What is FIPS 140-2?
FIPS 140-2 is a U.S. government standard that defines security requirements for cryptographic modules used in federal systems. It establishes four security levels with increasing requirements for physical security, authentication, and tamper resistance.
Cryptographic Module Definition
According to the standard:
A cryptographic module shall be a set of hardware, software, firmware or some combination thereof that implements cryptographic functions or processes, including cryptographic algorithms and, optionally, key generation, and is contained within a defined cryptographic boundary.
In simpler terms: Any component (hardware, software, or hybrid) that performs encryption, decryption, or key management functions.
Security Levels Overview
FIPS 140-2 defines four progressive security levels, each building upon the previous level’s requirements:
Security Level 1: Basic Cryptographic Security
Purpose: Provides basic cryptographic protection with minimal physical security requirements.
Requirements:
- Implements approved cryptographic algorithms
- Can be software or hardware-based
- No physical security requirements
- Suitable for environments where physical access is controlled by other means
Use Cases: Software applications, basic encryption libraries
Security Level 2: Enhanced Physical Security
Purpose: Adds physical tamper-evidence to detect unauthorized access attempts.
Requirements:
- All Level 1 requirements, plus:
- Tamper-evidence mechanisms:
  - Tamper-evident coatings or seals
  - Pick-resistant locks on removable covers or doors
- Role-based authentication (authorization)
- Evidence of tampering must be detectable
Use Cases: Network appliances, secure tokens, smart cards
Security Level 3: Active Tamper Response
Purpose: Prevents access to critical security parameters through active detection and response.
Requirements:
- All Level 2 requirements, plus:
- Strong physical enclosures
- Tamper detection/response circuitry that automatically zeroizes (securely deletes) all plaintext critical security parameters when intrusion is detected
- Identity-based authentication required (not just role-based)
- Active protection against physical attacks
Use Cases: High-security network devices, payment processing systems
Security Level 4: Maximum Physical Security
Purpose: Highest level of security for operation in physically unprotected environments.
Requirements:
- All Level 3 requirements, plus:
- Complete physical protection envelope around the cryptographic module
- Detects and responds to ALL unauthorized physical access attempts
- Immediate zeroization of all plaintext critical security parameters upon any intrusion
- Environmental protection against temperature fluctuations and voltage variations
- Penetration testing resistance
Use Cases: Military systems, high-value financial transactions, classified environments
Key Concepts
Critical Security Parameters (CSPs)
- Cryptographic keys
- Authentication data
- Other security-related information that, if disclosed or modified, could compromise system security
Zeroization
- Secure deletion method that overwrites sensitive data multiple times
- Ensures that deleted cryptographic material cannot be recovered
- Required response to tamper detection in Levels 3 and 4
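To make the Level 3/4 tamper-response requirement and the zeroization concept concrete, here is an added C example (not code from the standard or from any validated module): a hypothetical CSP store, a zeroize routine that calls the wipe through a volatile function pointer so the compiler cannot discard it as a dead store, and a tamper handler that clears every plaintext CSP and moves the module into an error state. The struct fields, function names and sample key bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example: the plaintext CSPs a module keeps inside its
 * cryptographic boundary (hypothetical field names, not from the standard). */
typedef struct {
    uint8_t aes_key[32];
    uint8_t hmac_key[32];
    uint8_t operator_pin[8];
} csp_store_t;

typedef enum { MODULE_OPERATIONAL = 0, MODULE_ERROR = 1 } module_state_t;

/* The wipe is called through a volatile function pointer so the compiler
 * cannot treat it as a dead store and remove it (the classic memset pitfall). */
static void *(*const volatile memset_v)(void *, int, size_t) = memset;

static void zeroize(void *p, size_t n) { memset_v(p, 0, n); }

/* Tamper response (Levels 3 and 4): clear every plaintext CSP, then enter the
 * error state so the module refuses further cryptographic service. */
static module_state_t on_tamper_detected(csp_store_t *csps)
{
    zeroize(csps->aes_key, sizeof csps->aes_key);
    zeroize(csps->hmac_key, sizeof csps->hmac_key);
    zeroize(csps->operator_pin, sizeof csps->operator_pin);
    return MODULE_ERROR;
}

/* Returns 1 when every byte of the store is zero (all-uint8_t struct, no padding). */
static int csps_are_zero(const csp_store_t *csps)
{
    const uint8_t *b = (const uint8_t *)csps;
    uint8_t acc = 0;
    for (size_t i = 0; i < sizeof *csps; i++) acc |= b[i];
    return acc == 0;
}

/* Drill: load constructed key bytes, simulate an intrusion, and return 1 only
 * if the module ended in MODULE_ERROR with no CSP bytes left behind. */
static int tamper_drill(void)
{
    csp_store_t s;
    memset(s.aes_key, 0xA5, sizeof s.aes_key);
    memset(s.hmac_key, 0x5A, sizeof s.hmac_key);
    memset(s.operator_pin, 0x31, sizeof s.operator_pin);
    if (csps_are_zero(&s)) return 0;           /* sanity: material really loaded */
    return on_tamper_detected(&s) == MODULE_ERROR && csps_are_zero(&s);
}
```

In a real module the handler would be driven by the tamper-detection circuitry and the error state would also block key import and output, which this sketch leaves out.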
Authentication vs. Authorization
- Authentication (Level 3+): Verifying the identity of a specific user
- Authorization (Level 2+): Verifying that a user has permission to perform specific actions
Practical Implications
For Developers
- Understand which FIPS level your application requires
- Use FIPS-validated cryptographic libraries when building for government systems
- Consider the operational environment when selecting security levels
For System Administrators
- FIPS compliance may be required for government contracts
- Higher levels require specialized hardware and operational procedures
- Regular auditing and validation may be necessary
Compliance Requirements
- Many U.S. government agencies require FIPS 140-2 validated cryptographic modules
- Some private sector industries (healthcare, finance) may also require FIPS compliance
- Validation is performed by accredited testing laboratories
Quick Reference
| Level | Physical Security | Authentication | Key Protection | Use Case |
|---|---|---|---|---|
| 1 | None required | Not specified | Software protection | General applications |
| 2 | Tamper-evident | Role-based | Enhanced software | Network devices |
| 3 | Tamper-responsive | Identity-based | Active zeroization | Secure systems |
| 4 | Complete envelope | Identity-based | Immediate zeroization | Military/classified |