The Green Sheet

Friday, September 15, 2017

Trustonic receives FIPS 140-2 certification

The National Institute of Standards and Technology certified Trustonic's cryptographic library Sept. 11, 2017, verifying that Trustonic hardware and software modules comply with Federal Information Processing Standard (FIPS) 140-2. The certification further validates the rigorous security and best practices used in Trustonic's app development platform, according to company representatives. George Kanuck, Trustonic Senior Vice President of Sales and Marketing, said the certification will help protect increasingly diverse government ecosystems.

"As BYOD initiatives expand, devices such as smartphones and tablets are being used to access and share government information," he stated. "Keeping this data secure presents challenges, especially if employees are able to use their own devices. Now, service providers using Trustonic's FIPS-certified crypto library can be sure that their apps are protected by the highest levels of hardware security. This enables them to work with government agencies and organizations, whose security requirements are, necessarily, strict."

Evolving compliance standards

NIST was established in 1901 and is a measurement standards agency and division of the U.S. Dept. of Commerce. NIST introduced the FIPS 140-2 standard in November 2001. It specifies how to collect, store, transfer, share and disseminate sensitive information. During the FIPS 140-2 certification process, cryptographic devices and software are rated in 11 design and performance criteria. "For each area, a cryptographic module receives a security level rating (1 ‒ 4, from lowest to highest) depending on what requirements are met," NIST noted. Each individual rating and an overall rating are then included in the validation certificate.

A cryptographic module's overall rating is not always the most important rating, the NIST website stated. "The rating of an individual area may be more important than the overall rating, depending on the environment in which the cryptographic module will be implemented (this includes understanding what risks the cryptographic module is intended to address)," the authors wrote.

Trusted Execution Environment

Trustonic's trusted execution environment (TEE) is a two-pronged security technology designed to protect against unauthorized access to software by separating trusted applications from normal device operating systems. A Root of Trust, embedded in devices, authenticates a trusted device and enables it to enter a network. Once in the network, the device will operate in a TEE where it can securely process and store data, while managing an array of peripherals to further protect against fraudulent use. Trustonic representatives said its TEE is currently installed in more than a billion devices worldwide.

"If you have ever used a payment method on your phone, the TEE enables the transaction to take place in a secure area," Kanuck said. "Third-party apps, like secure messaging, can be provisioned after the handset or device has been deployed, which means that they, too, can benefit from secure isolation. This certification demonstrates our commitment to ensuring the highest levels of security for governments and enterprises across all devices and services."

Trustonic, established in 2012, is a strategic partnership between ARM Ltd. and Gemalto designed to protect, enrich and simplify digital lives by improving security on connected devices, services and applications. Trustonic noted that its hardware modules are used by Samsung, vivo, OPPO, Xiaomi, LG, Meizu and Gionee, and its underpinning technologies are part of Samsung Knox, Samsung Pay, Alipay and Symantec VIP processing platforms.
