The Federal Information Processing Standard 140 (FIPS) publications are a series numbered 140 that form a United States government computer security standard specifying requirements for cryptographic modules. As of 2006, the current version of the standard is FIPS 140-2, issued on 25 May 2001.
Purpose of FIPS 140
The National Institute of Standards and Technology (NIST) issued the 140 Publication Series to coordinate the requirements and standards for cryptographic modules which include both hardware and software components for use by departments and agencies of the United States federal government. FIPS 140 does not purport to provide sufficient conditions to guarantee that a module conforming to its requirements is secure, still less that a system built using such modules is secure. The requirements cover not only the cryptographic modules themselves but also their documentation and (at the highest security level) some aspects of the comments contained in the source code.
User agencies desiring to implement cryptographic modules should confirm that the module they are using is covered by an existing validation certificate. FIPS 140-1 and FIPS 140-2 validation certificates specify the exact module name, hardware, software, firmware, and/or applet version numbers. For Levels 2 and higher, the operating platform upon which the validation is applicable is also listed. Vendors do not always maintain their baseline validations.
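As an added illustration (not part of the original article and not an official CMVP tool), the coverage check described above can be written as an exact comparison of each deployed module against the fields a certificate lists. The record layout, host names, module name, versions and platforms are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    number: str            # placeholder id, not a real certificate number
    module_name: str
    versions: frozenset    # exact hardware/software/firmware versions validated
    level: int             # overall security level, 1 to 4
    platforms: frozenset = frozenset()  # listed for Levels 2 and higher


@dataclass(frozen=True)
class Deployed:
    host: str
    module_name: str
    version: str
    platform: str


def coverage_gaps(dep: Deployed, cert: Certificate) -> list:
    """Reasons the deployed module falls outside the certificate; [] means covered."""
    gaps = []
    if dep.module_name != cert.module_name:
        gaps.append("module name mismatch")
    # Exact match only: a patch release is a different, unvalidated version.
    if dep.version not in cert.versions:
        gaps.append("version not on certificate")
    # Per the text above, the operating platform is listed from Level 2 upward.
    if cert.level >= 2 and dep.platform not in cert.platforms:
        gaps.append("platform not on certificate")
    return gaps


def audit(inventory, cert):
    """Map each host to its list of gaps, keeping only hosts that are not covered."""
    return {d.host: g for d in inventory if (g := coverage_gaps(d, cert))}


# Constructed sample data (not taken from any real validation certificate).
CERT = Certificate("CERT-PLACEHOLDER", "Example Crypto Module",
                   frozenset({"2.0", "2.0.1"}), 2,
                   frozenset({"ExampleOS 5 (x86_64)"}))
INVENTORY = [
    Deployed("app01", "Example Crypto Module", "2.0.1", "ExampleOS 5 (x86_64)"),
    Deployed("app02", "Example Crypto Module", "2.0.2", "ExampleOS 5 (x86_64)"),
    Deployed("app03", "Example Crypto Module", "2.0", "ExampleOS 6 (arm64)"),
]

if __name__ == "__main__":
    for host, gaps in audit(INVENTORY, CERT).items():
        print(host, "NOT covered:", ", ".join(gaps))
```

A host running a vendor patch release (app02 here) drops out of coverage even though the module name is unchanged, which is the practical effect of vendors not always maintaining their baseline validations.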
The Cryptographic Module Validation Program (CMVP) is operated jointly by the United States Government's National Institute of Standards and Technology (NIST) Computer Security Division and the Communications Security Establishment (CSE) of the Government of Canada. The use of validated cryptographic modules is required by the United States Government for all unclassified uses of cryptography. The Government of Canada also recommends the use of FIPS 140 validated cryptographic modules in unclassified applications of its departments.
Security levels
FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4". It does not specify in detail what level of security is required by any particular application.
- Level 1, the lowest, imposes very limited requirements; loosely, all components must be "production-grade" and various egregious kinds of insecurity must be absent.
- Level 2 adds requirements for physical tamper-evidence and role-based authentication.
- Level 3 adds requirements for physical tamper-resistance (making it difficult for attackers to gain access to sensitive information contained in the module) and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module, and its other interfaces.
- Level 4 makes the physical security requirements more stringent, and requires robustness against environmental attacks.
Scope of requirements
FIPS 140 imposes requirements in 11 different areas:
- Cryptographic module specification (what must be documented)
- Cryptographic module parts and interfaces (what information flows in and out, and how it must be segregated)
- Roles, services and authentication (who can do what with the module, and how this is checked)
- Finite state model (documentation of the high-level states the module can be in, and how transitions occur)
- Physical security (tamper evidence and tamper resistance, and robustness against extreme environmental conditions)
- Operational environment (what sort of operating system the module uses and is used by)
- Cryptographic key management (generation, entry, output, storage and destruction of keys)
- Electromagnetic interference/electromagnetic compatibility
- Self-tests (what must be tested and when, and what must be done if a test fails)
- Design assurance (what documentation must be provided to demonstrate that the module has been well designed and implemented)
- Mitigation of other attacks (if a module is designed to mitigate against, say, TEMPEST attacks then its documentation must say how)
Brief history
FIPS 140-1, issued on 11 January 1994, was developed by a government and industry working group, composed of vendors and users of cryptographic equipment. The group identified the four "security levels" and eleven "requirement areas" listed above, and specified requirements for each area at each level.
FIPS 140-2, issued on 25 May 2001, takes account of changes in available technology and official standards since 1994, and of comments received from the vendor, tester, and user communities.
FIPS 140-3 is a new version of the standard which is currently under development.
FIPS 140-2 has been the main input document to the international standard ISO/IEC 19790:2006, Security requirements for cryptographic modules, issued on 1 March 2006.