FIPS 140-3, the new standard for cryptographic modules

Blog | 28 Oct 2020 | Posted by: Juan Martínez

The new cyber security standard for cryptographic modules, FIPS 140-3, is just around the corner. The CMVP already accepts test reports based on FIPS 140-3, so for the next 12 months (until September 2021) vendors can have their technology tested against either FIPS 140-2 or FIPS 140-3.

This leaves a transition window in which products currently being certified under FIPS 140-2 can complete their certification against that standard. Manufacturers considering certification in the coming months, however, are advised to test against FIPS 140-3, since it will be the standard the market demands.

FIPS 140-2 vs FIPS 140-3: the main differences

Although some requirements are similar, there are considerable differences between the two standards, which we summarise below:

  • While a FIPS 140-2 cryptographic module can operate in either an approved or a non-approved mode (commonly called FIPS and non-FIPS mode), a FIPS 140-3 module operates in normal mode, performing NIST-approved cryptographic functionality, or in "degraded" mode, in which the module continues to operate with a subset of its cryptographic functionality after reaching an error state.

  • Regarding interfaces, FIPS 140-3 defines a new "Control Output interface" for sending commands to other cryptographic modules, and it also requires a "Trusted channel" at level 3 (together with identity-based authentication) and at level 4 (together with multi-factor identity-based authentication).

  • In the services section, the main changes are the definition of a new service that must report the module version information, and the definition of specific requirements for loading firmware updates.

  • For authentication, the changes apply to SL2 and above: the standard defines the mechanisms to be used at each level and the requirements each chosen mechanism must meet, bearing in mind, as mentioned above, that SL4 requires multi-factor identity-based authentication.

  • The physical security requirements have not changed greatly, except for the need to use numbered or holographically identified anti-tamper seals at SL3 and the need to incorporate protection measures against fault induction.

  • The module must also be able to mitigate non-invasive attacks; these have not yet been defined and will be listed in Annex F of the standard.

  • In the self-tests section, it is important to note that the known-answer tests for each cryptographic function no longer need to run during the pre-operational self-tests (formerly the power-up self-tests); they are now part of the conditional self-tests. It is also worth highlighting the requirement to implement an error log that retains at least the last known error for modules at SL3 or higher.
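As an added illustration (not code from jtsec or from the standard itself), this Python model combines the degraded-mode and self-test points above: the pre-operational self-test covers only the firmware integrity check, each algorithm's known-answer test runs conditionally before its first use, and a failed test sends the module to an error state from which an SL3+ module retains the error in its log and, if the design allows it, continues in degraded mode with that algorithm disabled. The state names, the toy firmware image and the level threshold for the log are assumptions made for the example.

```python
import hashlib

# Constructed stand-in for the firmware image and the digest embedded at build time.
FIRMWARE = b"example-module-firmware-v1"
FIRMWARE_DIGEST = hashlib.sha256(FIRMWARE).hexdigest()

# Known-answer vectors: the published digests of the message "abc".
KATS = {"SHA-256": (b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
        "SHA-1": (b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d")}
APPROVED = {"SHA-256": lambda m: hashlib.sha256(m).hexdigest(),
            "SHA-1": lambda m: hashlib.sha1(m).hexdigest()}

class Module:
    """Toy module state machine: PRE_OPERATIONAL -> NORMAL -> DEGRADED/ERROR (assumed names)."""
    def __init__(self, impls=APPROVED, firmware=FIRMWARE, level=3, allow_degraded=True):
        self.impls, self.firmware, self.level = impls, firmware, level
        self.allow_degraded = allow_degraded
        self.state, self.tested, self.disabled = "PRE_OPERATIONAL", set(), set()
        self.error_log = []  # SL3+ must retain at least the last known error

    def _fail(self, msg):
        if self.level >= 3:
            self.error_log.append(msg)
        self.state = "ERROR"

    def power_up(self):
        """Pre-operational self-test: only the firmware integrity check remains here."""
        if hashlib.sha256(self.firmware).hexdigest() != FIRMWARE_DIGEST:
            self._fail("integrity test failed")
        else:
            self.state = "NORMAL"
        return self.state

    def invoke(self, alg, data):
        """Approved service; the algorithm's KAT runs once, conditionally, before first use."""
        if self.state in ("PRE_OPERATIONAL", "ERROR") or alg in self.disabled:
            raise RuntimeError(f"{alg} not available in state {self.state}")
        if alg not in self.tested:  # conditional cryptographic algorithm self-test
            msg, expected = KATS[alg]
            if self.impls[alg](msg) != expected:
                self._fail(f"KAT failed for {alg}")
                if self.allow_degraded:  # keep running with a subset of the services
                    self.disabled.add(alg)
                    self.state = "DEGRADED"
                raise RuntimeError(f"KAT failed for {alg}")
            self.tested.add(alg)
        return self.impls[alg](data)

    def last_error(self):
        return self.error_log[-1] if self.error_log else None
```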

FIPS 140-3 consulting and practical workshop

Given the current circumstances and the impossibility of offering the practical workshops in person, at jtsec we continue to provide our consulting service online.

Our FIPS 140-3 experts have already carried out several consulting projects in which the client receives online training that explains the consulting process and the steps it involves.

In this way we provide the essential material for the client to understand the scope of the project, its duration and its difficulty, and we answer any questions as they arise. This makes the first contact with FIPS 140-3 consultancy much closer and easier to understand.

If you still have doubts about the new certification standard for FIPS 140-3 cryptographic modules, we will be happy to answer all your questions.

Juan Martínez, Senior consultant

Telecommunication Engineer and Master in Cybersecurity from the University of Granada. Working as a cybersecurity consultant at jtsec since July 2017 on projects related to Common Criteria, LINCE certification, FIPS 140-2, FIPS 140-3 and PCI-PTS standards.

Although his main activity is focused on consultancy, he has also participated in projects as an evaluator in LINCE certifications and as a hardware security analyst, drawing on the hardware experience he gained during his university years by taking part in the third and fourth editions of the “Desafío Tecnológico UGR” university challenge, where he won the third and first prizes respectively.

Juan is part of the first group of students awarded the CryptoCert Certified Crypto Analyst certification, whose quality, relevance and usefulness are recognized by the Spanish National Cryptologic Center.

His main motivation is to keep improving his cybersecurity skills in order to take an active part in protecting user data and to help companies achieve their product certifications.
