Designing to Fips-140: A Guide for Engineers and Programmers (Paperback)
暫譯: 設計符合 FIPS 140 的指南:工程師與程式設計師手冊 (平裝本)
Johnston, David, Fant, Richard
- 出版商: Apress
- 出版日期: 2024-04-26
- 售價: $2,110
- 貴賓價: 9.8 折 $2,067
- 語言: 英文
- 頁數: 213
- 裝訂: Quality Paper - also called trade paper
- ISBN: 9798868801242
- ISBN-13: 9798868801242
-
相關分類:
Penetration-test
海外代購書籍(需單獨結帳)
買這商品的人也買了...
-
How to Break Web Software: Functional and Security Testing of Web Applications and Web Services (Paperback)$2,110$2,004 -
XSS 網站安全技術與實務 : 防護解密剖析大進擊$480$374 -
Getting Started with Lazarus and Free Pascal: A beginners and intermediate guide to Free Pascal using Lazarus IDE$1,210$1,185 -
離散數學, 2/e$720$705 -
寫程式前就該懂的演算法 ─ 資料分析與程式設計人員必學的邏輯思考術 (Grokking Algorithms: An illustrated guide for programmers and other curious people)$390$195 -
Hyper-V 虛擬化技術企業現場實戰, 2/e$560$476 -
$299深入淺出 SSD:固態存儲核心技術、原理與實戰 -
Programming Bitcoin$2,600$2,470 -
VMware vSphere 6.7 私有雲建置實戰$520$410 -
2020 超新版計算機概論 -- 邁向資訊新世代 (全工科適用)$650$553 -
不會 C 也是資安高手:用 Python 和駭客大戰三百回合$620$490 -
Inside Blockchain, Bitcoin, and Cryptocurrencies (Hardcover)$2,100$1,995 -
深度學習|生命科學應用 (Deep Learning for the Life Sciences)$580$458 -
Bitcoin and Lightning Network on Raspberry Pi: Running Nodes on Pi3, Pi4 and Pi Zero$1,750$1,662 -
SCRUM 敏捷實戰手冊:增強績效、放大成果、縮短決策流程$450$382 -
微積分勝典 (微積分究竟在說什麼?進階版)$550$495 -
Windows 內核編程$714$678 -
初學 Jetson Nano 不說 No:CAVEDU 教你一次懂$480$480 -
$606Go 語言高級開發與實戰 -
SCRUM BOOT CAMP|23場工作現場的敏捷實戰演練$500$350 -
$351Rust 編程從入門到實戰 -
輕鬆學量子程式設計|從量子位元到量子演算法$520$410 -
$453軟件單元測試 -
深入淺出 SSD:固態存儲核心技術、原理與實戰, 2/e$774$735 -
深入淺出 SSD 測試 : 固態存儲測試流程 方法與工具$594$564
商品描述
This book provides detailed and practical information for practitioners to understand why they should choose certification. It covers the pros and cons, and shows how to design to comply with the specifications (FIPS-140, SP800 documents, and related international specs such as AIS31, GM/T-0005-2021, etc.). It also covers how to perform compliance testing. By the end of the book, you will know how to interact with accredited certification labs and with related industry forums (CMUF, ICMC). In short, the book covers everything you need to know to make sound designs.
There is a process for FIPS-140 (Federal Information Processing Standard) certification for cryptographic products sold to the US government. And there are parallel certifications in other countries, resulting in a non-trivial and complex process. A large market of companies has grown to help companies navigate the FIPS-140 certification process. And there are accredited certification labs you must contract to get the certification.
Although this was once a fairly niche topic, it is no longer so. Other industries--banking, military, healthcare, air travel, and more--have adopted FIPS certification for cryptographic products. The demand for these services has grown exponentially. Still, the available skills pool has not grown. Many people are working on products with zero usable information on what to do to meet these standards and achieve certification or even understand if such certification applies to their products.
What You Will Learn
- What is FIPS-140? What is the SP800 standard?
- What is certification? What does it look like? What is it suitable for?
- What is NIST? What does it do?
- What do accredited certification labs do?
- What do certification consultants do?
- Where and when is certification required?
- What do FIPS-140 modules look like?
- What are the sub-components of FIPS-140 modules (RNGs, PUFs, crypto functions)? How does certification work for them?
- What are the physical primitives (RNGs, PUFs, key stores) and how do you handle the additional complexity of certifying them under FIPS?
- What are the compliance algorithms (AES, SP800-90 algos, SHA, ECDSA, key agreement, etc.)?
- How do you design for certification (BIST, startup tests, secure boundaries, test access, zeroization, etc.)?
- How do you get CAVP certificates (cert houses, ACVTs)?
- How do you get CMVP certifications (cert houses, required documents, design information, security policy, etc.)?
