What is FIPS 140-3?

Federal Information Processing Standards (FIPS) 140-3 is a mandatory standard for the protection of sensitive or valuable data within Federal systems.

FIPS 140-3 is an incremental advancement of FIPS 140-2, which standardized on the ISO 19790:2012 and ISO 24759:2017 specifications. Historically, ISO 19790 was based on FIPS 140-2, but has continued to advance since that time. FIPS 140-3 will now point back to ISO 19790 for security requirements. Keeping FIPS 140-3 as a separate standard will still allow NIST to mandate additional requirements on top of what the ISO standard contains when needed.

Among the changes for FIPS 140-3 are conditional algorithm self-tests, where the algorithm self-tests are only performed if used. The pre-operational self-test is now faster, as all the algorithms are not tested until needed. This helps with startup times as the public key self-testing can be time consuming. The self tests can be run at appropriate times for your application startup. Also, there is additional testing of the DRBG entropy sources.

Why is FIPS 140 Important?

FIPS Validated 140-3

Federal agencies purchasing cryptographic-based security systems must confirm an associated FIPS 140-3 certificate exists.

This procurement “check-box” item is a deal breaker. Vendor claims of “designed for FIPS” or “FIPS ready” do not pass this hurdle. Also, be careful with claims of vendor affirmation, as it is frequently a red flag for federal buyers.

No FIPS certificate = No sale

Federal buyers and auditors will also confirm FIPS validation by confirming a match between your certificate's operational environment listings and your product. 

What is the status of the wolfSSL FIPS and CAVP validation efforts?

wolfSSL is currently the leader in embedded FIPS certificates. The wolfCrypt module holds the world’s first SP800-140Br1-compliant FIPS 140-3 Validation Certificate. We also maintain ongoing support for two historical FIPS 140-2 certificates for the wolfCrypt Cryptographic Module: #2425 and #3389 (services for product in the field is ongoing). Certificate #3389 includes algorithm support required for TLS 1.3 and can be used in conjunction with the wolfSSL embedded SSL/TLS library for full TLS 1.3 client and server support. Additionally, wolfSSL has obtained FIPS 140-3 Validated Certificate #4718. Learn more about FIPS 140-3 in our blog post.

wolfSSL also supports the new ACVP (Automated Cryptographic Validation Protocol), which is the successor to the two decade old CAVP system from NIST.  ACVP is intended to alleviate the manual steps of the older CAVP process, creating a more efficient and effective method for cryptographic algorithm testing and validation.  Learn more about ACVP in our blog posts here and here.

For additional information contact us at fips@wolfssl.com

wolfCrypt FIPS 140-3 Level 1 Certificate #4718

Historical cert list:
wolfCrypt v4 FIPS 140-2 Level 1 Certificate #3389
wolfCrypt FIPS 140-2 Level 1 Certificate #2425

For a full list of currently validated Operating Environments, please see the section below.

I am a Techie. What is so great about the wolfCrypt FIPS module?

wolfCrypt is a cryptographic software API library. Your application may rely on wolfCrypt to provide all of the cryptographic processing. Instead of performing your own FIPS validation, you may claim that you are using an embedded FIPS cryptographic module. This will make your Federal customers happy.

wolfCrypt is compliant with FIPS 140-3 Implementation Guidance 9.10. We implemented a default entry point to run self-tests automatically. The FIPS OpenSSL module does not provide a default entry point.

wolfCrypt FIPS Boundary Design

wolfSSL has defined the wolfCrypt FIPS boundary specifically around a subset of the wolfCrypt algorithms such that it is easy and painless to update to new wolfSSL releases while maintaining an existing wolfCrypt FIPS validation. Most bugs and vulnerabilities happen in the SSL/TLS layer code - outside the cryptographic module code itself. With the FIPS boundary drawn around only the wolfCrypt cryptography algorithms, this allows users to update to newer versions of the wolfSSL SSL/TLS code and keep the same validated wolfCrypt FIPS code underneath. With a current wolfSSL support package in place, our FIPS customers receive new wolfSSL SSL/TLS release bundles packaged with their existing validated version of wolfCrypt, making it easy to stay secure and up to date!

Can I get a FIPS certificate in my company’s name?

