Why FIPS 140-3 Matters for Cryptography and Digital Identity Security

Cryptography is all about securing communications. Authentication, key exchange, token signing, digital signatures, zero-knowledge proofs, and so much more depend on cryptographic algorithms that no mere mortal (by which I mean me) will ever understand. The good news is that mere mortals do not need to understand these algorithms. Governments have the resources to truly dig into these algorithms and determine whether they are as secure and effective as intended. In the U.S., something called FIPS 140 sits at the heart of determining whether a cryptographic module—the actual hardware or software implementing these algorithms—is secure enough.

FIPS 140-3 is the latest iteration of the U.S. Federal Information Processing Standard (FIPS) that specifies the security requirements for cryptographic modules used by federal agencies and other organizations to protect sensitive information. If you have a cybersecurity company that does business with the U.S. Government, then you care about FIPS 140-3. If you don’t have a cybersecurity company but buy cybersecurity tools, knowing that the cryptographic modules they use to secure your data meet the FIPS 140-3 standards is a Very Good Thing.

If you aren’t involved in tech purchasing decisions for your company, this post will serve as interesting trivia for you to wow your geeky friends with over beverages. Apologies in advance for all the acronyms; they can’t be avoided if you’re in the world of tech.

Definitions

First, let’s get a few definitions out there:

  1. Cryptography: Refers to the broader field of securing communications through mathematical techniques.
  2. Cryptographic Algorithm: A specific method or procedure, like AES or RSA, used within the field of cryptography to encrypt or decrypt data, sign messages, or generate keys.
  3. Cryptographic Module: A hardware or software component that implements cryptographic algorithms and provides secure services like encryption, decryption, authentication, or key management.

FIPS 140

The first FIPS 140 was published thirty years ago (where has time gone???). The U.S. federal government realized it needed to get a handle on how the government as a whole should use cryptographic modules in its technology. Prior to that, it was something of a free-for-all. Each agency made its own decisions based on whatever information and staff it had on hand. Not great.

The best thing about version 1 of anything is that it suddenly sparks all SORTS of discussion. There are new requirements, positive and negative feedback, and a desire to improve. That resulted in FIPS 140-2, published over 20 years ago in 2001. (I’m still feeling old here.) FIPS 140-2 provided clearer definitions and more detailed requirements. Just as well, since the science of cryptography had advanced and new cryptographic algorithms needed to be considered.

The U.S. Government obviously isn’t the only entity out there working out the best way to evaluate cryptographic algorithms. That’s where the International Organization for Standardization (ISO) came in. In 2012, ISO published ISO/IEC 19790:2012, “Information technology — Security techniques — Security requirements for cryptographic modules.” The U.S. National Institute of Standards and Technology (NIST) was a member of the team making that global standard. As it came time to yet again refresh FIPS 140, it made sense to point it to ISO/IEC 19790:2012. That’s now FIPS 140-3.

Cryptographic Module Validation Program (CMVP)

So now there’s a standard, updated over time, that says, “Here are the requirements for cryptographic modules to be used by the federal government.” Great! How does the government ensure that those modules meet those requirements? That’s where the Cryptographic Module Validation Program (CMVP) comes in.

The CMVP is a joint effort between NIST and the Canadian Centre for Cyber Security. It provides guidelines for accredited laboratories, called Cryptographic and Security Testing Laboratories (CSTLs). Working from those guidelines, a laboratory verifies that a cryptographic module submitted by a vendor satisfies the requirements. The CSTL’s findings are submitted back to the program. If everything is copacetic, the module is added to the list of modules federal agencies can accept in their tools and services.

FIPS 140, the CMVP, and Digital Identity

So, how does this all tie into the world of digital identity? I have a list!

There are two things in particular to remember. First, of course, is noting that cryptography is used in a variety of ways when it comes to digital identity. Encrypting tokens, signatures, keys, and more is a fundamental necessity. Second, the federal government spends a mind-boggling amount on cybersecurity. This means their requirements for cybersecurity—such as the cryptographic modules used in the tools and services they purchase—influence almost everything in the cybersecurity industry. While following the FIPS 140 guidelines is only _required_ for federal agencies, in practice, its reach is much broader.

Given those points, FIPS 140-3 helps lay the groundwork for secure digital identity by ensuring that the cryptographic modules used are not just good, but government-approved good. And if that isn’t enough, given that FIPS 140-3 now basically points to an internationally developed standard in the form of ISO/IEC 19790:2012, then you’re talking about something that has achieved consensus on a global scale. That’s a level of assurance that goes beyond just checking a box. It’s knowing that the systems managing your identity are backed by some of the best cryptographic practices in the world.

Wrap Up

As a regular consumer, you really don’t need to know about FIPS 140 and its associated validation program. As a cybersecurity practitioner, you should at least be aware that it exists and what its implications are. And as an executive who has responsibility for the security of your company or for what goes into your products, all of this should be familiar to you already.

This is going to be an area I learn more about over the next few months. And since I learn best through writing, you can expect more blog posts on the topic of how the U.S. Government thinks about cryptographic modules. Stay tuned!

I want to help you go from overwhelmed at the rapid pace of change in identity-related standards to prepared to strategically invest in the critical standards for your business. Follow me on LinkedIn or reach out to discuss my Digital Identity Standards Development Services.

Heather Flanagan

Principal, Spherical Cow Consulting
Founder, The Writer's Comfort Zone
Translator of Geek to Human
