wolfSSL Inc. is very pleased to announce our wolf pack has successfully hunted down and captured the ever elusive FIPS 140-3 certificate! The world’s first automated submission (SP800-140Br1) FIPS 140-3 validated certificate #4718 [1] posted to the NIST website on July 11th 2024, valid through July 10th, 2029!

“wolfSSL remains focused on enhancing our technologies and expanding capabilities. We are dedicated to continuous innovation in security. The advancements in our FIPS 140-3 module highlight our commitment to delivering state-of-the-art cryptographic solutions that meet the rigorous demands of today’s cybersecurity landscape.” Stated wolfSSL CTO, Todd Ouska.

We are thrilled to work with ÆGISOLVE, INC. on this journey. The wolfSSL team is grateful for the ÆGISOLVE staff’s hard-work and dedication in realizing the very first SP800-140Br1 140-3 certificate in the world! A note from the ÆGISOLVE team:

Highlights

• Boot Times
    - wolfCrypt FIPS 140-2, power-on times could be slower due to mandatory self-tests
    - wolfCrypt FIPS 140-3 requires self-tests only at the first algorithm use or during a slower event cycle
      + faster boot times
      + optimal power and resource consumption with careful planning!

• Design
    - The wolfCrypt FIPS 140-3 validated module is the only commercial FIPS solution tailored for embedded
    - Emphasis on a minimal footprint, low resource use, reduced power consumption, and high performance for standard and real time systems
    - Design leads to superior scalability across devices, from mobile to server
    - 2-3 times more connections per device at 15-20% better performance than competing solutions.

• OpenSSL Replacement
    - Compatibility [2]
    - Engine [3]
    - Provider [4]

• Embeddability
    - Embedded Systems (Medical, networking, sensors, security systems, etc.)
    - Extended Battery life and high performance
    - Hardware Encryption Support
    - Assembly Acceleration

Changes from the historic wolfCrypt FIPS 140-2 cert #3389 to the active wolfCrypt FIPS 140-3 cert #4718:

• CAST (conditional algo self tests)

• KDF-TLS, TLS v1.2 KDF and TLSv1.3 KDF

• SSH KDF

• AES-OFB mode

• RSA 3072, 4096 and PSS

• New Degraded mode of operation in the event of a CAST failure other algorithm services will remain available.

For more about what FIPS is please checkout these blogs:

What is FIPS (long version): https://www.wolfssl.com/fips-long-version/
What is FIPS (short version): https://www.wolfssl.com/fips-short-version/
Webinar: Everything You Need To Know About FIPS 140-3: https://www.wolfssl.com/live-webinar-ev … ips-140-3/

For information on transitioning from 140-2 to 140-3 please checkout our blog: What is the difference between FIPS 140-2 and FIPS 140-3? (https://www.wolfssl.com/difference-fips … ips-140-3/)

Algo cert Link: https://csrc.nist.gov/projects/cryptogr … tion=36918
Security Policy Link: https://csrc.nist.gov/CSRC/media/projec … sp4718.pdf
Ref: Section 2.5 Algorithms
Ref: Section 2.2 Table 6 “Tested Operational Environments – Software, Firmware, Hybrid”
Cert #4718 Link: https://csrc.nist.gov/projects/cryptogr … icate/4718

For questions, comments or feedback please contact the wolfSSL team anytime at fips@wolfssl.com.

[1] https://csrc.nist.gov/projects/cryptogr … icate/4718
[2] https://www.wolfssl.com/documentation/m … ter13.html
[3] https://www.wolfssl.com/documentation/m … olfengine/
[4] https://www.wolfssl.com/openssl-3-0-pro … on-fips-2/