wolfSSL: Pioneering the Next Evolution of FIPS 140-3 Security! – Part 1

Building on our legacy of FIPS 140-3 certified solutions, wolfSSL is in the planning stages of forging our next full FIPS 140-3 submission. This iteration will integrate post-quantum cryptography: ML-KEM (FIPS 203, derived from CRYSTALS-Kyber), ML-DSA (FIPS 204, derived from CRYSTALS-Dilithium), and the stateful hash-based signature schemes LMS and XMSS (SP 800-208, needed for the CNSA 2.0 transition schedules), all contained within the latest FIPS 140-3 boundary.

Want to be at the forefront of this advancement? Become a Charter Member of this effort by collaborating with us while it is still in the planning stages! Reach out to us at fips@wolfssl.com to discuss options.

Charter Member advantages: ensure your Operating Environment (OE) is incorporated into the initial submission and accelerate your time-to-market by avoiding a separate post-validation effort to get your OE added. Time is of the essence!

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Firefox Gets FIPS 140-3 Power: wolfPKCS11 Unleashes wolfCrypt in NSS!

wolfSSL is thrilled to announce a significant milestone in browser security: the successful integration of wolfPKCS11 to provide FIPS 140-3 validated cryptography for the Mozilla Firefox browser. This is achieved by enabling wolfPKCS11 to serve as the backend cryptographic provider for Firefox’s Network Security Services (NSS) layer. This development represents a major step forward, bringing robust, federally-certified security to one of the world’s most popular web browsers.

This achievement builds directly upon a previously shared vision. Many may recall an earlier post, Why replace NSS with wolfSSL in Firefox?, which demonstrated the possibility of such an integration. It is with great excitement that this possibility is announced as a working reality. The core concept, replacing the underlying cryptographic implementations within NSS with the FIPS-validated capabilities of wolfCrypt via wolfPKCS11, has been brought to fruition.

For users and organizations operating in environments that require or prefer the assurances of FIPS 140-3 validated cryptography, this development is transformative. It means that Firefox can soon be leveraged with the formidable security backing of wolfSSL’s FIPS-certified cryptographic engine, wolfCrypt. While this advanced capability is fully functional and has been rigorously tested internally, it is important to note that it is not yet part of an official public release. Further announcements regarding public availability will be forthcoming. This progression from a proof-of-concept to a tangible, working solution underscores a commitment to not only innovate but also to deliver on complex technical challenges, reinforcing the reliability that is paramount in the security domain.

Why FIPS 140-3 in Your Browser is a Big Deal

Understanding the significance of this development begins with understanding FIPS 140-3. The Federal Information Processing Standard (FIPS) Publication 140-3 is a U.S. government standard developed by the National Institute of Standards and Technology (NIST). It specifies the security requirements for cryptographic modules, covering both hardware and software components that execute cryptographic functions. The primary role of FIPS 140-3 is to ensure that these cryptographic implementations meet stringent security benchmarks, thereby effectively protecting sensitive information. The gravity of this validation is starkly highlighted by NIST and the Canadian Centre for Cyber Security, which state that “non-validated cryptography is viewed as providing no protection to information—equivalent to plaintext”. This underscores the profound level of assurance that FIPS validation provides.

The mandate to use FIPS-validated cryptography is explicit for U.S. federal agencies when protecting sensitive information within their computer and telecommunication systems. This requirement frequently extends beyond direct government use, impacting contractors, organizations in regulated industries such as healthcare and finance, and entities pursuing critical certifications like the Cybersecurity Maturity Model Certification (CMMC). For other organizations, employing FIPS-validated cryptography serves as a clear indicator of a commitment to a high standard of security assurance.

Mozilla Firefox, along with other Mozilla products, relies on a set of libraries known as Network Security Services (NSS) for all its SSL/TLS, S/MIME, and other cryptographic operations. NSS is engineered to support cross-platform development and implements a comprehensive suite of internet security standards. A critical architectural feature of NSS is its utilization of the PKCS#11 standard. PKCS#11 is an API that governs communication with cryptographic tokens, which can be hardware accelerators, smart cards, or, as in this case, software-based modules often referred to as a “Software Security Device”. This adherence by NSS to the PKCS#11 standard is fundamental to the integration of wolfPKCS11. The combination of FIPS 140-3 defining what constitutes trusted cryptography and PKCS#11 providing how that trusted cryptography can be interfaced is powerful. Without NSS’s support for this standardized interface, replacing its cryptographic engine would be an extraordinarily complex, if not impossible, endeavor. This successful integration demonstrates how adherence to open standards can foster innovation and interoperability, ultimately benefiting end-users by making high-assurance cryptography accessible in mainstream applications like Firefox, potentially elevating the baseline for general web security expectations.

The wolfSSL Solution: wolfPKCS11 Powering NSS with FIPS-Certified wolfCrypt

The key to this enhanced security for Firefox is wolfPKCS11. This is wolfSSL’s robust implementation of the PKCS#11 API. The wolfPKCS11 module functions as an essential interface, or bridge, enabling applications that are designed to use the PKCS#11 standard (such as NSS) to access and utilize the comprehensive suite of cryptographic algorithms available within wolfSSL’s core cryptographic engine, wolfCrypt.

The integration leverages the “magic” of the PKCS#11 standard, which facilitates a “drop-in” replacement mechanism. NSS, by design, uses the PKCS#11 API to communicate with its default software token, softokn, which implements its primitives in the freebl library. The wolfPKCS11 module has been engineered to serve as a binary drop-in replacement for this default software security device. This means that, through modifications to configuration files rather than code changes to Firefox itself, NSS can be directed to use wolfPKCS11, and all cryptographic calls from NSS are then routed through wolfPKCS11 to the wolfCrypt engine. This modularity, made possible by the PKCS#11 standard, significantly reduces the complexity and effort typically associated with integrating a new cryptographic provider into an established application like Firefox. The existence of this well-defined standard is a direct enabler of this relatively seamless integration path.

The true cryptographic power behind this solution resides in wolfCrypt, wolfSSL’s FIPS 140-3 validated cryptographic engine. wolfSSL has a distinguished history of achieving FIPS certifications, and wolfCrypt stands as a testament to this commitment, having attained FIPS 140-3 validation (the wolfCrypt module was one of the first in the world to receive a FIPS 140-3 Validation Certificate). It is this validation that imbues the Firefox integration with its robust security backbone and its capability to meet stringent compliance requirements. Beyond its FIPS validation, wolfCrypt is renowned for its exceptional performance, minimal footprint optimized for embedded systems, and extensive support for a wide array of cryptographic algorithms.

Seeing is Believing: FIPS-Powered Browsing (And Yes, It’s Real!)

It is understandable that FIPS-grade cryptography seamlessly operating within Firefox might sound almost too good to be true. To demonstrate that this is far more than just theoretical, it was even tested with some, shall we say, critical internet operations.

Caption: “Never Gonna Give Your Data Up: Firefox running with wolfSSL FIPS 140-3 security!”

Yes, that’s Firefox streaming a timeless classic. While the choice of content might be a playful rickroll, rest assured, the underlying FIPS 140-3 validated cryptography being provided by wolfPKCS11 and wolfCrypt is absolutely real and fully functional. If the system can handle real-world HTTPS traffic for streaming video (even this particular video), it is capable of many of today’s demanding browser use cases.

For those curious about how this appears “under the hood,” if one were to inspect Firefox’s security device manager, wolfPKCS11 would be visible as a loaded module.

As mentioned, this powerful capability is confirmed and working seamlessly within our internal development environments. While it is not yet available in a public wolfPKCS11 release or as a standard component of Firefox distributions, work is progressing towards that goal. Keep an eye on the wolfSSL blog and official announcements for future updates.

Beyond the Browser: wolfSSL’s Commitment to Pervasive FIPS Security

The work to bring FIPS 140-3 validated cryptography to Firefox via NSS and wolfPKCS11 is not an isolated endeavor. It is a significant component of a much broader strategic initiative within wolfSSL: to make FIPS-certified cryptography readily and easily accessible across a diverse range of platforms and ecosystems.

This vision extends to enabling FIPS compliance across entire Linux distributions. There are ongoing efforts to integrate the wolfCrypt FIPS module with other critical system libraries, such as libgcrypt and GnuTLS. The ultimate objective is ambitious yet vital: “achieving FIPS 140-3 compliance across an entire Linux distribution”. Such an achievement would establish a unified, trusted cryptographic layer, thereby simplifying compliance efforts and significantly enhancing the security posture for countless applications and systems built upon these foundational open-source components. This strategy of embedding FIPS-validated technology deep within core operating system and application components positions wolfCrypt as a fundamental building block for secure systems, potentially establishing it as a de facto standard for FIPS cryptography in open-source environments.

Furthermore, the wolfPKCS11 module itself is designed with the future in mind. It is an evolving component, with support for the Leighton-Micali Signature (LMS) scheme planned. LMS is a stateful hash-based signature scheme, specified in RFC 8554 and approved by NIST in SP 800-208, notable for its resistance to quantum attacks. This demonstrates a proactive stance towards emerging security threats. The engineering investment in wolfPKCS11 is therefore not limited to current FIPS standards; it is also paving a pathway towards post-quantum cryptography. This means that the very same integration mechanism being used to deliver FIPS 140-3 validated cryptography to Firefox today could deliver post-quantum security in the future, thanks to the flexible and standards-compliant design of wolfPKCS11.

Conclusion: Secure Your Firefox Experience, Trust wolfSSL

To summarize this exciting development: wolfSSL has successfully made FIPS 140-3 validated cryptography a practical reality for the Firefox browser. This has been achieved by integrating the wolfPKCS11 module with Firefox’s Network Security Services (NSS), thereby allowing Firefox to leverage the proven strength of the wolfCrypt FIPS-certified engine.

The benefits of this integration are manifold. It provides access to high-assurance, FIPS-validated security within one of the world’s leading web browsers. For organizations with FIPS compliance mandates, it offers a significantly simplified path to meeting those requirements for browser-based activities. All of this is delivered with the robust, performant, and resource-efficient cryptography that wolfSSL is known for.

This advancement is another clear testament to wolfSSL’s leadership in embedded security, cryptography, and FIPS validation. The commitment at wolfSSL is to provide cutting-edge, reliable security solutions that meet the evolving challenges of the digital world. This successful integration reinforces that commitment and highlights the dedication to enhancing security for users everywhere.

Get in Touch / Download wolfSSL

Stay tuned to our blog for updates on the public availability of this feature!

If you have questions about any of the above, or how wolfSSL can help secure your applications, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.


wolfSSL Inc. achieves first major maintenance submission post FIPS 140-3 validation

wolfSSL is thrilled to announce a significant achievement! Following receipt of our FIPS 140-3 validated certificate #4718 last July, wolfSSL completed the first update to that certificate. On May 16, 2025, the wolfSSL OEUP submission, encompassing a batch of 25 Operating Environments, received approval from the CMVP. The exceptional reviews provided by our trusted FIPS laboratory Aegisolve Inc. were critical to achieving this milestone, and they have our utmost gratitude! We invite all to review the updated details in our Security Policy Table 6, also provided below. This approval marks a major advancement in wolfSSL’s FIPS 140-3 efforts!

Operating System | Hardware Platform | Processors | PAA/PAI | Hypervisor or Host OS | Version(s)
---|---|---|---|---|---
Linux 4.4 (Ubuntu 16.04 LTS) | Intel Ultrabook 2 in 1 | Intel Core i5-5300U CPU @2.30GHz x 4 | Yes | | v5.2.1
Linux 4.4 (Ubuntu 16.04 LTS) | Intel Ultrabook 2 in 1 | Intel Core i5-5300U CPU @2.30GHz x 4 | No | | v5.2.1
Android 13 | Samsung Galaxy XCover Pro | Exynos 9611 without PAA | No | | v5.2.1
Linux 5.4 | WTM 4100 | Broadcom BCM56260B0IFSBG – Saber2 | No | | v5.2.1
RedHat Enterprise Linux Workstation 8.9 | Precision 5820 Tower | Intel® Xeon® W-2255 @ 3.7GHz | No | | v5.2.1
FreeRTOS v10.4 | Network Interface Card for Aclara RF | Renesas R7FA6E10F | No | | v5.2.1
Linux 5.15 | iSTAR physical access controller | Freescale i.MX7 Dual Arm Cortex A-7 | No | | v5.2.1
Linux 4.14 | Ricoh IM C3010 | Intel® Atom® E3930 @1.30GHz | No | | v5.2.1
Linux 4.14 | Ricoh IM C4510 | Intel® Atom® E3940 @1.60GHz | No | | v5.2.1
NET+OS v7.6 | Spectrum Infusion System | Digi International NS9210 | No | | v5.2.1
Yocto (kirkstone) 4.0 | Novum IQ Infusion Platform | NXP i.MX6UL | No | | v5.2.1
MQX 3.4 | FEI-Zyfer Time and Frequency System | NXP PowerQUICC II MPC8313e 32bit | No | | v5.2.1
CodeOS v1.4 | Series CR2700 Code Reader(s) | CodeCorp CT8200 (ARM FA626TE) | No | | v5.2.1
OpenRTOS v10.5 | Teledyne Webb SOM Module | STM32L4R5 | No | | v5.2.1
Endace Crypto Firmware 2.1 | EndaceProbe 2144 | Intel® Xeon® Silver 4316 CPU @2.30GHz | No | | v5.2.1
Endace Crypto Firmware 2.1 | EndaceProbe 2144 | Intel® Xeon® Silver 4316 CPU @2.30GHz | Yes | | v5.2.1
Endace Crypto Firmware 2.1 | EndaceProbe 2184 | Intel® Xeon® Gold 6338N CPU @2.20GHz | No | | v5.2.1
Endace Crypto Firmware 2.1 | EndaceProbe 2184 | Intel® Xeon® Gold 6338N CPU @2.20GHz | Yes | | v5.2.1
Endace Crypto Firmware 2.1 | EndaceProbe 94C8 | Intel® Xeon® Gold 5418N CPU @1.80GHz | Yes | | v5.2.1
Endace Crypto Firmware 2.1 | EndaceProbe 92C8 | Intel® Xeon® Gold 6230N CPU @2.30GHz | Yes | | v5.2.1
Anyware Trusted Zero Client Firmware Kernel 6.1 | Anyware Trusted Zero Client | AMD Ryzen Embedded R1305G | No | | v5.2.1
Anyware Trusted Zero Client Firmware Kernel 6.1 | Anyware Trusted Zero Client | AMD Ryzen Embedded R1305G | Yes | | v5.2.1
Anyware Trusted Zero Client Firmware Kernel 6.1 | HP tz655 Trusted Zero Client | AMD Ryzen Embedded R2314 | Yes | | v5.2.1
Fusion Embedded RTOS 5.0 | Classone® IP Radio Gateway | Analog Devices ADSP-BF516 (Blackfin) | No | | v5.2.1
Linux 5.4 | Harman MUSE MU Controller | NXP i.MX8M | No | | v5.2.1
Linux 4.9 | Harman N2612S Video encoder/decoder | ARM Cortex-A7 | No | | v5.2.1
Linux 5.10 | Harman N4321D audio transcoder | NXP i.MX8 | No | | v5.2.1

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.


wolfSSL Inc. SP800-140C, SP800-140D and Post-Quantum efforts update!

This is an update to previous post wolfSSL Inc. SP800-140C and Post-Quantum efforts update!

The National Institute of Standards and Technology (NIST) has recently updated its guidelines, enabling the certification of several post-quantum cryptographic algorithms through the Cryptographic Module Validation Program (CMVP). Notably, the digital signature algorithms ML-DSA (CRYSTALS-Dilithium), SLH-DSA, LMS, and XMSS are now fully certifiable under the updated SP800-140C standards. Similarly, ML-KEM (CRYSTALS-Kyber) is fully certifiable under the updated SP800-140D standards!

In response to these developments, wolfSSL Inc. is proactively planning submissions to the CMVP for all of these except SLH-DSA. (If you would like to see SLH-DSA included, please let us know sooner rather than later, before we submit!)

wolfSSL Inc. has a strong track record in cryptographic module validation, having previously achieved FIPS 140-3 Certificate #4718 for its wolfCrypt Module, the world’s first SP 800-140Br1 validated certificate.

By staying ahead of regulatory changes and actively engaging in the certification process, wolfSSL continues to demonstrate its commitment to providing robust and compliant cryptographic solutions in the evolving landscape of post-quantum security.

As a reminder, be sure the January 1st, 2026 ESV soft transition does not catch you unprepared. The deadline for mandatory ESV validation across all FIPS modules is rapidly approaching. Leverage wolfSSL’s proven expertise to navigate this critical shift. Engage our staff now to architect a robust roadmap and guarantee a successful post-2026 FIPS compliance strategy!

We’d love to hear your feedback or input on this subject please do not hesitate to contact us at support@wolfSSL.com or fips@wolfSSL.com anytime!

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.


Enhancing Linux Cryptography: Integrating wolfCrypt FIPS 140-3 via NSS and PKCS#11

In the rapidly changing landscape of cybersecurity, ensuring compliance with rigorous standards like FIPS 140-3 is essential for organizations in sensitive sectors such as government, finance, and healthcare. By integrating FIPS-certified cryptography into Mozilla’s Network Security Services (NSS) library through the PKCS#11 standard—an API for cryptographic operations—we are contributing to a broader goal of achieving FIPS 140-3 compliance across an entire Linux distribution.

Firefox employs the NSS library for its cryptographic functions. The NSS library utilizes the PKCS#11 standard—a widely adopted application programming interface (API) that enables secure cryptographic operations—to interact with its default cryptographic library, freebl.

The Role of FIPS Certification

FIPS certification ensures that cryptographic implementations meet rigorous security standards set by the National Institute of Standards and Technology (NIST). Achieving FIPS compliance is vital for organizations requiring high-security assurance, as it validates the integrity and reliability of cryptographic operations. wolfCrypt has attained FIPS 140-3 certification, making it a robust choice for environments where security cannot be compromised.

Integrating wolfCrypt into NSS

To integrate wolfCrypt into NSS, we substitute wolfPKCS11 for the default softokn/freebl software token. This enables NSS to utilize wolfCrypt’s FIPS-certified algorithms through the PKCS#11 interface, allowing applications to leverage secure cryptographic functions seamlessly and efficiently. Because the substitution happens at the PKCS#11 interface, we are able to provide a binary drop-in replacement without modifying anything outside of configuration files. You can follow our progress on the nss feature branch of the wolfPKCS11 repository on GitHub.
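
Both this post and the Firefox announcement above describe redirecting NSS to wolfPKCS11 through configuration rather than code. The check a practitioner wants after such a change is to see which PKCS#11 modules a given NSS database is actually configured to load. For an SQL-format database (a Firefox profile directory is one) NSS records that module configuration in a file named pkcs11.txt. The following is an added example, not code from wolfSSL or the wolfPKCS11 repository, that parses that file and reports each module, its library and its flags. The sample file content is constructed; the library path /usr/local/lib/libwolfpkcs11.so and the module name wolfPKCS11 are assumptions, not necessarily the names the integration uses.

```python
"""List the PKCS#11 modules an NSS database is configured to load.

NSS keeps the module configuration for SQL-format databases (Firefox profile
directories included) in a file named pkcs11.txt.  Each module is one entry
with the top-level keys library, name, parameters and NSS; entries are
separated by blank lines and may be written one key per line or on a single
line.  This parser accepts both layouts.
"""
import re
from dataclasses import dataclass, field
from pathlib import PurePath

# Only these keys start a new field; everything else (configdir=, trustOrder=, ...)
# is nested inside the parameters= or NSS= value and must not be split off.
_TOP_KEYS = ("library", "name", "parameters", "NSS")
_SPLIT_RE = re.compile(r"\s+(?=(?:library|name|parameters|NSS)=)")


@dataclass
class Pkcs11Module:
    name: str
    library: str            # empty string means NSS's built-in softoken
    flags: tuple            # comma-separated list taken from NSS=Flags=...
    raw: dict = field(default_factory=dict)

    @property
    def is_internal(self) -> bool:
        return "internal" in self.flags or self.library == ""


def parse_pkcs11_txt(text: str) -> list:
    """Parse pkcs11.txt content into Pkcs11Module entries."""
    modules = []
    for block in re.split(r"\n\s*\n", text.strip()):
        joined = " ".join(line.strip() for line in block.splitlines() if line.strip())
        fields = {}
        for token in _SPLIT_RE.split(joined):
            key, _, value = token.partition("=")
            if key in _TOP_KEYS:
                fields[key] = value.strip()
        if "name" not in fields:
            continue                      # not a module entry
        match = re.search(r"Flags=(\S+)", fields.get("NSS", ""))
        flags = tuple(match.group(1).split(",")) if match else ()
        modules.append(Pkcs11Module(fields["name"], fields.get("library", ""), flags, fields))
    return modules


def find_module(modules, library_substring: str):
    """Return the first module whose library file name contains the substring."""
    needle = library_substring.lower()
    for module in modules:
        if needle in PurePath(module.library).name.lower():
            return module
    return None


def slot_flags(module: Pkcs11Module) -> list:
    """Mechanism families the entry advertises in slotParams slotFlags=[...]."""
    match = re.search(r"slotFlags=\[([^\]]*)\]", module.raw.get("NSS", ""))
    return match.group(1).split(",") if match else []


# Constructed sample: a profile whose built-in softoken entry is followed by a
# hypothetical wolfPKCS11 entry.  The library path and module name are assumptions.
SAMPLE_PKCS11_TXT = """\
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/home/user/.mozilla/firefox/abc123.default' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})

library=/usr/local/lib/libwolfpkcs11.so
name=wolfPKCS11
NSS=
"""

if __name__ == "__main__":
    for mod in parse_pkcs11_txt(SAMPLE_PKCS11_TXT):
        where = "built-in softoken" if mod.is_internal else mod.library
        print(f"{mod.name}: {where} flags={','.join(mod.flags) or '-'} slots={slot_flags(mod)}")
```

The same information is what `modutil -list -dbdir sql:<profile directory>` prints; parsing the file directly is handy where modutil is not installed or when auditing many profiles at once. Note that the slotFlags list of the built-in token still advertises DES, which is one more reason to care which token is actually doing the work.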

Benefits Beyond Firefox

This initiative is part of a larger effort to provide FIPS-certified cryptography across entire Linux distributions. Similar projects include integrating wolfCrypt with libraries such as libgcrypt and GnuTLS. These efforts aim to create a uniform cryptographic layer, reducing complexity and potential vulnerabilities associated with managing multiple cryptographic libraries.

For more information or to explore how your organization can benefit from integrating wolfCrypt FIPS, contact our team at facts@wolfssl.com or call us at +1 425 245 8247.


GnuTLS Gets a wolfCrypt Boost

We’re excited to announce our ongoing work integrating wolfCrypt with GnuTLS! Unlike traditional approaches that require extensive application rewrites, our solution operates entirely behind the scenes. By patching GnuTLS at the library level, we’re creating a seamless path for applications to leverage wolfCrypt’s cryptographic capabilities without changing a single line of their application code. Our development strategy focuses on progressive implementation, tackling core cryptographic operations first and methodically expanding to cover the complete security spectrum. This approach means organizations can benefit from enhanced security immediately, with more capabilities rolling out steadily. For teams working in regulated environments requiring FIPS certification, this integration offers a remarkable advantage: immediate access to wolfCrypt’s FIPS 140-3 certified algorithms without the typical development and certification marathon.

What makes this integration particularly significant is GnuTLS’s central role in secure communications infrastructure. Our approach aims to transform what would typically be a massive certification challenge into a straightforward library update, allowing organizations to achieve FIPS compliance without disrupting their existing architecture. For Linux distribution maintainers, this integration will eliminate the traditional compromise between security and compatibility when deploying certified cryptography. Certificate validation and protocol handling will continue through the familiar GnuTLS interface while benefiting from wolfCrypt’s certified implementation underneath. Our goal is to help reduce the time needed for certification processes, enabling organizations to more efficiently deploy secure communications in regulated environments without compromising on compatibility or performance.

Take a more in depth look here: https://github.com/wolfssl/gnutls-wolfssl

For more details or questions about this effort, please reach out to facts@wolfSSL.com or +1 425 245 8247.


wolfCrypt Python: PQC Algorithm Support

wolfCrypt Python, a Python wrapper for wolfSSL’s cryptographic library wolfCrypt, now provides Python APIs for the PQC algorithms ML-KEM and ML-DSA.

The ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) APIs provide quantum-resistant key establishment with three parameter sets (ML-KEM-512/768/1024). The implementation includes key generation, encapsulation, decapsulation, and key import/export functionality.

The ML-DSA (Module-Lattice-Based Digital Signature Algorithm) APIs provide quantum-resistant digital signatures with three parameter sets (ML-DSA-44/65/87). Features include key generation, signing, and verification.

Using the Python API, you can try out the PQC algorithms quickly with little effort. The following links show how to start PQC trials with wolfCrypt Python.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.


wolfCrypt Takes Over libgcrypt

We are pleased to announce the start of an official wolfSSL project to port wolfCrypt FIPS into libgcrypt. This initiative aims to replace the underlying cryptography in applications using libgcrypt with wolfCrypt’s certified algorithms. With wolfCrypt already achieving FIPS 140-3 certification, applications using libgcrypt’s API can immediately be deployed in environments that require certified cryptography, such as government, military, finance, and medical applications. This port not only enhances security but also saves developers significant time and effort. For developers, this integration means they can focus on building their applications without the burden of transitioning applications to meet cryptographic compliance. By using wolfCrypt, developers can ensure that their applications meet the highest security standards without the need for extensive testing and validation of multiple cryptographic libraries. This project also provides a seamless way to explore and evaluate wolfCrypt for future projects, offering a pathway to potentially transition applications to natively use wolfCrypt.

Furthermore, this effort has significant implications for Linux distributions, which often incorporate a wide array of cryptographic dependencies, such as libgcrypt, to provide comprehensive functionality to many packages. By ensuring that all cryptographic dependencies use a consistent cryptography provider like wolfCrypt, distributions can maintain uniform security standards across the entire system and applications. This consistency is crucial for reducing complexity and potential vulnerabilities that arise from using multiple cryptographic libraries. It simplifies the management of cryptographic standards and reduces the risk of incompatibilities or security gaps, particularly in environments where security and compliance are paramount.

Take a deeper look here: https://github.com/wolfSSL/libgcrypt-wolfssl/tree/libgcrypt-1.11.0-wolfCrypt

For more details or questions about this effort, please reach out to facts@wolfSSL.com or call us at +1 425 245 8247.


wolfSSL Inc. SP800-140C and Post-Quantum efforts update!

This is an update to previous post Everything wolfSSL is Preparing for Post-Quantum as of Spring 2024 and an extension to post wolfSSL Support for Post-Quantum.

The National Institute of Standards and Technology (NIST) has recently updated its guidelines, enabling the certification of several post-quantum cryptographic algorithms through the Cryptographic Module Validation Program (CMVP). Notably, the digital signature algorithms ML-DSA (CRYSTALS-Dilithium), LMS, and XMSS are now fully certifiable under the updated SP800-140C standards.

In response to these developments, wolfSSL Inc. is proactively planning submissions to the CMVP for these algorithms. wolfSSL Inc. has a strong track record in cryptographic module validation, having previously achieved FIPS 140-3 Certificate #4718 for its wolfCrypt Module, the world’s first SP 800-140Br1 validated certificate.

While ML-KEM (CRYSTALS-Kyber) is not yet included in the approved security function list of SP 800-140C, wolfSSL is taking a forward-thinking approach by incorporating ML-KEM into its offerings. This strategic inclusion ensures that once ML-KEM receives approval and is certifiable, wolfSSL will be prepared to submit all four algorithms, ML-DSA, LMS, XMSS, and ML-KEM, for certification.

By staying ahead of regulatory changes and actively engaging in the certification process, wolfSSL continues to demonstrate its commitment to providing robust and compliant cryptographic solutions in the evolving landscape of post-quantum security.

Please don’t hesitate to contact us at support@wolfSSL.com or fips@wolfSSL.com anytime to share your feedback or input on this subject!

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.


The Risks of 3DES in FIPS Certificates

When it comes to securing data, cryptographic algorithms are the backbone of many systems. 3DES (Triple DES, also written TDES or TDEA) was once a FIPS (Federal Information Processing Standards) approved algorithm, but NIST disallowed it for encryption as of 1 January 2024 (SP 800-131A Rev. 2), over a year ago! Having 3DES in a FIPS module today could spell trouble on the near horizon, not only for security but also for compliance.

Early Expiration of Certificates

A FIPS certificate comes with an expiration date, but the CMVP has the authority to move a certificate to the “historical list” before that date or to “Revoke” a certificate if a non-compliance issue is found. Either action makes the certificate no longer valid for new procurements or for use in certain scenarios if already deployed in the field. The CMVP exercised this authority during the transition from SP 800-56Arev[1,2] to SP 800-56Arev3, which tightened the standards for key establishment methods. Modules that did not meet the updated criteria by July of 2022 were moved to the historical list ahead of their expected expiration dates.

The same could happen with certificates that include 3DES now. Should the CMVP decide to enforce a hard transition on 3DES, any certificate with that algorithm could be revoked or made historical sooner than its listed expiration date. This means one could suddenly lose compliance, disrupting operations and requiring urgent updates to systems which can take many months or years to complete as anyone in the FIPS space is well aware.

An Example of Future-Proofing

An excellent example of future-proofing is the wolfSSL FIPS 140-3 module certificate #4718. Unlike many competing solutions, wolfSSL ensured that 3DES was not included in the boundary of this module. This proactive decision protects users of the wolfSSL Inc. wolfCrypt FIPS 140-3 module from the risks associated with 3DES and potential early certificate invalidation by the CMVP. By contrast, most of the competition did not do this future planning and still include 3DES in their boundary. This leaves users of those modules exposed to potential compliance issues and security risks.

What Should You Do?

  1. Avoid 3DES in New Designs: Choose FIPS modules that use stronger algorithms like AES. Ensure your vendors are aware of the risks and are providing compliant solutions.
  2. Audit Your Current Systems: If you’re already using a FIPS-certified module with 3DES, plan to migrate to a more secure alternative or re-validate that module without 3DES included in the boundary. Don’t wait for the CMVP to force your hand.
  3. Stay Informed: Keep an eye on updates from NIST and the CMVP. Understanding upcoming changes helps you plan and prepare before CMVP decisions impact your systems.
  4. Test Your Transition Plans: Ensure that moving away from deprecated algorithms like 3DES won’t cause unexpected issues. Test thoroughly in a controlled environment.
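
As an added example for the audit step above (not code from wolfSSL), here is a small Python audit that flags Triple-DES in the places it tends to hide: OpenSSL-style cipher lists as used in nginx or Apache configuration (DES-CBC3 suites), IANA suite names as reported by TLS scanners (3DES_EDE), and the algorithm tables of a module's FIPS Security Policy (Triple-DES/TDES/TDEA). The cipher list, suite names and policy excerpt are constructed samples.

```python
"""Audit cipher-suite configuration and FIPS Security Policy text for Triple-DES.

3DES hides under several spellings: OpenSSL suite names say DES-CBC3, IANA/RFC
names say 3DES_EDE_CBC, and CMVP Security Policies write Triple-DES, TDES or
TDEA.  NIST SP 800-131A Rev. 2 disallows TDEA encryption after 31 Dec 2023.
"""
import re

# Substrings that identify Triple-DES in TLS cipher-suite identifiers.
# Plain "DES-CBC-SHA" (single DES) deliberately does not match these.
_3DES_SUITE_MARKERS = ("DES-CBC3", "3DES_EDE", "3DES-EDE")
# Spellings used in Security Policy algorithm tables and certificate listings.
_3DES_POLICY_RE = re.compile(r"\b(?:triple[- ]?des|tdes|tdea|3des|des[- ]?ede3?)\b",
                             re.IGNORECASE)


def suites_from_openssl_list(spec: str) -> list:
    """Split an OpenSSL-style ':' cipher list (e.g. nginx ssl_ciphers) into
    suite names, dropping the !/-/+ exclusion and ordering modifiers."""
    return [s for s in spec.split(":") if s and not s.startswith(("!", "-", "+"))]


def uses_3des(suite: str) -> bool:
    """True if a cipher-suite name (OpenSSL or IANA style) uses Triple-DES."""
    upper = suite.upper()
    return any(marker in upper for marker in _3DES_SUITE_MARKERS)


def find_3des_suites(suites) -> list:
    return [s for s in suites if uses_3des(s)]


def find_3des_in_policy(policy_text: str) -> list:
    """Return the lines of a Security Policy excerpt that mention Triple-DES."""
    return [line.strip() for line in policy_text.splitlines()
            if _3DES_POLICY_RE.search(line)]


def audit(cipher_spec: str, iana_suites, policy_text: str) -> dict:
    """Run all three checks; 'clean' is True only if nothing references 3DES."""
    findings = {
        "openssl_suites": find_3des_suites(suites_from_openssl_list(cipher_spec)),
        "iana_suites": find_3des_suites(iana_suites),
        "policy_lines": find_3des_in_policy(policy_text),
    }
    findings["clean"] = not any(findings.values())
    return findings


# Constructed sample: an nginx ssl_ciphers value still carrying legacy 3DES suites.
SAMPLE_CIPHER_SPEC = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
                      "ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!aNULL:!MD5")
# Constructed sample: IANA-style names as a TLS scanner or library would report them.
SAMPLE_IANA_SUITES = ["TLS_AES_256_GCM_SHA384", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]
# Constructed sample in the style of a Security Policy approved-algorithms table.
SAMPLE_POLICY_TEXT = """\
Table 2 - Approved Algorithms
AES        | FIPS 197, SP 800-38A | ECB, CBC, CTR, GCM | 128, 192, 256
Triple-DES | SP 800-67            | CBC                | 192 (3-key)
SHA-2      | FIPS 180-4           | SHA-256, SHA-384, SHA-512
HMAC       | FIPS 198-1           | SHA-256, SHA-384, SHA-512
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CIPHER_SPEC, SAMPLE_IANA_SUITES, SAMPLE_POLICY_TEXT).items():
        print(f"{key}: {value}")
```

Run it against the real inputs: the cipher list from your web server or client configuration, the suite list a scanner reports for a live endpoint, and the approved-algorithms table from the Security Policy of the module you depend on. Any non-empty finding is a migration item to schedule before the CMVP forces the issue.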

Conclusion

3DES served its purpose in its time, but it is simply a liability now. If your systems rely on a FIPS certificate that includes 3DES, it’s time to act. By planning ahead and staying informed, you can ensure your systems remain secure and compliant, no matter what changes the CMVP enforces. Choosing solutions like wolfSSL’s FIPS 140-3 module, which proactively excludes outdated algorithms, can give you peace of mind and protect you from future disruptions.

If you have any questions or would like to talk with one of our team about this subject please send an email to fips@wolfssl.com or support@wolfssl.com. For general inquiries, you can also reach out to facts@wolfssl.com or +1 425 245 8247. Our staff are more than happy to help any way they can.

