Question:
Are SSL Certificates FIPS 140-2 compliant?
Short Answer:
Yes-ish.
But FIPS pertains more to the actual physical protection of the cryptographic modules that hold digital certificates. If a certificate authority such as Entrust or Comodo did not follow the guidelines set by FIPS 140-2, it would be out of business.
If you buy an EV Code Signing certificate, you will definitely get a FIPS 140-2 compliant certificate, because the certificate itself is installed on a single FIPS-accredited USB flash drive token.
More Information:
FIPS, the Federal Information Processing Standard, was created by the National Institute of Standards & Technology (NIST) to address security concerns about cryptographic modules and how they are managed. A module is hardware, software, firmware, or a combination of the three that implements some form of cryptographic function (encryption, hashing, message authentication, or key management). This pertains to how key pairs are created and how Certificate Authorities sign SSL, Code Signing, Client, Email, or IoT (Internet of Things) certificates.
FIPS 140-2 refers to the module that stores sensitive material such as SSL or Code Signing certificates, for example a token. When storing SSL, Code Signing or Client ID certificates, the FIPS standard also applies to the algorithms that module uses to create the key pair.
For example, when enrolling for a certificate the user chooses to store that certificate on a Rainbow 2032 USB token. That token is considered FIPS 140-2 compliant because an NVLAP-accredited Cryptographic and Security Testing (CST) laboratory performed conformance testing of the cryptographic module.
Once a cryptographic module passes the Security Requirements for Cryptographic Modules, the vendor of that module is issued a FIPS 140-2 Validation Certificate. Each certificate has a unique certificate number.
For more information on these Validation Certificates refer to http://csrc.nist.gov/groups/STM/cmvp/validation.html
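Before generating a key pair for an enrollment, a practitioner will want to confirm that the cryptographic module actually in use is the validated one. The check below is an added example, not part of the original post; it assumes an OpenSSL 3.x installation whose FIPS provider is the validated module, and parses the text printed by `openssl list -providers`. The embedded listing is constructed so the parser can be exercised without OpenSSL present.

```python
"""Check that key generation would run inside a FIPS-validated module.
Assumes OpenSSL 3.x with its FIPS provider (an assumption; the original
page names no particular module). Parses `openssl list -providers` output."""
import shutil
import subprocess
from typing import Dict, Optional

# Constructed sample of `openssl list -providers` output; the version
# strings are placeholders, not values taken from a real installation.
SAMPLE_LISTING = """Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.x
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.x
    status: active
"""

def parse_providers(listing: str) -> Dict[str, Dict[str, str]]:
    """Return {provider_id: {"name": ..., "version": ..., "status": ...}}."""
    providers: Dict[str, Dict[str, str]] = {}
    current = None
    for line in listing.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if not stripped or indent == 0:          # blank line or "Providers:" header
            continue
        if indent == 2:                          # provider identifier, e.g. "fips"
            current = stripped
            providers[current] = {}
        elif current is not None and ":" in stripped:   # "key: value" attribute
            key, _, value = stripped.partition(":")
            providers[current][key.strip()] = value.strip()
    return providers

def fips_provider_active(listing: str) -> bool:
    """True only if a provider identified as FIPS reports status active."""
    for pid, attrs in parse_providers(listing).items():
        if "fips" in (pid + " " + attrs.get("name", "")).lower():
            return attrs.get("status", "").lower() == "active"
    return False

def local_openssl_fips_active() -> Optional[bool]:
    """Run the real command; None means OpenSSL is not on PATH (cannot tell)."""
    if shutil.which("openssl") is None:
        return None
    out = subprocess.run(["openssl", "list", "-providers"],
                         capture_output=True, text=True)
    return fips_provider_active(out.stdout) if out.returncode == 0 else False
```

If `local_openssl_fips_active()` returns False, the key pair would be generated by the default (non-validated) provider, which is the situation a FIPS deployment policy is meant to prevent.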
There are four FIPS 140-2 security levels, ranging from the encryption modules used, to the actual physical security, to how FIPS is implemented.
Level 1:
Security Level 1 covers the basic security requirements: approved cryptographic modules and approved algorithms used for encryption, mostly at the software level.
Level 2:
Security Level 2 adds physical security monitoring mechanisms beyond Security Level 1: mechanisms that show evidence of tampering, such as tamper-evident coatings or seals that must be broken to gain physical access to the cryptographic module. An example of this would be the top of a Snapple bottle. If the top seal is already popped before you purchase it, the bottle has been tampered with, compromising the enjoyable drink inside.
Level 3:
Security Level 3 deals with even more physical security mechanisms, intended to have a high probability of detecting and responding to attempts at physical access, use or modification of the cryptographic module. These mechanisms may include strong enclosures and tamper-detection/response circuitry. If a security compromise is detected, the module's sensitive contents are deleted to ensure nothing is stolen.
Level 4:
Security Level 4 deals with literal acts of God: environmental conditions such as floods or voltage outages against which the cryptographic module must be protected. An attacker may use such environmental conditions to thwart the module's defenses. A cryptographic module is therefore required either to include special environmental protection features designed to detect fluctuations, or to undergo rigorous environmental failure testing that provides reasonable assurance the module will not be affected by fluctuations outside its normal operating range in a way that compromises security.
Posted by:
Dominic Rafael
Senior Lead IT Engineer