Choosing Security Solutions That Use Public Key Technology

Previous Topic Next Topic

FIPS-140-1 Security and FORTEZZA Crypto Cards

Windows 2000 supports FIPS 140-1 and FORTEZZA Crypto Cards, two federal cryptographic standards that are important to the protection of United States government communications. For more information about the FIPS 140-1 and FORTEZZA Crypto Cards cryptographic standards, see the Microsoft Security Advisor link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources.

FIPS 140-1

The FIPS 140-1 standard was developed by the National Institute of Standards and Technology (NIST). FIPS 140-1, titled "Security Requirements for Cryptographic Modules," specifies the United States government's requirements for proper design and implementation of hardware and software cryptographic modules that perform cryptographic operations for sensitive but unclassified information. FIPS 140-1 has been adopted by the Canadian Communication Security Establishment and the American National Standards Institute. FIPS 140-1 is widely regarded as a de facto standard for cryptographic modules, and has been incorporated into International Standard 15408, "Evaluation Criteria for Information Technology Security," of the International Standards Organization.

NIST certifies modules that are FIPS 140-1 compliant. Vendors can submit hardware and software cryptographic modules, such as FORTEZZA Crypto Cards, to NIST for certification testing. FIPS 140-1 provides for increasing levels of security, from Level 1 through Level 4. These levels cover a wide range of applications and environments where cryptographic modules are used.

All Windows 2000 cryptographic service providers (CSPs) are FIPS 140-1 Level 1 compliant for use by organizations that require FIPS 140-1–level certification. For more information about Microsoft CSPs and FIPS 140-1, see the Microsoft Security Advisor link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources.

FORTEZZA Crypto Cards

The FORTEZZA Crypto Cards are Personal Computer Memory Card International Association (PCMCIA) cards developed by the National Security Agency. They are tamper-resistant, hardware-based security tokens that provide cryptographic services such as data confidentiality, user authentication, and data integrity. The way FORTEZZA Crypto Cards function is similar to the way that smart cards and smart card readers function, but FORTEZZA Crypto Cards have more memory and more powerful processors, and they implement the cryptographic algorithms that were chosen for the Defense Message System of the United States Department of Defense.

Like smart cards, FORTEZZA Crypto Cards can be used for secure mail and secure Web communications. FORTEZZA Crypto Cards are usually used to protect sensitive but unclassified information. However, enhanced versions of FORTEZZA Crypto Cards are also available to protect classified information.

Microsoft supports FORTEZZA Crypto Cards for secure mail by using the Defense Message System–compliant versions of Exchange Server and the Outlook 98 messaging and collaboration client. Windows 2000, Internet Explorer, and Internet Information Services also support FORTEZZA Crypto Cards for secure Web communications.

FORTEZZA Crypto Cards require the installation of PCMCIA interfaces on desktop computers and are much more expensive to deploy than industry-standard smart cards and smart card readers. Smart cards provide nearly the same level of security as FORTEZZA Crypto Cards, but for much less cost. Therefore, some United States government agencies are deploying industry-standard smart cards to provide strong security for mail and Web communication as well as interoperability with industry-standard public key information security and messaging systems. For example, the United States Department of Defense has proposed two components of their public key infrastructure — a FORTEZZA-based High Assurance Messaging System and a smart card–based Medium Assurance Messaging System.

High Assurance Messaging Systems use expensive FORTEZZA Crypto Cards and FIPS 140-1–compliant cryptographic modules to provide high-level information security. However, FORTEZZA-based systems are not compatible with industry-standard public key information security systems.

Medium Assurance Messaging Systems use inexpensive, industry-standard smart cards and public key infrastructure to provide medium-level information security. Moreover, non-Department of Defense organizations can conduct secure communications with Department of Defense agencies by using industry standard messaging and information security systems, without the need to invest in expensive FORTEZZA technology.

FORTEZZA Crypto Cards are available from a variety of National Security Agency–approved vendors. For more information about FORTEZZA Crypto Cards, contact the card vendors.

© 1985-2000 Microsoft Corporation. All rights reserved.