Yes. You have the option of rebranding the wolfCrypt module and NIST will issue a FIPS 140-3 certificate in your company’s name. Your sales team will thank you.

How can wolfSSL help me?

At wolfSSL, our security experts have the FIPS expertise you need. We will form a FIPS strategy that is best for you, optionally including on-site FIPS consulting! Before you search for a FIPS Consultant or begin calling several of the 22 FIPS Laboratories, contact us.  We can save you time, money, and effort.

wolfSSL FIPS Ready

wolfSSL also provides support for a wolfCrypt FIPS Ready version of the library! wolfCrypt FIPS Ready is our FIPS enabled cryptography layer code included in the wolfSSL source tree that you can enable and build. You do not get a FIPS certificate, you are not FIPS approved, but you will be FIPS Ready. FIPS Ready means that you have included the FIPS code into your build and that you are operating according to the FIPS enforced best practices of default entry point, and power on self test.

wolfCrypt FIPS Ready can be downloaded from the wolfSSL download page located here: https://www.wolfssl.com/download/. More information on getting set up with wolfCrypt FIPS Ready can be found in our FIPS Ready User Guide.

Currently Validated Operating Environments

wolfCrypt has been validated on a number of Operating Environments (OEs). The current validated OE list for both wolfCrypt FIPS certificates (#2425 and #3389) are listed here for reference.  wolfSSL can easily add additional OEs to existing wolfCrypt FIPS certificates. To learn more about this process, contact us today!

Certificate #3389 Current OE List:

