FIPS 137
FIPS 137 is a withdrawn Federal Information Processing Standard (FIPS) publication issued by the National Institute of Standards and Technology (NIST). It specified the security requirements for cryptographic modules used by U.S. Federal government agencies. More specifically, it defined the security architecture and key management aspects applicable to telecommunications and automated information systems.
FIPS 137 was formally entitled "Security Requirements for Products Implementing the Advanced Encryption Standard (AES)." It aimed to ensure that AES, a symmetric block cipher, was implemented securely within cryptographic modules.
The standard addressed various security concerns related to the use of AES, including but not limited to:
- Module Integrity: Ensuring that the cryptographic module itself is protected against unauthorized modification or tampering.
- Key Management: Specifying requirements for the generation, storage, distribution, and destruction of cryptographic keys.
- Physical Security: Defining physical security requirements for the module, depending on the sensitivity of the information being protected.
- Logical Security: Addressing logical access control and authentication mechanisms to prevent unauthorized access to the module and its cryptographic functionalities.
- Testing and Validation: Mandating rigorous testing and validation procedures to ensure compliance with the standard’s requirements.
FIPS 137 has been superseded by other standards, most notably FIPS 140-2 and its successor FIPS 140-3, which provide a more comprehensive framework for the security accreditation of cryptographic modules. While FIPS 137 is no longer an active standard, it played a significant role in establishing security guidelines for cryptographic implementations within the U.S. Federal government and continues to influence modern cryptographic security practices. The specific details outlined in FIPS 137 have been incorporated and expanded upon in subsequent FIPS standards, making those current standards the relevant source for updated cryptographic security guidance.