Swapneela Unkule, atsec information security.
Customers interested in using FIPS 140-2 validated modules refer to the module validation list. It is often observed that, when selecting a product, FIPS certification is treated as an item on a checklist, and the customer is unaware of the distinctions between products from the point of view of the FIPS standard, rating all validated modules at the same level. This presentation aims to explain the significance of each field listed on the FIPS certificate. Even among validated modules, it is necessary to understand the differences based on security and section levels, caveats present, operational environment used, etc. Some examples:
1) Two software modules validated at level 1, where one has a caveat of “No assurance of generated keys” and the other has no caveat, are very different in terms of the security provided.
2) Of two hardware modules validated at level 2, the one that has its physical security validated at level 3 carries more weight.
This presentation will also suggest some directions for customers to incorporate the validated module in their product. Some examples:
1) Referring to the User Guidance to correctly operate the module
2) Understanding the categorization of the algorithms (allowed/non-compliant/non-approved)
3) Option of contacting the module vendor to perform a 1SUB to cover an additional platform.
Understanding the significance of the different fields on the certificate will enable customers to make the appropriate choice to fulfill their needs.