Validating a High-Performance, Programmable Secure Coprocessor

This paper details our experiences with successfully validating a trusted device at FIPS 140-1 Level 4, earning the world's first certificate at this highest level. Over the last several years, our group designed and built a physically secure PCI card containing a general-purpose processor with crypto support. However, for this device to function as a trusted platform for secure coprocessor applications, we needed to establish that assurance through independent validation. We chose FIPS 140-1, since discussions of secure hardware usually cite that standard, and Level 4, since the weaker levels did not provide sufficient assurance for many proposed applications.

Successful validation at Level 4 required withstanding a fairly open-ended suite of physical attacks and preparing formal modeling and verification of the internal software, as well as meeting a number of other sizeable challenges that were not initially apparent. In some sense, our validation effort was an experiment to quantify the design and work effort necessary to achieve this previously unachieved security assurance level. Since our device is a programmable platform, we hope this work substantially lowers the barrier for others to develop, deploy, and validate secure coprocessor applications.

By: S. W. Smith, R. Perez, S. Weingart, V. Austel

Published as: IBM Research Report RC21416, 1999

LIMITED DISTRIBUTION NOTICE:

This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties).