Encryption is key to keeping sensitive data protected. However, there are a number of algorithms available as well as varying capabilities for providing encryption. As a result, it is inevitably challenging to know which algorithm and security standard to use. To establish standards vendors can rely on, the U.S. government and its National Institute of Standards (NIST) has established FIPS 140-2. FIPS 140-2 defines the critical security parameters vendors must use for encryption before selling into the U.S government.
What is FIPS 140-2?
Federal Information Processing Standards (FIPS) 140-2 is a U.S. government standard used to approve cryptography modules. Cybersecurity companies looking to sell into regulated industries implement these standards. Accredited third-party labs validate the actual implementations of these algorithms.
As the FIPS 140-2 standard has grown in popularity, it has been adopted by other organizations and governments as well. These many organizations see FIPS 140-2 as the certification to prove the functionality and effectiveness of the cryptography modules they implement.
FIPS 140-2 is required when working with the United States Government
The Federal Information Security Management Act (FISMA) dictates that U.S. government agencies must use FIPS 140-2 validated cryptography modules. U.S. government contractors and third parties working for federal agencies are also required to use FIPS 140-2. Since FIPS 140-2 sets a high security benchmark, other industries such as healthcare and finance are also adopting the standard for securing their sensitive data.
FIPS 140-2 cryptography requirements and validation process
FIPS 140-2 requires that any hardware or software cryptographic module implements algorithms from an approved list. The FIPS validated algorithms cover symmetric and asymmetric encryption techniques as well as use of hash standards and message authentication. If a cryptographic module does use algorithms from the NIST FIPS list, the module cannot be considered for validation.
FIPS 140-2 validation process often takes years. However, the first step to ensuring validation is to use algorithms for FIPS compliance from the approved list. A full list of algorithms that can be considered for validation is available here.
PreVeil supplements FIPS 140-2 algorithms with community-approved algorithms
For PreVeil, adopting FIPS 140-2 compliant algorithms has required us to supplement our encryption schemes. We have updated the algorithms for both our asymmetric as well as our symmetric encryption algorithms. We have replaced XSalsa-20 with AES-256 for our symmetric encryption algorithm. Additionally, we have also implemented Curve P-256 into our asymmetric cryptography.
There is a lot of community discussion regarding the protection P-256 provides. In particular, some in the security field are concerned that Curve P-256 is weaker than the Curve-25519 algorithm currently used by PreVeil. Unfortunately, Curve P-25519 is not on the FIPS 140-2 approved list.
To satisfy the community as well as ensure the peace of mind Curve 25519 provides, PreVeil has implemented both Curve P-256 and Curve-25519 algorithms. As a result, all asymmetric cryptography in PreVeil’s platform is protected by both instead of one or the other.
The implementation of the FIPS 140-2 standards has not changed how PreVeil implements encryption. We continue to use the gold standard of end-to-end encryption for securing emails and files. This standard ensures that only the sender and recipient(s) can ever see the data. Servers storing the data or networks transmitting the data can never read the encrypted data.
Implementing the NIST approved encryption algorithms allows regulated industries and government agencies to be confident in adopting PreVeil for securing their sensitive data. PreVeil’s compliance with FIPS 140-2 is the first important step in our FIPS journey.