U.S. Federal Government

FIPS 140-3

FIPS 140-3 will soon replace FIPS 140-2 as the standard NIST uses to validate cryptographic libraries. The standard is still in draft status, but could be issued in 2011.

FIPS 140-2 has four levels of security: most cryptographic software uses “Level 1” and most cryptographic hardware uses “Level 3”.  FIPS 140-3 expands that to five levels, but the minimum (and thus most common) levels for software and hardware will likely remain Levels 1 and 3, respectively.

FIPS 140-2

FIPS 140-2 is the most commonly referenced cryptography standard published by NIST.  “FIPS 140-2 cryptography” is a phrase used to indicate that NIST has tested a particular cryptography implementation and found that it meets FIPS 140-2 requirements.

Among other things, FIPS 140-2 specifies which encryption algorithms (AES and Triple DES), minimum bit lengths, hash algorithms (SHA-1 and SHA-2) and key negotiation standards are allowed in U.S. federal applications.  (Canada also uses this standard for its federal standard – that is why the official FIPS 140-2 validation symbol is a garish mashup of the American blue/white stars and the Canadian red/white maple leaf.)

Almost all modern cryptographic modules, whether built in hardware or software, have been FIPS 140-2 validated.  High quality software implementations are also an integrated component of most modern computing platforms, including operating systems from Microsoft, Java runtime environments from Oracle and the ubiquitous OpenSSL library.

Almost all file transfer applications that claim “FIPS validated cryptography” make use of one or more FIPS validated cryptographic libraries, but are not themselves entirely qualified under FIPS.  This is not, by itself, a security problem: FIPS 140 has a narrow focus and other validation programs are available to cover entire applications.

FIPS 140-2 will soon be replaced by FIPS 140-3, but implementations validated under FIPS 140-2 will likely be allowed for some period of time.

FIPS Validated

“FIPS validated” is a label that indicates that the cryptography used in a particular solution implements some or all the algorithms specified in FIPS 140-2 (e.g., AES) and that the underlying cryptography component has been validated by NIST laboratories.  See “FIPS compliant” for a weaker statement.

FIPS Compliant

“FIPS compliant” is a slippery phrase that often indicates that the cryptography used in a particular solution implements some or all the algorithms specified in FIPS 140-2 (e.g., AES) but that the underlying cryptography component has not been validated by NIST laboratories.
FIPS validated” is much stronger statement.

Event Log Analyzer by SolarWinds