FIPS 140-2 is a standard for securing sensitive data in government agencies. But what does it mean to be FIPS compliant? What does it mean for an agency evaluating technology vendors? How does the standard assess the security of IT vendors?
In this blog, we'll discuss what the FIPS 140-2 standard is and how it helps keep data secure. We will also discuss how VIDIZMO uses FIPS-compliant end-to-end encryption and hashing in the processes involved from video upload until playback.
What is FIPS 140-2 Compliance?
To ensure that only intended audiences can read and process information, organizations use cryptography to keep it secure. Cryptography is the process of changing human-readable information (plaintext) into unreadable information (ciphertext) by means of an algorithm.
Organizations could use a range of cryptographic modules, but these may not be the most secure due to weak algorithms, poor design, etc. Therefore, to ensure that highly secure cryptographic modules are used, the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS) established the FIPS standard.
Through independent testing, the FIPS 140-2 standard provides a list of validated cryptographic modules that federal agencies need to use, as stated under the Federal Information Security Management Act (FISMA). But it's not just federal government agencies. Due to the robust security and testing of these modules, FIPS 140-2 cryptographic modules are also trusted internationally by both commercial and government enterprises.
List of Cryptographic Modules Approved by the National Institute of Standards and Technology
A list of the cryptographic modules approved for use can be found in the “Approved Security Functions for FIPS PUB 140-2” document. The list includes modules that have been approved under the Cryptographic Module Validation Program – a joint effort made by the Canadian Centre for Cyber Security (CCCS) and the National Institute of Standards and Technology (NIST). The program evaluates the cryptographic modules for security in terms of 11 areas.
The approved list consists of modules that are classified into the following categories:
- Symmetric Key Encryption and Decryption (e.g., AES, TDEA)
- Digital Signatures (e.g., DSS)
- Hashing (e.g., SHA)
- Message Authentication (e.g., Triple-DES, AES and HMAC)
What Does It Mean for Your Organization?
Whether or not your organization is a US federal agency, information needs to be kept secure. To ensure the highest level of security, it's important to evaluate all the cryptographic modules used by any vendor before making a purchase. Whether it's your online meeting solution, online workspace, video platform or any other cloud solution, you need to ensure that all cryptographic actions, from information uploading and processing to storage and delivery, use only FIPS 140-2 approved cryptographic modules.
Technology solutions that rely on already validated cryptographic modules are said to be FIPS compliant. This is different from being FIPS validated, in which the entire technology solution is verified by one of the NIST-accredited testing laboratories.
How Does FIPS 140-2 Compliance Apply to an Enterprise Video Hosting and Streaming Platform?
Having explained what FIPS 140-2 is, this blog will now use our VIDIZMO platform as an example to explain how validated cryptographic modules are used across all processes on video data from upload until delivery (end-to-end encryption).
Though complex in reality, the video streaming process can be simplified into three parts: uploading, at rest, and delivery. Here's a simplified diagram to show how VIDIZMO provides complete end-to-end encryption using FIPS 140-2 compliant cryptographic modules.
Encryption while Uploading
When a user uploads video content, it is transferred to the datacenter over the Transport Layer Security (TLS) protocol. VIDIZMO uses TLS 1.3 and TLS 1.2 (as certain browsers don't support TLS 1.3), and these use cryptographic modules that are FIPS compliant as outlined in NIST TLS documentation. As such, the data can't be read if intercepted in transit, as it's strongly encrypted.
The datacenter uses a hash check (cryptographic module) to verify whether the video is the same as it was when uploaded. This helps prevent malicious data from entering the cloud storage. VIDIZMO provides customers with the option to choose their cloud provider, and different providers use different cryptographic modules. AWS uses SHA-256 for this verification, which is a FIPS 140-2 approved module. Azure uses native MD5 for the same.
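The upload hash check described above, sketched as an added example (not VIDIZMO's or any cloud provider's code): the function names, the allowlist and the sample bytes are assumptions made for illustration. It only accepts digests from approved hash functions, so a SHA-256 digest is verified while an MD5 digest is refused, since MD5 is not an approved hash function.

```python
import hashlib
import hmac
import io

# Allowlist assumed for this example: SHA-2 / SHA-3 functions (FIPS 180-4, FIPS 202).
APPROVED_HASHES = {"sha256", "sha384", "sha512", "sha3_256", "sha3_384", "sha3_512"}


class IntegrityError(Exception):
    """Raised when an upload cannot be verified under the approved-only policy."""


def digest_stream(stream, algorithm="sha256", chunk_size=1024 * 1024):
    """Hash a file-like object in chunks so a large video never sits fully in memory."""
    if algorithm.lower() not in APPROVED_HASHES:
        raise IntegrityError(f"{algorithm} is not an approved hash function")
    h = hashlib.new(algorithm.lower())
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_upload(stream, declared_hex, algorithm="sha256"):
    """Return the computed digest if it matches the digest declared by the uploader."""
    actual = digest_stream(stream, algorithm)
    declared = declared_hex.strip().lower()
    # Constant-time comparison, so timing does not reveal how many characters matched.
    if not hmac.compare_digest(actual.encode(), declared.encode()):
        raise IntegrityError("digest mismatch: stored object differs from what was sent")
    return actual


def check(payload, declared_hex, algorithm="sha256"):
    """Report the outcome as a string instead of raising."""
    try:
        verify_upload(io.BytesIO(payload), declared_hex, algorithm)
        return "accepted"
    except IntegrityError as exc:
        return f"rejected: {exc}"


# Constructed sample bytes standing in for a video file.
SAMPLE = b"\x00\x00\x00\x18ftypmp42" + b"constructed video payload" * 4096
SAMPLE_SHA256 = hashlib.sha256(SAMPLE).hexdigest()

if __name__ == "__main__":
    print(check(SAMPLE, SAMPLE_SHA256))                # intact upload
    print(check(SAMPLE[:-1] + b"!", SAMPLE_SHA256))    # one byte changed in transit
    print(check(SAMPLE, "0" * 32, "md5"))              # constructed MD5-length digest
```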
Encryption at Rest
Video content that is to be stored at rest needs to be encrypted. This process involves encrypting twice, and hence two cryptographic modules are used. The first encryption is by the cloud provider in their datacenter. VIDIZMO allows customers to choose cloud providers that use FIPS 140-2 encryption at rest. Both Azure and AWS carry out encryption using the AES-256 cryptographic module. Both of these cloud providers have a robust fool-proof system for encrypting data and keys at rest. For example, Azure uses FIPS 140-2 compliant encryption keys (Data Encryption Key [DEK]) for the data and then even encrypts these keys using another key (Key Encryption Key [KEK]).
On top of that, VIDIZMO also adds another layer of security by encrypting content using AES-128 keys, which is a cryptographic module from the list of approved security functions.
Decryption during Playback
The additional layer of security through AES-128 ensures that only authorized individuals can decrypt the video file through the VIDIZMO player at the final stage. VIDIZMO offers detailed access management and sharing, so only a user who has access will be able to watch the video.
The video is delivered over secure TLS 1.2 and TLS 1.3, and as previously discussed, TLS uses FIPS-compliant cryptographic modules to keep data secure.
The VIDIZMO enterprise video platform not only manages uploading and streaming of video, but also integrates with other IT systems, Zoom for example. The process of integration involves token management, which includes a cryptographic hash check to validate whether the integration with the application is the one that was intended. The hashing cryptographic function used here is SHA-256.
There are many other functions within the VIDIZMO application that use cryptography and information regarding them can be found in our documentation regarding FIPS 140-2.
The bottom line is that, for any IT system to be secure, it should use cryptographic functions that are approved by NIST and are FIPS 140-2 compliant, as in the case of VIDIZMO, which provides end-to-end video streaming for various use cases: corporate communication, managing recorded meetings, e-learning, marketing and sales, etc.