NIST Seeks Comments on Cryptography Standards Publication
by NIST PBA December 17, 2009
The National Institute of Standards and Technology (NIST) has released for public comment a new revision of one of its key computer security documents, a set of information processing standards governing the use of cryptographic modules by civilian federal agencies and government contractors.
The NIST document, the Revised Draft of Federal Information Processing Standards (FIPS) 140-3, updates the federal government's guiding document for testing and validation of cryptographic modules, which are computers' primary line of defense for confidential data. Each module receives a security level rating that depends on the amount of protection it provides. The revised draft of FIPS 140-3 will be available for public comment until March 11, 2010.
The Revised Draft reintroduces the notion of a cryptographic module made with "firmware" (software only a manufacturer can alter) and defines the security requirements for it.
It also removes the requirement that a manufacturer provide a formal model of the cryptographic module and the details of its operation in order for the module to attain the highest security level rating.
Requirements now exist at higher security levels for mitigating non-invasive attacks, which can find the keys to access a secure system not by analyzing encrypted data, but by measuring other operating characteristics, such as precise power consumption.
Any interested party is invited to comment on the Revised Draft.