Just because they use FIPS approved or validated algorithms doesn't mean they are FIPS validated modules. There is much more than just correctly implementing the algorithm to FIPS mode. Some that come to mind are zeroizing the key store if a tamper is suspected, or if account lock-out numbers are reached, etc. Depending on the level of validation, physical keys (dongles, USB, smart cards) are needed to enable the device.
Most encryption products have the option of running in FIPS mode or non-FIPS mode. Generally FIPS modes are far more restrictive and slower than necessary for typical non-classified usage. But, if you are storing the root of your PKI on the disk, it would probably be considered a best practice.

Eric Lengvenis
Security Architecture

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ali, Saqib
Sent: Thursday, May 01, 2008 2:55 PM
To: fde
Subject: [FDE] FIPS 140-2: When operated in FIPS mode? (Flagstone, Spyrus,Utimaco, Poinsect, MobileArmor)

I was looking at the FIPS 140-2 Certificate[1] for the Stonewood's Flagstone product, and it has a clause that says "(When operated in FIPS mode)".

What does this clause mean? I was under the impression that since Flagstone only implements FIPS validated encryption algorithms (128-bit AES CBC/ECB and ANSI X9.31 AES 128 bit RNG) there would be no non-FIPS mode.

I later found out that Spyrus, Utimaco, Pointsec, MobileArmor have the same clause.

1. http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/140crt779.pdf

_______________________________________________
FDE mailing list
[email protected]
http://www.xml-dev.com/mailman/listinfo/fde
