What is the difference between FIPS 140 and the Common Criteria for cryptographic functions?
FIPS 140 is concerned with testing a cryptographic module against specific standards for cryptographic functions, using approved cryptographic algorithms. Common Criteria is a more general IT security standard for evaluating security functionality which may include cryptographic functions, but not to the level of detail called for in the FIPS 140 standard. The Common Criteria examines whether or not the general cryptographic functions perform as claimed by the vendor, where the FIPS 140 standard requires a cryptographic module to implement algorithms, key management and cryptographic self-testing (to give some examples) in a very specific manner. Products with significant cryptographic functionality may be evaluated under the Common Criteria for overall security functionality, and may also have their cryptographic modules certified under FIPS 140 (or the UK’s CAPS, or the Australian CAN – which ever is appropriate).
