
Thread: FIPS 140-2 Certified Encryption FAQ

  1. FIPS 140-2 Certified Encryption FAQ

    This is a general post to explain the FIPS 140-2 certified encryption support in RPM.

    Is FIPS 140-2 certified encryption support available?
    The FIPS certified encryption library is available for download along with Random Password Manager from the product's download section. Random Password Manager must be configured to use it. This can be accomplished by navigating to SETTINGS | ENCRYPTION SETTINGS and selecting the check box to "Use FIPS 140-2 software provider if available."

    Why would I want to use FIPS 140-2 certified encryption?
    FIPS 140-2 certified encryption may be required for installations in primarily government organizations which require the use of FIPS 140-2. The encryption code is the same if you are using the built-in encryption or the FIPS 140-2 certified encryption; the FIPS 140-2 method simply uses the encryption procedures in a manner which is compatible with the certification.

    Is FIPS 140-2 certified encryption more secure?
    The short answer is: no. FIPS 140-2 certified usage requires using a module which has been certified as a stand-alone module. In our case, we are using the Crypto++ library with the exact same cryptography code internally and in the certified module. In the built-in case, the code is compiled into our application (which is not a certified usage); in the certified case, the code is being used through a call to an external DLL (which has been certified). The certified usage case is slightly less secure, because it is susceptible to replacement of the external DLL, whereas changing the built-in cryptography would require modification to the application itself (which would invalidate the digital signature).

    How do I enable FIPS 140-2 certified encryption?
    First, you need to download and install the FIPS certified support library, which contains the add-on components necessary to support this mode (including the FIPS 140-2 certified Crypto++ module). Once this has been installed, you can simply select FIPS certified encryption from the Encryption Settings for stored passwords dialog. You can also require usage of the FIPS 140-2 provider (fail if not available) if you want; otherwise, the application will default to the identical, but not FIPS 140-2 certified, internal code if the certified provider is not available.

    What is the FIPS 140-2 certificate number for your module?
    The certification # is 819.
    The certification for the module can be found at:
    http://csrc.nist.gov/groups/STM/cmvp.../140crt819.pdf
    More information about FIPS 140-2 certification can be found at:
    http://csrc.nist.gov/cryptval/140-2.htm
    Last edited by Chris; 01-05-2009 at 11:44 AM. Reason: software is released
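
The FAQ above notes that the certified provider is an external DLL that can be replaced on disk, and that the provider can be required (fail if not available) instead of falling back to the built-in code. The sketch below is an added example, not Random Password Manager's code: it pins a SHA-256 of the module file and applies the require/fallback choice. The function names, the file name, the return values and the choice to treat a module that fails the pin as "not available" are assumptions.

```python
import hashlib
import hmac
import os
import tempfile

class ProviderUnavailable(Exception):
    """Raised when the certified provider is required but cannot be used."""

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def select_provider(module_path, pinned_sha256, use_fips=True, require_fips=False):
    """Return (provider, reason). Names and return values are hypothetical."""
    if not use_fips:
        return "built-in", "certified provider not selected"
    if not os.path.isfile(module_path):
        reason = "module not installed"
    elif not hmac.compare_digest(sha256_file(module_path), pinned_sha256.lower()):
        # Assumption: a module that fails the pin is treated as "not available".
        reason = "module hash does not match pinned value"
    else:
        return "fips-external", "module present and hash matches"
    if require_fips:
        raise ProviderUnavailable(reason)  # fail closed, no silent fallback
    return "built-in", reason              # caller should log the reason

def demo():
    """Constructed sample: a temp file stands in for the external module."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "provider_module.bin")  # hypothetical name
        with open(path, "wb") as f:
            f.write(b"constructed stand-in for the certified module")
        pinned = sha256_file(path)  # in practice, pinned at install time
        ok = select_provider(path, pinned)
        with open(path, "wb") as f:
            f.write(b"constructed stand-in for a replaced module")
        fallback = select_provider(path, pinned)
        try:
            select_provider(path, pinned, require_fips=True)
            strict = "loaded"
        except ProviderUnavailable as exc:
            strict = "refused: " + str(exc)
    return ok, fallback, strict

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A pinned hash only detects replacement at the moment of the check; verifying the module's digital signature at load time and restricting write access to its directory cover the remaining gap.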
