
What does it mean for an application to be FIPS 140 compliant?

Is it as simple as using FIPS 140 compliant crypto providers or is there more to it? Are there differences if it is a web app vs a Windows app? What if it is a distributed app? Are there any special considerations for IIS, WCF, ASP.NET, Silverlight, AJAX, etc.?

Thanks


FIPS is a series of standards followed by the U.S. government regarding information security. There are policies, practices, etc. In order to qualify as compliant, you have to make sure that you only use certain algorithms, the hardware and software you use must be deemed compliant, etc.

Is it as simple as using FIPS 140 compliant crypto providers or is there more to it?

It depends on each specific scenario, but yes, it can be. For example, if certain routers you use are 140-2 compliant, then your application behind them can get an exemption from going through parts of the process, because the hardware you use accomplishes the same task the certification requires. For example, we use the F5 BIG-IP to handle a lot of our SSL etc., because they have gone through the certification process. Our other systems may be able to do the same thing, but it means we don't have to go through the approval process, which is long and painful.

http://en.wikipedia.org/wiki/FIPS_140

I think these are the links which talk about accreditation:

http://csrc.nist.gov/groups/STM/index.html

http://csrc.nist.gov/groups/STM/cmvp/index.html
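The answer above says compliance comes down to using only validated implementations and approved algorithms. On Windows/.NET, the most concrete thing a developer can check is the local FIPS policy flag and which .NET crypto classes it blocks. The script below is an added example, not part of the original question or answers; it assumes Windows PowerShell 5.1 (i.e. the .NET Framework, where the policy is enforced by the managed classes) and the standard registry location of the "Use FIPS compliant algorithms" security setting. The class names are real `System.Security.Cryptography` types; the function names are my own.

```powershell
# Added example (not from the original Q&A): probe the Windows FIPS policy and
# see which .NET Framework crypto classes it blocks.
# Assumption: Windows PowerShell 5.1 on .NET Framework 4.x.

function Get-FipsPolicy {
    # The Local Security Policy setting "System cryptography: Use FIPS compliant
    # algorithms for encryption, hashing, and signing" is stored here (assumption:
    # the standard location on Windows Vista and later).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{
        RegistryEnabled = [bool]$enabled
        # .NET Framework reads the same flag; the *Managed classes honour it.
        DotNetEnforcing = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    }
}

function Test-CryptoClass {
    param([string[]]$TypeNames)
    foreach ($name in $TypeNames) {
        try {
            # Constructing the object is enough: under FIPS policy a non-validated
            # managed implementation throws InvalidOperationException
            # ("This implementation is not part of the Windows Platform FIPS
            # validated cryptographic algorithms").
            $obj = New-Object "System.Security.Cryptography.$name"
            $obj.Dispose()
            [pscustomobject]@{ Type = $name; Result = 'loads' }
        } catch {
            $reason = $_.Exception.GetBaseException().Message
            [pscustomobject]@{ Type = $name; Result = "blocked: $reason" }
        }
    }
}

Get-FipsPolicy | Format-List

Test-CryptoClass -TypeNames @(
    'SHA256Managed',               # pure managed code: blocked when the policy is on
    'SHA256CryptoServiceProvider', # CAPI-backed, validated module: loads
    'SHA256Cng',                   # CNG-backed, validated module: loads
    'RijndaelManaged',             # managed AES: blocked
    'AesCryptoServiceProvider',    # CAPI AES: loads
    'MD5CryptoServiceProvider'     # MD5 is not an approved algorithm, but this is a
                                   # CAPI wrapper, so the flag does not stop it: the
                                   # flag gates implementations, not your algorithm choice
) | Format-Table -AutoSize
```

Run it once with the policy off and once with it on (the setting takes effect after a restart) and the output shows the practical point of the answer: the Windows flag only stops non-validated implementations. It does not turn a non-approved algorithm such as MD5 into a compliant one, so algorithm selection, key management, and the rest of the process still have to be reviewed by hand.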


It's a government standard for cryptographically secure systems. It defines the practices, policies, tests, and in some cases hardware that a system must comply with to be considered compliant. You can read more about it at http://en.wikipedia.org/wiki/FIPS_140.

http://csrc.nist.gov/publications/PubsFIPS.html is a good resource for the general FIPS specs and requirements.

