in lieu of systems that comply with this standard. Non-Federal government organizations are encouraged to adopt and use this standard when it provides the desired security for protecting valuable or sensitive information."

3. What does validation involve?

Validation testing for FIPS 140-1 falls under the Cryptographic Module Validation (CMV) Program, which is a program established by NIST and the Communications Security Establishment (CSE) of the Government of Canada. All of the tests under the CMV Program are handled by third-party laboratories that are accredited as Cryptographic Module Testing (CMT) laboratories by the National Voluntary Laboratory Accreditation Program (NVLAP). The vendor submits a sample of the product along with design documentation. The laboratory runs a series of tests on the product and examines the documentation to make sure it was designed according to the rules laid out in FIPS PUB 140-1. This process involves looking at the following aspects of the design:

  • Cryptographic Module Design and Documentation
  • Module Interfaces
  • Roles and Services
  • Finite State Machine Model
  • Physical Security
  • Software Security
  • Operating System Security
  • Cryptographic Key Management
  • Cryptographic Algorithms
  • Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC)
  • Self Tests

4. Does validation apply to software on a PC?

Yes. Validation applies to the cryptographic module as a whole. In the case of a PC running the Entrust cryptographic module program, the PC itself, the operating system, and the cryptographic software are all considered part of the module and are tested together.

5. What value does validation offer?

Because of the complex nature of cryptographic products, a user traditionally has little choice but to trust that the product is working as advertised and is actually protecting his or her data in a secure manner. Validation offers the comfort that an independent third party has examined the product in detail and ensured that it complies with strict security requirements.

6. Which versions of Entrust have received FIPS 140-1 validation?

Entrust is an early adopter of the standard. Entrust 1.9 was the first product ever validated; the official certificate was awarded on October 12th, 1995 at the National Information Systems Security Conference in Baltimore. At the time of writing, Entrust has 6 cryptographic modules listed on the validation list. The latest version of Entrust has been validated to Level 2. Entrust has made the commitment to maintain its FIPS 140-1 validation status on all future major releases.

7. How long does the validation process take?

Typically, a validation can take between 3 months and a year or more. This depends greatly on the nature of the product being evaluated (hardware, firmware or software, how complex, how many algorithms, what programming language, etc.).

8. Which laboratory performed the validation of Entrust?

The first validation was done by the Canadian Government's Communications Security Establishment (CSE) in Ottawa. All the others were performed by NVLAP DOMUS IT Security Laboratory, also in Ottawa.

9. Where can I find additional information on FIPS 140-1?

The FIPS 140-1 standard, the Derived Test Requirements and validation process details can be found on the NIST web site at: http://csrc.nist.gov/cryptval/.

Copyright 2004 Entrust. All rights reserved.