FIPS 140 is an standard for processing, issued by NIST CSRC.
Description of FIPS 140
Within the NIST, there is the Computer Security Resource Center (CSRC).
There is a series of publications issued by NIST CSRC that is called Federal Information Processing Standard (FIPS). You can check the full list of FIPS series publications on this link.
FIPS 140 series has the title “Security Requirements for Cryptographic Modules”. There are different version of this publication; as of October 2022, the latest is FIPS 140-3, that supersedes FIPS 140-2.
There are validation certificates for FIPS 140.
There are different versions. As of 2024, latest is FIPS 140-3.
FIPS 140-2
FIPS 140-2 Levels
From lowest to highest:
- FIPS 140-2 Level 1. Level 1 has the simplest requirements. It requires production-grade equipment, and atleast one tested encryption algorithm. This must be a working encryption algorithm, not one that has not been authorized for use.
- FIPS 140-2 Level 2. Level 2 raises the bar slightly, requiring all of level 1’s requirements along with role-based authentication and tamper evident physical devices to be used. It should also be run on an Operating System that has been approved by Common Criteria at EAL2.
- FIPS 140-2 Level 3. FIPS 140-2 level 3 is the level the majority of organizations comply with, as it is secure, but not made difficult to use because of that security. This level takes all of level 2’s requirements and adds tamper-resistant devices, a separation of the logical and physical interfaces that have “critical security parameters” enter or leave the system, and identity-based authentication. Private keys leaving or entering the system must also be encrypted before they can be moved to or from the system.
- FIPS 140-2 Level 4. The most secure level of FIPS 140-2 uses the same requirements of level 3 and desires that the compliant device be able to be tamper-active and that the contents of the device be able to be erased if certain environmental attacks are detected. Another focus of FIPS 140-2 level 4 is that the Operating Systems being used by the cryptographic module must be more secure than earlier levels. If multiple users are using a system, the OS is held to an even higher standard.