What is FIPS 140-2 Level 2?

FIPS 140-2 is a US government standard that specifies security requirements for cryptographic modules, such as hardware security modules (HSMs) and software libraries, that are used to protect sensitive information. FIPS 140-2 Level 2 is a certification level that requires a cryptographic module to provide the following security features:

  1. Tamper Evidence: The cryptographic module must be designed to indicate when it has been tampered with or accessed in an unauthorized manner. This may be accomplished by using sensors that detect physical tampering, or by using cryptographic algorithms that detect changes in the module’s state.
  2. Role-Based Access Control: The cryptographic module must have a mechanism for restricting access to sensitive information based on the roles and privileges of the users or applications that are accessing it.
  3. Cryptographic Key Management: The cryptographic module must have a mechanism for generating and storing cryptographic keys in a secure manner, and for ensuring that the keys are used only for their intended purpose.
  4. Cryptographic Algorithms: The cryptographic module must use approved cryptographic algorithms to protect sensitive information, and must ensure that the algorithms are used correctly and securely.
  5. Physical Security: The cryptographic module must be installed in a secure environment, such as a secure data center, and must be protected from physical attacks, such as by using physical barriers or security guards.
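As an added illustration (not code from the original article, and not a real FIPS module), the following Python sketch models how items 1 to 3 interact inside a module: a Crypto Officer role manages keys, a User role consumes services, each key is bound to the purposes it was created for, and an integrity tag over the key table gives tamper evidence that makes the module refuse service once its state has been altered. The class and role names are hypothetical.

```python
import hashlib
import hmac
import os

# Two of the roles FIPS 140-2 distinguishes: a Crypto Officer who manages keys
# and a User who consumes cryptographic services. Names here are hypothetical.
CRYPTO_OFFICER = "crypto_officer"
USER = "user"


class ToyModule:
    """Toy model of key management, role-based access control and tamper
    evidence. Keys are stored as (secret, allowed purposes)."""

    def __init__(self):
        self._keys = {}
        # Integrity key for the tamper-evidence tag over the key table. A real
        # module keeps this in protected hardware; here it is only in memory.
        self._integrity_key = os.urandom(32)
        self._tag = self._compute_tag()

    def _compute_tag(self):
        h = hmac.new(self._integrity_key, digestmod=hashlib.sha256)
        for name in sorted(self._keys):
            secret, purposes = self._keys[name]
            h.update(name.encode() + secret + ",".join(sorted(purposes)).encode())
        return h.digest()

    def tampered(self):
        """Tamper evidence: the key table no longer matches its integrity tag."""
        return not hmac.compare_digest(self._tag, self._compute_tag())

    def generate_key(self, role, name, purposes):
        """Key management: only the Crypto Officer may create keys, and each
        key is bound to the purposes it may be used for."""
        if role != CRYPTO_OFFICER:
            raise PermissionError("only the Crypto Officer may generate keys")
        self._keys[name] = (os.urandom(32), frozenset(purposes))
        self._tag = self._compute_tag()

    def mac(self, role, name, data):
        """Cryptographic service: checks role, module integrity and key purpose
        before using the key, refusing a key created for another purpose."""
        if role not in (USER, CRYPTO_OFFICER):
            raise PermissionError("operator not authenticated to a role")
        if self.tampered():
            raise RuntimeError("integrity failure: module refuses service")
        secret, purposes = self._keys[name]
        if "mac" not in purposes:
            raise PermissionError(f"key {name!r} is not authorized for MAC")
        return hmac.new(secret, data, hashlib.sha256).hexdigest()
```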

Examples of cryptographic modules that are FIPS 140-2 Level 2 certified include HSMs from vendors like Gemalto, Thales, and SafeNet. These HSMs are used in a variety of applications, such as:

  1. Secure Communications: HSMs are used to protect the encryption keys that are used to secure communications, such as virtual private networks (VPNs) and secure email.
  2. Payment Processing: HSMs are used to protect the encryption keys that are used to secure credit card transactions and other financial transactions.
  3. Government Applications: HSMs are used to protect sensitive information in government applications, such as secure communications, military systems, and law enforcement applications.

By using FIPS 140-2 Level 2 certified cryptographic modules, organizations can ensure that their sensitive information is protected against tampering and unauthorized access, and that only authorized users and applications are able to access it. This helps to prevent data breaches, identity theft, and other security threats.

Author: tonyhughes