What Does the FIPS 140-3 Standard Mean for Crypto Security?

One of the key barriers to wide-scale adoption of cryptocurrency is security, which is why we created the first offchain title registry for protecting your assets. Another vulnerability is the security of your crypto across systems and algorithms. Federal Information Processing Standard (FIPS) 140-3 aims to resolve that issue. Find out what FIPS 140-3 is intended to standardize and what it means for your cryptocurrency assets.

What Is the FIPS 140-3 Standard?

The FIPS 140-3 standard was introduced in 2019 by the National Institute of Standards and Technology (NIST). The aim was to establish a minimum standard for operating cryptography systems in federal government agencies, but the standard also extends to any regulated sector, such as legal, finance and healthcare. In a nutshell, FIPS 140-3 allows federal agencies to validate cryptography modules by name, hardware, software and firmware. Any vendors who offer cryptography modules used by federal agencies or their partners must comply with the FIPS 140-3 standard.

FIPS 140-3 in Simple Terms

When plain text is turned into encrypted data, it needs to be protected by an encryption system. That establishes the need for an encryption system and algorithm validation standard. The one used by the U.S. federal government is FIPS. Without it, federal government agencies would not be able to share encrypted data with third parties, and hackers or foreign intelligence agencies would target any private contractors in the supply chain. 

The overarching purpose of FIPS 140-3 is to secure systems by preventing intrusion, authenticating user identity, and keeping a physical separation between input and output ports. The robustness of a system is measured according to four levels of security (lowest to highest): 

  • Level 1: Production-grade equipment and externally tested algorithms must be used.
  • Level 2: Hardware must carry physical tamper-evidence and role-based authentication. The software operating system must be from an approved list.
  • Level 3: Hardware must carry physical tamper-resistance and identity-based authentication. Private keys entering or leaving the system must be encrypted.
  • Level 4: Hardware must be tamper-active.

As long as the above criteria are met, cryptographic modules can be executed on a general-purpose PC. A cryptographic module is the combination of hardware and software that supports security in a computer system and authenticates the identity of a user.

The Purpose of Crypto Security with FIPS 140-3

FIPS 140-3 is a long-awaited upgrade of FIPS standard 140-2, which dates back to 2001. The primary purpose of the standard is to keep cryptographic modules secure and to provide a level of standardization internationally. FIPS 140-3 now aligns with ISO/IEC standards, specifically:

Relevance to Cryptocurrency

Technology programs for use in government or regulated industries must have FIPS validation from an approved laboratory. Indeed, any organization that processes Sensitive But Unclassified (SBU) data relating to federal government departments must be validated or risk potentially heavy fines. So if you’re a third-party vendor or cloud technology provider, compliance is mandatory. And if you’re choosing a vendor for your key encryption and digital identity protection with crypto title registry, FIPS 140-3 compliance is the minimum requirement and proof that the solution has met the highest current regulatory standards in the U.S. 
