Federal Perspective: AES is just plaintext without FIPS 140-2

Federal Perspective: AES is just plaintext without FIPS 140-2

by Sean Cope
Even though the Federal Information Processing Standards Publication 140-2 (FIPS 140-2) was issued over a decade ago, I recently ran across information security specialists who challenged the need for FIPS 140-2 validation as it applies to products that use the Advance Encryption Standard (AES) algorithm to perform cryptographic functions.

The debate circled around the notion that if the encryption module has been classified as using AES strength encryption, then why would there be a need to have it FIPS 140-2 certified. The cause for the debate circled around an inaccurate understanding of encryption strength verses cryptographic module validation.

From the National Institute of Standards and Technology (NIST) viewpoint, if an encryption module has not undergone the Cryptographic Module Validation Program (CMVP) then no matter what type of encryption algorithm and corresponding bit-strength is used, the information that the encryption is supposed to be protecting must be treated as if it were not protected.

NIST views invalidated cryptographic modules as providing zero protection for the information system. NIST elaborates on the point as stating that “…data would be considered unprotected plaintext” if an invalidated encryption module provided the encryption capabilities employed for use by the information system.

With NISTs clear guidance it is important to educate Program Management, Senior Level Executives, and security professionals alike that the FIPS 140-2 cryptographic module validation is one critical requirement that cannot be overlooked.

If you find yourself in a similar situation, point the person to NIST Cryptographic Module Validation Program (CMVP) – NIST CMVP and set the record straight.