FIPS 140-3

FIPS (Federal Information Processing Standard) 140-3 is a standard established by the United States government for encryption and security requirements in the design of computer products intended to process sensitive, but not confidential, data.

This standard aims to ensure that products implement sound security practices, namely strong and approved encryption methods and algorithms. It also specifies how to authorise people and processes to use the product and how to design modules and components to secure their interaction with other systems.

If you want to market your products in the US, you must demonstrate that they offer the right level of security. To do this, you must use a trusted third party who can provide the necessary proof of FIPS 140-3 certification.

The FIPS 140-3 standard defines four levels of security. Each product is certified for a specific security level indicated on the FIPS 140-3 certificate attached to it.

Level 1, which is usually assigned to products that perform pure software encryption, has very limited security requirements. The product must consist exclusively of components suitable for a production environment and offer protection against the most obvious security vulnerabilities.

Level 2 requires role-based authentication (authentication of individual users is not required). It also requires the ability to detect physical tampering, by means of physical locks or seals that make tampering evident.

Level 3 includes resistance to physical manipulation by disassembly or modification, to make hacking extremely difficult. In the event of tampering, the device must be able to clear its security-critical settings. Level 3 also requires key management and robust cryptographic protection, identity-based authentication, and physical or logical separation of input and output interfaces for critical security parameters.

Level 4 requires advanced protection against tampering. It is designed for products operating in physically unprotected environments.

SERMA Safety and Security’s security laboratory performs FIPS 140 test evaluations accredited by NVLAP (Lab Code 200977-0) and recognised by the Cryptographic Module Validation Program (CMVP) to perform level 1 to 4 validations since 2016.

The team consists of a group of cryptanalysts as well as software and hardware experts with many years of experience in security validations. Within an ITSEF structure, our laboratory is highly secured by strict standards and procedures, so your information is safe with us.

We use the Automated Cryptographic Validation Program (ACVP), either independently or as part of a CMVP validation.

We also perform entropy evaluation (SP800-90B-ESV Submissions) independently, with experts and cryptanalysts specifically dedicated to this area.

Our services cover your project from its beginning through to its validation:

  • On-site or remote workshop to identify gaps in your product with respect to FIPS 140-3,
  • FIPS 140-3 training for your experts and designers (cryptography, software, hardware),
  • Preliminary evaluation,
  • Evaluation of entropy (alone or as part of a module),
  • Testing of cryptographic algorithms using the NIST automated cryptographic validation protocol,
  • FIPS 140-3 validations (design, code review, LCA, hardware tests, entropy assessment, operational tests, etc.).