I'm bored and for some reason this NIST stuff is interesting. The question on this website was from a company that built a cryptographic module for their product that used standard encryption algorithms. They asked whether it meant that they were NIST compliant because they used industry standards. Here was the response:
"If you are using an AES library that has not undergone the FIPS validation process, then you are not FIPS compliant (or, at least, your use of AES is not).
FIPS compliant means more than "we use algorithms that FIPS likes", it means "having passed the FIPS certification process"; that is how NIST defines it.
Sorry, but NIST is quite strict about this; if you haven't undergone the full testing, then NIST is concerned that you haven't implemented AES correctly; there may be subtle bugs that affect the security. And, since NIST makes up the rules for what's "FIPS compliant", well, there's no point in arguing about its likelihood.
In addition, FIPS talks more than what algorithms you use; it also talks about health tests and key zeroization and other such things; the FIPS certification process checks all that as well.
If you need to be FIPS compliant, then your choices are:
Use a FIPS-certified library to perform all the FIPS-approved crypto operations
Go through the FIPS-certification process for your application (or, at least, the crypto pieces of your application).
The FIPS certification process is surprisingly complicated; I'd advise you to use a FIPS-certified library."