How important is FIPS 140-2 Level 1 cert?

Perry E. Metzger perry at
Fri Dec 22 11:43:58 EST 2006

[I was asked to forward this anonymously. --Perry]

From: [Name Withheld]
To: cryptography at
Subject: Re: How important is FIPS 140-2 Level 1 cert?

Paul Hoffman <paul.hoffman at> wrote:

> At 11:25 AM -0500 12/21/06, Saqib Ali wrote:
> >If two products have exactly same feature set, but one is FIPS 140-2
> >Level 1 certified but cost twice. Would you go for it, considering the
> >Level 1 is the lowest.

> Assuming that the two products use Internet protocols (as compared to
> proprietary protocols): no. Probably the only thing that could
> differentiate the two is if the cheaper one has a crappy random number
> generator, the more expensive one will have a good one.

Actually you cant even guarantee that because the FIPS 140 requirements
for the ANSI X9.17/X9.31 PRNG include a pile of oddball things that made
sense for the original X9.17 use (where it was assumed the only source
of entropy was a DES3 key embedded in secure hardware) but are severe
restrictions on current implementations. As a result a FIPS 140-
certified key generator will be worse than a well-designed non-FIPS-140
one because the FIPS requirements prevent you from doing several things
that would improve the functioning like injecting extra entropy into the
generator besides the DES3 key. In addition since no two eval labs can
agree on exactly what is and isnt OK here its pretty much a crap-shoot
as to what you can get through. Ive heard stories from different vendors
of Lab B disallowing something that had already been certified by Lab A
in a previous pass through the FIPS process.

In terms of its value, particularly for level 1, what itll give you is
(1) protection from egregiously bad implementations (which a quick
source code check will do as well) and (2) the ability to sell to US
federal agencies. Beyond that I concur that 10 minutes of interop
testing with the standardised protocol of your choice (e.g. TLS, S/MIME,
IPsec) will give you more than FIPS 140 will since a run of TLS tests
much more of the crypto than FIPS 140 does.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list