Tech Talk
Understanding the Levels of Encryption
Last updated 4 January 2023
With the ever-increasing threat of cybercrime, more and more companies are looking to keep data secure on internal and removable storage devices. Unfortunately, there is no one solution that fits all. The military has its own requirements, as do financial institutions and personal users. But what types of encryption are there? Below we list the encryption levels, what they mean, and the products we sell that have them.
FIPS 140-3
What is the difference between FIPS 140-2 and 140-3?
FIPS 140-2 only addressed the security requirements after completion, but FIPS 140-3 now evaluates security requirements at all stages of cryptographic module creation: design, implementation, and final operational deployment. FIPS 140-3 now supersedes 140-2. Although no 140-3 validations have been granted, there is a period of transition until 140-3 becomes the new standard.
FIPS 140-2
Probably one of the most common standards. The Federal Information Processing Standard 140-2 (FIPS 140-2) is a U.S. and Canadian co-sponsored security standard for hardware and software products.
FIPS 140-2 provides stringent third-party assurance of security claims for products sold in the United States and Canada. Products that are sold to the US Federal Government are required to complete FIPS 140-2 validation if they use cryptography in security systems that process sensitive but unclassified information.
FIPS 140-2 is gaining worldwide recognition as an important benchmark for encryption products of all kinds and is being reviewed by ISO to become an international standard.
What is the difference between FIPS-compliant and FIPS validated?
There is a substantial difference between claiming your product is FIPS 140-2 compliant versus FIPS 140-2 validated.
- FIPS Compliant refers to a product that has incorporated within its design another company’s cryptographic module that went through the FIPS validation process. It does not hold as much weight as being able to claim FIPS 140-2 Validation.
- FIPS Validated means the vendor has gone through the entire FIPS 140-2 evaluation process and has a certificate of their own issued by the government.
Levels of FIPS 140-2
Level 1: Requires production-grade equipment and externally tested algorithms.
Level 2: Adds requirements for physical tamper-evidence and role-based authentication. Software implementations must run on an Operating System approved by Common Criteria at EAL2.
Level 3: Adds requirements for physical tamper-resistance and identity-based authentication. There must also be a physical or logical separation between the interfaces by which “critical security parameters” enter and leave the module. Private keys can only enter or leave in encrypted form.
Level 4: This level makes the physical security requirements more stringent, requiring the ability to be tamper-active, erasing the contents of the device if it detects various forms of environmental attack.
What does FIPS 140-2 cover?
FIPS 140-2 covers products using cryptography for secure remote management, data encryption, digital signatures, and information protection. FIPS 140-2 also requires features that show evidence of tampering, including tamper-evident coatings or seals that must be broken to attain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the module, or pick-resistant locks on covers or doors to protect against unauthorised physical access.
What is the difference between FIPS 140-2 and FIPS 197?
FIPS 197 certification looks at the hardware encryption algorithms used to protect the data. FIPS 140-2 is the next, more advanced level of certification. FIPS 140-2 includes a rigorous analysis of the product’s physical properties. So, with a FIPS 140-2 certified USB Flash Drive, the tamper-proof design of the circuit board has been approved, as well as the data encryption.
What is AES encryption?
In 2001, the Advanced Encryption Standard, or AES encryption algorithm as it is commonly referred to, was accepted as the industry standard for secure data encryption by the U.S. National Institute of Standards and Technology (NIST). Developed by Vincent Rijmen and Joan Daemen, it is also called the Rijndael cipher (a cipher being a code which is used to hide the true message being sent). This method is now used worldwide, in both hardware and software alike.
AES encryption presents higher security than previous encryption standards as changing just one bit, whether in the key or text block, results in an incomprehensible cipher block. What this means to you and me, is that it prevents someone from working out the code by simply substituting one byte at a time and seeing what changes this makes to the message. This is actually one of the main reasons for developing a new encryption standard, as these ‘brute force’ attacks were relatively successful in cracking previous encryption algorithms.
Modern AES encryption uses 128, 192 or 256-bit keys. As we might expect, the higher the number of bits in the key, the more possible key combinations there are and therefore the harder the code is to crack. So why doesn’t everyone just use AES-256? Well, there is a trade-off between the speed at which your equipment can encrypt/decrypt information, the cost of the equipment which supports the increasing standards, and the level of security risk that the information carries. For most people, it is probably more cost-effective to use the lower-bit AES encryption options.
Is AES Secure enough?
While this makes it seem like AES-256 is the best option for everyone, it should be noted that not even AES-128 has ever been cracked by brute force. In fact, AES-128 is still used by governments to encrypt data up to the ‘Secret’ level. Only ‘Top Secret’ information is required to be encrypted with a minimum standard of AES-192. Though there have been successful attacks on AES, their success was due to exploiting weaknesses in the implementation of the standard rather than a weakness in the standard itself.
In short, if AES-128 is used by governments and military installations to encrypt ‘Secret’ classified information, it’s probably secure enough to keep your sales information safe from your average hacker. Furthermore, it has been calculated that it would take 1 billion, billion years for a supercomputer to crack the AES-128 algorithm using brute force. And how many hackers have access to a supercomputer?