Mind the Gap: Updating FIPS 140

Steve Weingart, Futurex, 864 Old Boerne Rd., Bulverde, TX 78163, weingart@futurex.com
Steve R. White, IBM Thomas J. Watson Research Center, P.O. Box 704, Yorktown Heights, NY 10598, [email protected]

Dec 13, 2015

Page 1

Mind the Gap: Updating FIPS 140

Steve Weingart, Futurex, 864 Old Boerne Rd., Bulverde, TX 78163, weingart@futurex.com

Steve R. White, IBM Thomas J. Watson Research Center, P.O. Box 704, Yorktown Heights, NY 10598, [email protected]

Page 2

Outline

- History
- FED Standard 1027
- FIPS 140-1
- Levels
- Changes in Technology
- Changes in Standards and the Environment
- Proposal: Level 3.5
- Discussion/Questions

Page 3

History

- Federal Standard 1027 was primarily a hardware standard for line encryption devices using single DES
- NIST developed FIPS 140 as a replacement
  - It is more generalized
  - It accepts both hardware and software implementations
  - It has the 11 criteria that cover the complete design
- During the development of FIPS 140 a level-based system was proposed and accepted
- FIPS 140-1 was made official in 1994
  - It became widely accepted
- FIPS 140-2, the first update, was made official in 2001

Page 4

History (cont)

- Things have changed
  - Both attack and defense technologies have improved
  - Industry needs & requirements have changed
  - The standard, and its applicability, evolves

Page 5

Original proposed six-level system

Level | Name | Description
1 | None | The attack can succeed "by accident" without the attacker necessarily being aware that a defense was intended to exist. No tools or skills are needed.
2 | Intent | The attacker must have a clear intent in order to succeed. Universally available tools (e.g. screwdriver, nail file) and minimal skills may be used.
3 | Common Tools | Commonly available tools and skills may be used (e.g. those tools available from retail department or computer stores).
4 | Unusual Tools | Uncommon tools and skills may be used, but they must be available to a substantial population (e.g. lock pick, logic analyzer; hardware and software debugging skills, electronic design and construction skills). Typical engineers will have access to these tools and skills.
5 | Special Tools | Highly specialized tools and expertise may be used, as might be found in the laboratories of universities, private companies, or governmental facilities. The attack requires a significant expenditure of time and effort.
6 | In Laboratory | A successful attack would require a major expenditure of time and effort on the part of a number of highly qualified experts, and the resources available only in a few facilities in the world.

Page 6

FIPS 140, 4-level system

Level | Physical Security | Design Assurance
1 | Production grade equipment. | Configuration management (CM). Secure installation and generation. Design and policy correspondence. Guidance documents.
2 | Locks or tamper evidence. | CM system. Secure distribution. Functional specification.
3 | Tamper detection and response for covers and doors, epoxy potting. | High-level language implementation.
4 | Tamper detection response envelope. EFP or EFT. | Formal model. Detailed explanations (informal proofs). Preconditions and postconditions.

Page 7

Changes

- Attack technologies have developed
  - The Internet has become a forum for development
  - Script kiddies can obtain and try many software attacks beyond their skill level
  - Expensive tools that were difficult to obtain are now available
    - SEM
    - FIB
    - NC machining
- Defense technologies have held up, mostly
  - Not a great deal of new development
  - That is mostly OK, since the higher levels have held

Page 8

Changes (cont)

- The customer population has become larger and more sophisticated
  - Banking and financial
  - USPS
- In general, FIPS 140 has become accepted 'due diligence' for commercial cryptographic devices
- This has spotlighted some need for change in the standard

Page 9

The Gap

- FIPS 140 has 4 levels
- These 4 levels correspond roughly to levels 1, 2, 3 & 6 from the originally proposed system
- So, there is a large gap between level 3 and level 4
- A typical level 3 device can be cracked in a few hours by anyone with reasonable skills
- No level 4 device has been cracked publicly
  - But, the level 4 requirements are so difficult that there are almost no level 4 devices

Page 10

The Gap

[Chart: number of validations per level. X-axis: Level 1, Level 2, Level 3, Level 4. Y-axis: Validations, 0 to 250.]

Page 11

The Gap

- There are 179 level 1 validations, 247 level 2 validations, 120 level 3 validations & 11 level 4 validations (557 total)
- Of the level 4 devices, about half are unique; the rest are delta/re-validations
- Level 4 is too difficult to develop, and too expensive to manufacture, for most vendors
- But industry requirements need more than level 3
  - USPS and ANSI both require tamper detection
  - USPS requires EFT/EFP
- We need something new

Page 12

The Proposal

- Level 3.5
- Essentially level 3 plus:
  - Tamper detection required
    - 1 – 1.25 mm max undetected hole
  - Same as level 4 for single chip
  - EFT/EFP
  - Informal modeling

Page 13

The Advantages

- Meet new & emerging requirements for security that is stronger than level 3
- Avoid the most difficult requirements of level 4:
  - Formal modeling
  - Any/all tamper detection envelope
- This level of security is reasonable to develop and manufacture

Page 14

Questions?

Page 15

Thank You!

Steve Weingart
weingart@futurex.com

Steve R. White
[email protected]