Ask Our Experts (AOE) for Secure Elements: What is FIPS?
This post explains the FIPS standard and how FIPS-certified algorithms help increase the robustness of embedded security silicon products.
FAQs Video Series on Secure Elements
Watch the video or read the transcript:
Hi everyone, Ulises here for Microchip Technology. Welcome back to “Ask Our Experts,” a series of videos where we answer some Frequently Asked Questions (FAQs) on a diverse set of topics. Today's topic is again on secure elements. To help answer our question, we welcome back Todd Slack. So, let's get to it. Todd, what does it mean when a semiconductor states their product has Federal Information Processing Standards (FIPS) certification?
So, FIPS is more of a North American version of Joint Interpretation Library (JIL) and Evaluation Assurance Level (EAL), which ties into the Common Criteria side. Common Criteria requirements are most popular in Europe. We see them also being adopted or required in some parts of Asia like Japan. FIPS, Federal Information Processing Standard, is part of a North American focus, although we're seeing these requirements pop up in South America and even Europe. This is a similar evaluation to Common Criteria in that they will evaluate your design processes, make sure that you have the right principles in place to protect all of your products, all of your assets within a device, and you can get different levels along the way.
FIPS 140-2 is transitioning to FIPS 140-3 and you have two major components within that. You have CAVP, which is the Cryptographic Algorithm Validation Program, which can verify that the algorithms that you've implemented will always have the expected output, and that they are implemented in a secure manner. That is a component of the larger Cryptographic Module Validation Program or CMVP. CMVP is where it takes the larger picture of your design principles coupled with the quality of your algorithms and then you can get a full module validation: level one, level two, or level three. The difference between those is really more associated with policy than security—how you enforce policies within a device associated with any individual versus the notion of an administrator, which would move you to level two, and then level three can bring things into enforcing things at the human level, a specific individual. So, many devices are mostly targeted at FIPS 140-2 module level two with the appropriate policies for administrative privileges. Then we get this augmented in our devices within the secure products group with physical security level three, which means that you have protected your keys at the highest level, much like we've talked about with JIL High.
Thanks, Todd. Good to see you again. For our viewers, make sure to check out our secure elements web page linked in the description below. And don't forget to subscribe to our YouTube channel below to be the first to know when we have more insights from our experts. We'll see you next time!