Comment: A major factor is in how you use it (Score 1)

Regardless of the system, the security is largely based on how it is used.

You could use a "bullet-proof" cryptosystem, but if it is used incorrectly it won't help anything.

Now for the question on FIPS versus OSS, I would say it doesn't really matter from my understanding of your situation. I know a little about encryption schemes.

FIPS 140-2, the main security publication for cryptographic modules, requires tested and PUBLICLY known cryptosystems, which include Triple DES and AES. There is no reason in my mind to use OSS over FIPS just because the source code is available for OSS. Any cryptosystem used by a FIPS-approved system is open and very well known. And you can easily read the FIPS publications for yourself to see what is being used, since they are all public (although a good understanding of the subject is suggested, since they are not easy reads). Also, the use of any FIPS-approved system should describe what they are using; lots of documentation is required for approval.

As long as good cryptosystems are being used (like those suggested by FIPS) you should be fine. It doesn't matter if it's FIPS compliant or not... in theory, if the cryptosystem is implemented correctly, then you should be safe. However, as I mentioned earlier, you have to use them correctly.

Also, for FIPS 140-2, other factors are included for the cryptographic modules that may add extra things that you don't really need to worry about: things like roles, self-tests, and hardware requirements like the use of "opaque tamper-evident encapsulating material." I don't believe you need these requirements.

The only reason that I can see to use FIPS over OSS is if you need to work with the government in some secure way (like storing or transmitting sensitive material). From a marketing standpoint, it might be nice to say you are using a FIPS-approved system, but as long as you say something like "We are using an AES symmetric-key cryptosystem for disk encryption," it should be fine enough. Anyone that knows what you are talking about will understand and realize it is secure regardless of being FIPS approved.
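The comment's central point, that an approved algorithm protects nothing if it is used incorrectly, is easy to show concretely with AES-GCM, which is FIPS approved and present in the Go standard library. The example below is added here and is not code from the commenter or from any FIPS-validated module; the key and nonce values are constructed demo values, and the function names are my own. Reusing a nonce under one key turns GCM's CTR keystream into a one-time pad used twice, so the XOR of two ciphertexts equals the XOR of the two plaintexts, and anyone who knows one message reads the other with no key at all. The same algorithm used with a fresh random nonce per message, and with the tag checked on decryption, has neither problem.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// demoKey is a constructed 32-byte AES-256 key for the example only.
// A real key comes from a KDF, a key file with tight permissions, or an HSM.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// sealWithNonce runs AES-256-GCM with a caller-chosen nonce. GCM is only
// secure if a (key, nonce) pair is never used for two different messages.
func sealWithNonce(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, nonce, plaintext, nil), nil
}

// xorBytes returns a XOR b for two equal-length slices.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// KeystreamReuseLeak is the misuse: two messages sealed under the same key
// and the same hard-coded nonce. Because GCM encrypts with AES-CTR, the
// keystream cancels out and ct1 XOR ct2 == pt1 XOR pt2. It returns both
// XORs so a caller can confirm the leak without knowing the key.
func KeystreamReuseLeak(key, pt1, pt2 []byte) (ctXor, ptXor []byte, err error) {
	if len(pt1) != len(pt2) {
		return nil, nil, errors.New("demo expects equal-length plaintexts")
	}
	fixedNonce := []byte("same-nonce!!") // 12 bytes, reused on purpose: this is the bug
	ct1, err := sealWithNonce(key, fixedNonce, pt1)
	if err != nil {
		return nil, nil, err
	}
	ct2, err := sealWithNonce(key, fixedNonce, pt2)
	if err != nil {
		return nil, nil, err
	}
	n := len(pt1) // the trailing 16 bytes of each ciphertext are the GCM tag
	return xorBytes(ct1[:n], ct2[:n]), xorBytes(pt1, pt2), nil
}

// Encrypt is the correct usage: a fresh random 96-bit nonce for every
// message, prepended to the ciphertext so the receiver can find it.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt splits off the nonce and opens the message. Any change to the
// nonce, ciphertext or tag makes Open return an error instead of garbage.
func Decrypt(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(msg) < ns+gcm.Overhead() {
		return nil, errors.New("message too short to contain nonce and tag")
	}
	return gcm.Open(nil, msg[:ns], msg[ns:], nil)
}

func main() {
	pt1 := []byte("attack at dawn!!") // constructed 16-byte demo messages
	pt2 := []byte("retreat at noon!")

	ctXor, ptXor, _ := KeystreamReuseLeak(demoKey, pt1, pt2)
	fmt.Println("nonce reuse leaks pt1 XOR pt2:", bytes.Equal(ctXor, ptXor))

	msg, _ := Encrypt(demoKey, pt1)
	msg[len(msg)-1] ^= 0x01 // flip one bit of the tag
	_, err := Decrypt(demoKey, msg)
	fmt.Println("tampered message rejected:", err != nil)
}
```

The misuse is not exotic: a fixed IV in a config file, a counter that resets on reboot, or a random nonce drawn from a non-cryptographic generator all produce the same keystream reuse, and neither the FIPS approval of AES nor the openness of the source changes that outcome.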
