Certification: A Quality Accolade
In This Chapter
4 Which certification schemes currently exist for HSMs
The benefits and downsides of HSM certifications
What you, as a user, must know about certifications
In order to assess the quality and security level of a device for the purposes of
information security, product companies can perform expert assessment and
subsequent certification in accordance with defined test regulations and requirement
lists. Addressing the issue of certification for HSMs is actually relatively
easy. Only two globally recognized certification schemes exist:
FIPS: The Federal Information Processing Standards Publications (FIPS
PUBS) is from the National Institute of Standards and Technology.
Common Criteria: The Common Criteria for Information Technology Security
Evaluation is an international standard for the testing and evaluation of
the security properties of IT products.
But certification isn’t as easy as it appears, because a broad array of diverse auditing
and certification schemes exists in different national industries. In the German
credit business, for example, separate requirements for HSMs exist for
deployment in monetary transaction networks. The payment card industry also
has its own definitions for HSMs.
The FIPS 140 Standard
You’ll find the body of requirements, rules and regulations for HSMs in the FIPS
140-2 standard. FIPS 140-2 is governed by the Cryptographic Module Validation
Programme (CMVP), a joint initiative by the U.S. and Canadian governments.
CMVP is a partnership initiated by the American National Institute of Standard
and Technology (NIST) and Canadian Communications Security Establishment
Canada (CSEC).
Within FIPS 140-2 there are four hierarchical security levels (1 – 4), as well as
specific certifications (FIPS 197 and so on). On every level a higher concentra-
27