Good Things Fall Apart

CAVP, CMVP, FIPS 140–3, and why we need a better way to measure good cryptography with ideally less acronyms

Tom Hardy burning his Spitfire to resist its capture by the Wehrmacht at the end of Dunkrirk. In modern data centers, some cryptographic systems use similar techniques to protect encryption under FIPS 140–2 Level 4

The CAVP: the “Hacker News” of crypto

Smashing windows vs. picking locks

Example of breaking the passphrase for a 802.11x wireless network using Aircrack-ng. Poor key/key material management is a common technique used by attackers to compromise encryption via a side channel attack

“Tell me what you hate about me” —The CMVP and FIPS 140

Example of a CMVP certificate verifying the cryptographic security of a Cisco enterprise router. This certificate is acquired through a lengthy and expensive cryptographic audit process known as FIPS 140

How does FIPS 140 work?

A self-destructing laptop with thermite incendiary charges. For some FIPS 140–2 Level 4 crypto modules, self-immolating internals used for tamper resistance against strong environmental attacks

Where is FIPS 140 required?

The Problems with FIPS 140 and the CMVP

TL;DR

--

--

Principal PM for Cryptography and Security Products @HashiCorp. Formerly Defense/NatSec & Crypto @NetApp, VC @GGVCapital + @AmplifyPartners

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Andy Manoske

Principal PM for Cryptography and Security Products @HashiCorp. Formerly Defense/NatSec & Crypto @NetApp, VC @GGVCapital + @AmplifyPartners