FIPS 140-3: Testing of crypto modules and crypto algorithms

Your crypto product tested according to FIPS 140-3

If you want to sell products with encryption components in the USA, you generally need a FIPS 140-3 certification. The certificate attests that a cryptographic module meets specific security requirements and has been tested for compliance by an independent third party.

Our experts test your cryptographic algorithms and cryptographic modules in accordance with the international standard FIPS 140-3. Our test laboratory is the only one in Germany that is approved by the National Institute of Standards and Technology (NIST, USA) for testing and validation in accordance with FIPS PUB 140-3.

Fulfillment of the requirements for cryptographic modules

An independent validation according to FIPS 140-3 shows that your product fulfills the special requirements for cryptographic modules.

Increased trust & competitive advantages

With a validation, you prove that you meet the mandatory requirements for processing sensitive but unclassified (SBU) information.

Demonstration of your commitment to cyber security

You demonstrate your commitment to cyber security and your ability to support customers in ensuring a high level of system security.

Free White Paper FIPS 140-3

Contents of the free white paper: 

  • What is FIPS 140-3?
  • Security levels according to FIPS 140-3 
  • Differences between FIPS 140-2 & FIPS 140-3
  • The importance of FIPS 140-3 for cyber security
  • Certification programs at a glance
  • TÜVIT services regarding FIPS 140-3
  • Six steps to the FIPS certificate
  • Optimal preparation for a FIPS 140-3 validation

What is FIPS 140-3?

FIPS (Federal Information Processing Standard) 140-3 is a standard developed by the US National Institute of Standards and Technology (NIST) that defines the basic requirements for cryptographic products.

It is mandatory for all US federal organizations and authorities that use cryptography-based security systems to protect sensitive data. Therefore, the standard should already be used as a basis for the development and implementation of cryptographic modules.

FIPS 140-3 has become a worldwide de facto standard and is used in various industries, such as the financial sector or healthcare. The standard contains 4 qualitatively increasing security levels that cover a wide range of possible applications and environments.

The 4 security levels according to FIPS 140-3:

Level 1

Use & correct implementation of at least one approved encryption algorithm

Basic security requirements at the firmware or software level to prevent unauthorized access

Level 2

Requirements from Level 1

+ Use of role-based authentication

+ Implementation of physical security mechanisms

+ Use of a mechanism for detecting manipulation

Level 3

Requirements from Level 2

+ Use of identity-based authentication

+ Implementation of physical manipulation security & resistant housing/coating

+ Mechanism for detecting and reacting to voltage and temperature deviations

Level 4

Requirements from Level 3

+ Use of multi-factor authentication

+ Implementation of physical security mechanisms against the most sophisticated attacks

Your benefits at a glance

Independent proof of IT security
FIPS 140-3 certification proves that you take the cryptographic security standards seriously & fulfill them.

Compliance with legal requirements
With FIPS 140-3 certification, you fulfill the minimum requirements for cryptographic modules of the Information Technology Management Reform Act.

Access to the US & Canadian market
A FIPS 140-3 certificate is mandatory for many government applications in the US & Canada and beyond.

Identification of vulnerabilities
As part of an audit, you will uncover existing security gaps and optimization potential.

Protection of sensitive, unclassified information
You prove that you protect sensitive, unclassified information effectively.

Increased trust among users
A product tested for IT security leads to greater trust among users & competitive advantages.

Our services for FIPS 140-3

Workshop on pre-validation

■ Overview of the requirements & the process
■ Assessment of the readiness for certification
■ Identification of required module updates
■ Review of ESV requirements, if necessary

Validation testing of crypto algorithm implementations (CAVP)

■ Purely functional testing of your crypto implementation (only for "Approved Functions")
■ Coordination with CAVP (CAVP certificates are a precondition for full module validation)

Validation testing of cryptographic modules (CMVP)

■ Complete testing of functional requirements
■ Review of the documentation
■ Extensive testing of the source code
■ Physical testing (depending on module type & desired security level)
■ Coordination with CMVP

Entropy validation tests (ESV)

■ Testing of all types of entropy sources
  - NIST SP800-90B: Non-deterministic random bit generators (NRBGs)
■ Coordination with CMVP

Supplementary services

■ Gap analyses
■ Workshop on documentation
■ Support after validation
■ Maintenance of the certification

"FIPS Inside"

■ Verification of the use of a validated cryptographic module
■ Short-term validation of cryptographic modules (applicable if no additional security services are implemented & need to be validated)
■ Analysis of the fulfillment of requirements

The path to a FIPS certificate

1. Commissioning

You commission TÜVIT, an accredited test laboratory for Cryptographic & Security Testing, to carry out the testing according to FIPS 140-3.

2. Testing of the implementation

After you have provided us with the module to be tested, our experts carry out a conformity test & create a test report.

3. Review by CMVP

In the next step, we submit the test report and the other required documents to the CMVP, where they are assessed by assigned CMVP examiners.

4. Coordination between TÜVIT & CMVP

Our experts communicate with the CMVP & receive feedback on the test report.

5. Successful validation

Finally, the CMVP confirms the successful validation of your crypto module according to FIPS 140-3.

CMVP, CAVP & ESV at a glance

Cryptographic Module Validation Program (CMVP)

The CMVP provides certification through validation testing of functional requirements and manufacturer documentation, source code examination & testing, and, depending on the module type and desired security level, physical testing.

Five different module types can be certified as part of the program:

■ Hardware modules
■ Software modules
■ Firmware modules
■ Hybrid software modules
■ Hybrid firmware modules

Cryptographic Algorithm Validation Program (CAVP)

CAVP includes validation tests for approved (i.e. FIPS-approved and NIST-recommended) cryptographic algorithms and their individual components. CAVP can only be used for testing algorithms, but it is mandatory and the first step of a cryptographic module validation according to CMVP.

Entropy Source Validation (ESV)


Entropy source validation is a new area within the Cryptographic Module Validation Program provided by NIST. The test is required if a module has its own entropy source. 

Corresponding validation tests may only be carried out by NIST/NVLAP-accredited test laboratories such as TÜVIT.
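As an added illustration (not part of the TÜVIT page or its services) of what an SP 800-90B entropy assessment measures, the following Python computes the Most Common Value min-entropy estimate from SP 800-90B section 6.3.1 on a constructed sample set and checks it against a claimed min-entropy. The sample data and the claim thresholds are assumptions; a real ESV submission applies the full set of 90B estimators and restart tests, not only this one.

```python
import math
from collections import Counter

# Constructed sample (not real noise-source data): 200 outputs of a
# hypothetical 2-bit noise source (alphabet 0..3), skewed toward the value 1.
SAMPLES = [1, 1, 0, 1, 2, 1, 3, 1, 1, 0] * 20

# Z-score for the 99% upper confidence bound prescribed by SP 800-90B.
Z_ALPHA = 2.576


def most_common_value_estimate(samples):
    """Most Common Value estimator (SP 800-90B, section 6.3.1).

    Returns (p_u, min_entropy_per_sample), where p_u is the upper
    confidence bound on the probability of the most frequent value and
    min_entropy_per_sample is -log2(p_u).
    """
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    mode_count = Counter(samples).most_common(1)[0][1]
    p_hat = mode_count / n
    # Upper bound: p_hat + 2.576 * sqrt(p_hat * (1 - p_hat) / (L - 1)), capped at 1.
    p_u = min(1.0, p_hat + Z_ALPHA * math.sqrt(p_hat * (1 - p_hat) / (n - 1)))
    return p_u, -math.log2(p_u)


def meets_entropy_claim(samples, claimed_bits_per_sample):
    """True if the MCV estimate supports the vendor's claimed min-entropy."""
    _, h_est = most_common_value_estimate(samples)
    return h_est >= claimed_bits_per_sample


if __name__ == "__main__":
    p_u, h = most_common_value_estimate(SAMPLES)
    print(f"p_u = {p_u:.4f}, min-entropy = {h:.4f} bits/sample")
    print("claim of 0.5 bits/sample supported:", meets_entropy_claim(SAMPLES, 0.5))
    print("claim of 1.0 bits/sample supported:", meets_entropy_claim(SAMPLES, 1.0))
```

The skewed source above supports a claim of about 0.5 bits per 2-bit sample but not 1.0, which is the kind of gap an ESV review would flag against the vendor's stated entropy rate.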

Frequently asked questions (FAQ):

How long does a FIPS 140-3 certification take?

Depending on the security level (and the associated tests), module validation within the framework of CMVP usually takes 4-8 months before the report can be submitted to CMVP.

What is a module type?

The FIPS 140-3 standard defines 5 different module types that can be certified as part of the CMVP program: Hardware, software, firmware, hybrid software or hybrid firmware modules.

What is an Implementation Guidance (IG)?

An Implementation Guidance contains binding interpretations of the standard, the derived test requirements and the referenced cryptographic standards and must be taken into account by the provider.

What is an operating environment (OE)?

The OE is the set of software and hardware, including an operating system, which is required for the secure operation of the module.

What is a physical security component?

Physical security components are the physical forms in which cryptographic modules are realized. A single-chip module is a single integrated circuit used as a stand-alone device or embedded in a package or product that may not be physically protected. Examples include single IC chips or smart cards with a single IC chip.

Embedded multi-chip cryptographic modules are physical components where two or more IC chips are interconnected and embedded in a housing or product that may not be physically protected. Examples include adapters and expansion cards.

Stand-alone multi-chip cryptographic modules are physical components where two or more IC chips are interconnected and the entire package is physically protected. Examples include encrypted routers, secure radios or USB tokens.


Why we are a strong partner for you

Independence

Our employees are not subject to any conflicts of interest, as they are not committed to any product suppliers, system integrators, stakeholders, interest groups or government agencies.

Expertise

The TÜVIT test laboratory is the only one in Germany that is approved by the National Institute of Standards and Technology (NIST, USA) for testing and validation in accordance with FIPS PUB 140-3.

International network of experts

Around the globe: We support you both nationally and internationally. Our global network of experts is ready to help you in word and deed in all IT security issues.

Industry experience

Due to many years of experience in different branches of industry we can serve companies from a wide range of industries.

Tailor-made for you

We focus on individual services and solutions that optimally fit your current company situation and your set goals.
