NIST began the process to define and adopt FIPS 140-3 over 10 years ago yet there are no products certified for FIPS 140-3. Read on to find out why.
For more than 20 years, the FIPS 140-2 (Security Requirements for Cryptographic Modules) standard from NIST (the National Institute for Standards and Technology) has been the critical set of requirements for safe and effective cryptographic code. It was created to be a standard for applications used by the US government but other governments and private parties have also adopted it. If you want to do business with these entities, any cryptographic code in your products must conform to the specification.
FIPS 140-2 defines four levels of security. Level 1, the simplest, requires software to support encryption algorithms approved in the FIPS 140-2 specification. At this level, the “module” can be a pure software product. Levels 2, 3, and 4 describe increasing levels of required protection against tampering with hardware modules.
A vendor can get a cryptographic module certified as FIPS-compliant by submitting it for testing in an accredited Cryptographic Module Testing laboratory. If the module is found to be compliant, the vendor will be issued a certificate, and the module will be added to a list of FIPS validated modules maintained by NIST.
NIST began the process to define FIPS 140-3 more than a decade ago, but the standard wasn’t formally published until March 22, 2019. This was the plan for migration from 140-2 to 140-3:
In four short years, all FIPS 140-2 product validations will expire. It's been a while since test labs have accepted products for FIPS 140-2 validation in the Cryptographic Module Validation Program (CMVP).
It would seem that FIPS 140-3 is where the action is at now.
How is FIPS 140-3 different?
The new version attempts to synch up with ISO standards on the same subject:
- ISO/IEC 19790:2012 - Security requirements for cryptographic modules
- ISO/IEC 24759:2017 - Test requirements for cryptographic modules
NIST has, in effect, adopted these ISO standards. The FIPS 140-3 documentation only specified the areas where the standard differs from the ISO spec. As with all ISO specifications, the documents are not free, costing 178 and 198 Swiss Francs.
The differences between FIPS 140-3 and the ISO spec, as well as in comparison with 140-2, seem to focus mostly on hardware modules at levels 2-4. This description of the differences from Thales does a good job. Some of what Thales calls the “more interesting changes” include:
- Modules must perform added internal integrity checks
- They must output a product name and identifier
- There are new requirements for zeroing keys (“Zeroing keys” refers to the module setting specific internal values to zero at certain points so that it executes from a known state and prevents old keys from leaking.)
3 at last?
Should you start relying on FIPS 140-3 now? The truth is you can't. FIPS 140-3 is well behind schedule.
Based on the schedule, they should have been testing products for FIPS 140-3 for almost two years, but if you search on the NIST site for modules validated for FIPS 140-3, the result is "No certificates match the search criteria."
This wasn't the plan, but something threw a monkey wrench into the validation works to the point that it can take well over a year to get final validation. A search on the site for modules validated for FIPS 140-2 shows there are many recent results, including validations for Microsoft and Cisco on August 15, 2022. Even these new validations are officially good only until September 22, 2026.
This, in spite of the fact that the CMVP was supposed to accept FIPS 140-3 submissions on September 22, 2020.
The imperative to use FIPS-compliant technology is as strong as it ever was, and FIPS 140-2 certified technology is still certified through September 22, 2026. We know from others in the industry that there are many 140-3 tests in the pipeline, but it could be 2024 before we see many of them. If the backlog doesn’t get cleared out, don’t be surprised if the 2026 expiration date gets extended.