Who This Book Is For
Hardware and software engineers or managers of engineering programs that include any form of cryptographic functionality, including silicon vendors, library vendors, OS vendors, and system integrators
商品描述(中文翻譯)
這本書提供詳細且實用的信息,幫助從業者理解為什麼應該選擇認證。內容涵蓋優缺點,並展示如何設計以符合規範(如 FIPS-140、SP800 文件及相關國際規範,如 AIS31、GM/T-0005-2021 等)。此外,還介紹了如何進行合規性測試。到書籍結束時,您將了解如何與認證實驗室和相關行業論壇(CMUF、ICMC)互動。簡而言之,這本書涵蓋了您所需了解的所有內容,以便進行合理的設計。
FIPS-140(聯邦資訊處理標準)認證的過程適用於銷售給美國政府的加密產品。其他國家也有平行的認證,導致這是一個非平凡且複雜的過程。隨著市場的擴大,許多公司出現以幫助企業導航 FIPS-140 認證過程。此外,您必須與認證實驗室簽約以獲得認證。
雖然這曾經是一個相對小眾的主題,但現在已不再如此。其他行業——銀行、軍事、醫療保健、航空旅行等——已經採用了 FIPS 認證的加密產品。對這些服務的需求呈指數增長。然而,現有的技能池並未增長。許多人正在開發產品,但對於如何滿足這些標準並獲得認證,甚至是否適用於他們的產品,卻沒有任何可用的信息。
您將學到什麼
- 什麼是 FIPS-140?什麼是 SP800 標準?
- 什麼是認證?它的樣子是什麼?適合什麼用途?
- 什麼是 NIST?它的職能是什麼?
- 認證實驗室的職責是什麼?
- 認證顧問的職責是什麼?
- 在哪裡和何時需要認證?
- FIPS-140 模組的樣子是什麼?
- FIPS-140 模組的子組件(隨機數生成器 RNGs、物理不可複製函數 PUFs、加密功能)是什麼?它們的認證是如何運作的?
- 物理原語(隨機數生成器 RNGs、物理不可複製函數 PUFs、金鑰儲存)是什麼?如何處理在 FIPS 下認證它們的額外複雜性?
- 合規性算法(AES、SP800-90 算法、SHA、ECDSA、金鑰協商等)是什麼?
- 如何設計以符合認證(內建自我測試 BIST、啟動測試、安全邊界、測試訪問、零化等)?
- 如何獲得 CAVP 證書(認證機構、ACVTs)?
- 如何獲得 CMVP 認證(認證機構、所需文件、設計信息、安全政策等)?
本書適合誰閱讀
本書適合硬體和軟體工程師或包括任何形式加密功能的工程計畫經理,包括矽晶片供應商、函式庫供應商、作業系統供應商和系統整合商。
作者簡介
David Johnston is an engineer at Intel working on cryptographic hardware used in Intel CPUs and other silicon products. He has been directly involved in the development of the SP800-90 and FIPS140 standard revisions and is active in FIPS-related industry forums--he has several FIPS and CAVP certifications. David spent 30 years in various hardware and software roles and is the author of Random Number Generators, Principles and Practices.
Richard Fant performs security assessments for Intel products and platforms by evaluating the FIPS 140-3 compliance and design strategy for the FPGA Business Unit (Programmable Solution Group). He also helps lead the Intel FIPS CoE (Center of Excellence) across other Intel business units. Richard has two bachelor's degrees from the University of Texas: (Computer Science and Mathematics) as well as a master's degree in Cybersecurity from Syracuse University. He has worked in the semiconductor industry for 20+ years for companies such as Motorola, AMD, and Intel. He also worked at Atsec Information Security performing FIPS evaluations for various semiconductor manufacturers.
In his free time, Richard likes to engage in his other passions: half-marathons and travel. To date, he has run a half-marathon on every continent except Antarctica. While visiting those faraway places, he frequently enjoys testing the laws of entropy at the casinos located there. He has lived in Austin, Texas his entire life and yet has racked up over 2 million frequent flyer miles from traveling about the world for work and fun.
作者簡介(中文翻譯)
大衛·約翰斯頓是英特爾的一名工程師,專注於用於英特爾 CPU 和其他矽產品的加密硬體。他直接參與了 SP800-90 和 FIPS140 標準修訂的開發,並活躍於與 FIPS 相關的行業論壇——他擁有多項 FIPS 和 CAVP 認證。大衛在各種硬體和軟體角色中工作了 30 年,並且是《隨機數生成器:原則與實踐》的作者。
理查德·范特負責對英特爾產品和平台進行安全評估,通過評估 FPGA 事業部(可編程解決方案組)的 FIPS 140-3 合規性和設計策略來進行評估。他還協助領導英特爾 FIPS 卓越中心(Center of Excellence),跨越其他英特爾事業部。理查德擁有德克薩斯大學的兩個學士學位(計算機科學和數學),以及雪城大學的網絡安全碩士學位。他在半導體行業工作了 20 多年,曾在摩托羅拉、AMD 和英特爾等公司任職。他還曾在 Atsec 信息安全工作,為各種半導體製造商進行 FIPS 評估。
在空閒時間,理查德喜歡參加其他熱情的活動:半程馬拉松和旅行。到目前為止,他已經在除了南極洲以外的每個大陸上跑過半程馬拉松。在造訪那些遙遠的地方時,他經常享受在那裡的賭場測試熵的法則。他一生都住在德克薩斯州的奧斯丁,卻因為工作和娛樂而累積了超過 200 萬的飛行里程。
