Just what is FIPS?
The U.S. Federal Information Processing Standard (FIPS), established by the U.S. National Institute of Standards and Technology (NIST), provides standards for the minimum encryption methods and strengths of cryptographic modules within computer, networking and telecommunications systems. These modules' functions include encryption and decryption of data, authentication of users' identities via digital signatures, management of private keys, and the handling and storage of personal identification information. FIPS specifies a dozen security areas that a module used inside a security system must satisfy, including physical security, software and operational security, module interfaces, electromagnetic interference, key management and others.
FIPS compliance is tested to ensure that a solution meets encryption strength requirements and also passes stringent tests that detect a variety of flaws, including back doors and hard-coded keys. Specifically, FIPS-validated data transmission must use hash functions and algorithms approved by FIPS 140-2 and be validated by the Cryptographic Module Validation Program (CMVP). Examples of approved algorithms include AES (Advanced Encryption Standard); Triple DES, which uses three keys for a total of 168-bit strength; and HMAC-SHA-1, a message authentication code that combines the SHA-1 cryptographic hash function with a secret key to authenticate messages.
It is important to note that many encryption algorithms in use are not acceptable. The original 56-bit DES is deemed too weak, the widely used MD5 hash contains known flaws, and CRC32 is a checksum that is not considered a true cryptographic standard at all. Given the stringent requirements and the periodic "raising of the bar", one must also keep the deployed hardware in mind to ensure it is up to the task.
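The two paragraphs above boil down to an allow-list: AES and Triple DES as bulk ciphers, SHA-based HMAC for authentication, and nothing else (no single DES, no MD5). The script below is an added example, not Citrix code or part of the original post, that audits an OpenSSL-style colon-separated cipher list against that allow-list and reports which suites an administrator would need to disable; the dash-separated suite naming convention and the constructed sample list are assumptions, not something the post states.

```python
"""Audit an OpenSSL-style cipher list against the FIPS 140-2 algorithm rules
given in the post: AES and Triple DES are approved bulk ciphers and SHA-based
HMAC is an approved MAC, while single DES and MD5 are not acceptable.
Anything not on the allow-list is rejected (deny by default)."""

APPROVED_BULK = {"AES", "3DES"}              # approved per the post
APPROVED_HASH = {"SHA", "SHA256", "SHA384"}  # SHA family only; MD5 never passes


def classify_suite(name: str) -> dict:
    """Return a verdict for one cipher-suite name such as 'DES-CBC3-SHA'."""
    tokens = name.upper().split("-")
    hash_alg = tokens[-1]                    # OpenSSL names end with the MAC hash
    if any(t.startswith("AES") for t in tokens):
        bulk = "AES"
    elif "DES" in tokens:
        bulk = "3DES" if "CBC3" in tokens else "DES"   # DES-CBC3 is Triple DES
    else:
        bulk = "NONE"                        # RC4, NULL, etc.: nothing approved
    reasons = []
    if bulk not in APPROVED_BULK:
        reasons.append(f"bulk cipher {bulk} is not FIPS-approved")
    if hash_alg not in APPROVED_HASH:
        reasons.append(f"hash/MAC {hash_alg} is not FIPS-approved")
    if "EXP" in tokens:
        reasons.append("export-grade key length")
    return {"suite": name, "bulk": bulk, "hash": hash_alg,
            "fips_ok": not reasons, "reasons": reasons}


def audit_cipher_list(spec: str) -> tuple:
    """Split a colon-separated list; return (allowed names, {rejected: reasons})."""
    allowed, rejected = [], {}
    for suite in filter(None, spec.split(":")):
        verdict = classify_suite(suite)
        if verdict["fips_ok"]:
            allowed.append(suite)
        else:
            rejected[suite] = verdict["reasons"]
    return allowed, rejected


if __name__ == "__main__":
    # Constructed sample list mixing approved and legacy suites (not from the post).
    SAMPLE = ("ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:DES-CBC3-SHA:"
              "DES-CBC-SHA:RC4-MD5:EXP-DES-CBC-SHA")
    ok, bad = audit_cipher_list(SAMPLE)
    print("FIPS-compatible:", ":".join(ok))
    for suite, why in bad.items():
        print(f"disable {suite}: {'; '.join(why)}")
```

The check covers only the bulk cipher, the MAC hash and export-grade markers; key-exchange and certificate algorithms would need a separate rule.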
Who requires FIPS?
Traditionally FIPS was the purview of the Federal government. The military and its vendors, who often deal in sensitive national security information, are frequently required to abide by FIPS. Federal and state government agencies that deal with citizens’ private information must also comply. The Canadian government has policies requiring FIPS-validated software, and it cooperates with NIST in establishing FIPS standards. Government vendors who require privacy with regard to personal and financial information can include financial institutions, information-processing vendors, healthcare-related vendors, educational institutions, and utilities. Vendors who deal with national security commonly include manufacturers and a wide variety of military contractors.
In addition, the FIPS standard is relevant to companies that are not themselves required to comply with government encryption regulations. Vendors, contractors, and any organization working with government or the military must comply with FIPS as well. FIPS validation involves subjecting software and hardware to rigorous testing to determine whether flaws are present; solutions without this validation are therefore more likely to contain vulnerabilities. With the growing use of secure communications and the expansion of public/private transactions, FIPS is moving into the private sector as never before.
FIPS for multiple vertical markets
The need for security in Internet-based commerce is growing exponentially. The drivers behind this growth are the increasing frequency and magnitude of security intrusions, the resulting loss of privacy for businesses and consumers, and the financial impact of both. Estimates for secure Internet traffic exceed 40 percent of overall data transmissions; given the dramatic growth of Internet traffic, this security-based component is quite extensive.
Businesses from healthcare to banking to insurance are turning to the Web to grow their operations. SSL is the de facto standard for secure Internet traffic in many of these markets, with financial services in particular using SSL for over 75 percent of their communications. While non-FIPS security solutions are prevalent, organizations are ramping up the use of FIPS, both because they increasingly deal with government agencies and as a competitive advantage. Just one leak of confidential information could lead to tens of millions in compensation damages. Best practices going forward will turn more and more to FIPS.
The growth of secure Internet traffic seems to be matched by federal regulations over broad industry segments. Financial and healthcare businesses must comply with data privacy and security requirements led by Gramm-Leach-Bliley and Health Insurance Portability and Accountability Acts. These laws require companies to bolster the security of their network infrastructure to ensure the safety and privacy of confidential information.
It used to be that only data in transit was the issue; now data at rest in back-end databases and servers is the problem. To maintain security, it is imperative that the SSL keys be protected, key generation be robust and the security apparatus reliable. To preserve the security provided by the SSL protocol, IT administrators are turning more and more to FIPS to verify that vendor security claims are valid. These tests make FIPS validation relevant not just to the government and military, but to all organizations looking for a secure file transfer solution.
New Citrix NetScaler FIPS appliances address any industry need
Citrix provides a full lineup of four FIPS 140-2 Level 2 compliant NetScaler MPX models. These solutions provide a broad range of features including DNSSEC support, ICA rewrite, back-to-back re-encryption, the ability to disable selected SSL cipher suites via cipher bindings, private key shielding, and many more. Stay tuned for another blog on feature details!
Compliant with FIPS 140-2, the appliances include tamper-evident coatings and seals on the cryptographic module that must be broken to gain physical access to plaintext keys and critical security parameters (CSPs). The models go beyond Level 2 and, following Level 3 mandates, provide a bezel over the USB key opening to prevent intruders from gaining access to the CSPs. Tamper detection/response circuitry zeroizes all plaintext CSPs when the removable covers or doors of the module are opened. The models further provide role-based authentication, whereby the module verifies that an operator is authorized to assume a specific role and perform a defined set of services.
Despite the feature-packed nature of the MPX models, performance and scalability were not forgotten. SSL traffic rates range from 1 Gbps on the MPX 9700 to over 4.5 Gbps on the MPX 15500. SSL transactions per second are supported to over 15,000. Even better, each of the models can be upgraded to the next higher throughput with a simple on-demand license upgrade. As your datacenter grows, there is no need for a forklift upgrade and no need to over-provision the datacenter. Scalable FIPS-level security as never before.