We are in the process of understanding whether our software application is FIPS 140-
Question
We are in the process of understanding whether our software application is FIPS 140-2 compliant or not. Currently in our application, we are using our own implementation of the AES algorithm. AES is a FIPS 140-2 compliant algorithm.
The question would be whether this would render our app not FIPS 140-2 compliant, since we are not using a FIPS-validated library (Advanced Encryption Standard Algorithm Validation List) even though we are using a FIPS-compliant cryptographic algorithm.
Again, we are not trying to certify our application for FIPS 140-2; rather, we just want to make sure that we are FIPS 140-2 compliant.
Explanation / Answer
If you are using an AES library that has not undergone the FIPS validation process, then you are not FIPS compliant (or, at least, your use of AES is not).
FIPS compliant means more than "we use algorithms that FIPS likes"; it means "having passed the FIPS certification process"; that is how NIST defines it.
Sorry, but NIST is quite strict about this; if you haven't undergone the full testing, then NIST is concerned that you haven't implemented AES correctly; there may be subtle bugs that affect the security. And, since NIST makes up the rules for what's "FIPS compliant", well, there's no point in arguing about its likelihood.
In addition, FIPS talks about more than what algorithms you use; it also talks about health tests and key zeroization and other such things; the FIPS certification process checks all that as well.
If you need to be FIPS compliant, then your choices are:
Use a FIPS-certified library to perform all the FIPS-approved crypto operations
Go through the FIPS-certification process for your application (or, at least, the crypto pieces of your application).
The FIPS certification process is surprisingly complicated; I'd advise you to use a FIPS-certified library.