Oracle is an active participant in the FIPS 140 validations. The current version of FIPS 140 is FIPS 140-2. FIPS 140-2 is in the final stages of becoming an ISO Standard, number 19790. The ISO 19790 is a modification of FIPS 140-2, being less US specific in order to be internationally recognised. FIPS 140-3 is currently being developed .
The following FIPS 140-2 Implementation Guidance, G.5 applies to validated Oracle cryptographic modules:
A vendor may perform post-validation recompilations of a software or firmware module and affirm the modules continued validation compliance provided the following is maintained:
For Level 2 Operational Environment, a software cryptographic module will remain compliant with the FIPS 140-2 validation when operating on any General Purpose Computer(GPC) provided that the GPC incorporates the specified CC evaluated EAL2 (or equivalent) operating system/mode/operational settings or another compatible CC evaluated EAL2 (or equivalent) operating system with like mode and operational settings.
The CMVP allows vendor porting and re-compilation of a validated software and firmware cryptographic module from the OS(s) and/or GPC(s) specified on the validation certificate to an OS(s) and/or GPC(s) which were not included as part of the validation testing. The validation status is maintained on the new OS(s) and/or GPC without re-testing the cryptographic module on the new OS(s) and/or GPC(s). However, the CMVP makes no statement as to the correct operation of the module when ported to an OS(s) and/or GPC(s) not listed on the validation certificate.
Overview of FIPS 140
FIPS 140-2 Security Requirements for Cryptographic Modules is a U.S. government standard for implementation of cryptographic modules that encrypt and decrypt data or perform other cryptographic operations (such as creating or verifying digital signatures).
The Cryptographic Module Validation Program (CMVP) validates cryptographic modules to Federal Information Processing Standards (FIPS) 140-2 Security Requirements for Cryptographic Modules, and other FIPS cryptography based standards. The CMVP was established by NIST and the Communications Security Establishment (CSE) of the Government of Canada in July 1995. The FIPS 140-2 standard is jointly maintained by both of these organizations.
Encryption products purchased by US and Canadian government agencies may be required to undergo the FIPS 140-2 validation. These products are validated against FIPS 140-2 at security levels ranging from level 1 (lowest) to level 4 (highest). The testing and validation of products against the FIPS 140-2 criteria is performed by NIST and CSE-approved and accredited certification laboratories.
Level 2 is the highest level of validation pursued by software vendors. Level 4 is generally only attempted by hardware vendors who produce hardware such as hardware encryption devices.
The Validation Authorities also validate the test results for the FIPS-approved or NIST recommended cryptographic algorithms. An algorithm validation certificate is issued for each validated cryptographic algorithm.
Oracle Advanced Security is also validated against additional FIPS criteria such as FIPS 180-1 Secure Hash Standard, FIPS 46-2 Data Encryption Standard (DES) and FIPS 81 DES Mode of Encryption.