Operating SystemProcessorPlatform
OpenRTOS v10.1.1STM32L4RxSTMicroelectronics STM32L4R9I-DISCO (Discovery Kit)
HP Imaging & Printing Linux 4.9ARMv8 Cortex-A72/A53HP PN 3PZ95-60002
Windows 10 EnterpriseIntel® Core™ i7-7820 x4Radar FCL Package Utility
Linux socfpga cyclone VArmv7 rev 0, Cortex A-9SEL 2700 Series 24-Port Ethernet Switch
Fusion Embedded RTOS 5.0Analog Devices ADSP-BF516 (Blackfin)Classone ® IP Radio Gateway
Linux 4.12 Yocto StandardFreescale i.MX6 DualLite ARMv7 Cortex-A9 x2Metasys® SNC Series Network Control Engine
Nucleus 3.0 version 2013.08.1Freescale Vybrid VF500XL200 Radio
CodeOS v1.4CT8200 (ARM FA626TE)HP ProLiant DL360
Linux 4.14Armv8 Cortex-A53SEL-2742S
CMSIS-RTOS v2.1.3Silicon Labs EFM32GAlto™
Windows CE 6.0ARM Cortex-A8HP LaserJet Enterprise
QNX 6.6NXP i.MX 6SoloX Arm® Cortex®-A9Zebra ZT610
QNX 7.0NXP i.MX7 Arm® Cortex®-A7 (x2)Zebra ZD621
QNX 6.5NXP i.MX25 Arm9™Zebra ZQ630
QNX 7.0NXP i.MX 6ULL Arm® Cortex®-A7Zebra ZT421
SUSE Linux Enterprise hosted in Hypervisor Vmware ESXi 6.7.0Intel® Xeon® E-2234Dell PowerEdge T340
Linux 4.14Dual ARM Cortex A9Lenovo XClarity Controller
Swoop Kernel 1.5Xilinx Zynq Ultrascale+ XCZU9EG™Skipper
Windows Server 2016Intel® Xeon® E5-2603Dell PowerEdge R430
NET+OS v7.6NS9210Sigma IV Infusion Pump
Windows 10 ProIntel® Core™ i7-7600ULenovo Thinkpad T470
Windows Server 2019Intel® Xeon® Silver 4116 (x24)HPE ProLiant DL360
Android 11Qualcomm Snapdragon 865 (SoC)Samsung Galaxy S20 5G
Linux 5.4Freescale i.MX7 Dual ARM® Cortex-A7iSTAR physical access controller
Linux 5.4Intel® Xeon® E-2244GDell PowerEdge R340 Rack Server
Linux 4.12Intel® Core™ i3-7101HP PageWide XL
Linux 4.9Freescale i.MX7 Dual ARM® Cortex-A7ZOLL Communications Module
NetBSD v6.0.1Intel(R) Atom(R) E3930RICOH IM C2500
NetBSD v6.0.1Intel(R) Atom(R) E3940RICOH IM C6000
Android 6.0 (Linux 4.1)Freescale i.MX6 Quad/DualLiteRICOH IM C6000
iOS 14Apple A14 BioniciPhone 12
Android 8.1 (Linux 4.4)Qualcomm Snapdragon 835 (APQ8098 / MSM8998)EchoNous Kosmos® Bridge
CentOS Linux 7.9 on VMware ESXi 6.7Intel® Xeon® X5650 @2.67GHzHP ProLiant DL360
Linux 3.10 (CentOS 7) Intel® Atom™ CPU D525 @1.80GHzBeckman Coulter PROService RAP BOX
Yocto (dunfell) 3.1AMD GX-412TC SoCLinkGuard
Linux 5.4Intel® Xeon® Gold 5218 CPU @ 2.30GHzLiveAction LiveNX Appliance
Windows 10 ProIntel® Core™ i7-1255U @1.70 GHzDell Precision 3570
FreeBSD 10.3 on VMWare ESXi 7.0Intel® Xeon® Silver 4210 @2.20GHzSupermicro X11DPH-i (vnc-wolf)
Linux 5.15 on VMWare ESXi 7.0Intel® Xeon® Silver 4210 @2.20GHzSupermicro X11DPH-i (sdlc-wolf)
Debian GNU/Linux 8 (jessie)Broadcom BCM5634Corning 1LAN-SDDP-24POE (onl-armel)
Linux IPHO00550F22 4.1Broadcom BCM6858Corning 1LAN-SDAN-7691 (bcm6858x)
Debian GNU/Linux 8 (jessie)Intel® Atom™ C2558 @ 2.40GHzufiSpace Cloud and Data Center Switch S7810-54QS (onl-x86_64)
Linux IPHO00559B23 3.4Broadcom BCM6838Corning 1LAN-SDAN-7290 (bcm683xx)
VxWorks 7 SR0630Intel® Core™ i7-5850EQ @2.70GHzF-16 WASP
macOS Monterey 12.5Intel® Core™ i7-8569U @2.80GHzMacBook Pro
macOS Monterey 12.5Apple M1 MaxMacBook Pro
Windows 11 EnterpriseIntel® Core™ i7-10610U @1.80GHzDell Latitude 7410
Endace Crypto Firmware 1.0Intel® Xeon® Silver 4316 CPU @2.30GHzEndaceProbe 2144
macOS Monterey 12.5Apple M1MacBook Air
Vortec SchedulerStarCore SC3850 DSPAvaya MP160
VxWorks 7NXP T1024G450 Media Gateway
VxWorks 6.9NXP MPC8650G430 Media Gateway
VxWorks 6.9TNETV1050Sectéra vIPer™ Phone
VxWorks 5.5Marvell Poncat2 Sheeva™ML6416E
Janteq Zynq Linux 5.4Xilinx Zynq-7000 SoCAviTr3
Janteq Zynq Linux 4.19Xilinx Zynq Ultrascale+Bronte3
Janteq S5L Linux 4.9Ambarella S5L SoCMaximo
Endace Crypto Firmware 1.0Intel® Xeon® Gold 6338N CPU @2.20GHzEndaceProbe 2184
Endace Crypto Firmware 1.0Intel® Xeon® Gold 5418N CPU @1.80GHzEndaceProbe 94C8
Endace Crypto Firmware 1.0Intel® Xeon® Gold 6230N CPU @2.30GHzEndaceProbe 92C8
Janteq iMX8QM Linux version 5.4i.MX8 Quad Max SoCFlip2
Android 13QualComm SnapDragon 8 SoCSamsung Galaxy S22

Certificate #2425 Current OE List:

Operating SystemProcessorPlatform
Linux 3.13 (Ubuntu)Intel® Core™ i7-3720QM CPU @2.60GHz x 8HP EliteBook
iOS 8.1Apple™ A8iPhone™ 6
Android 4.4Qualcomm Krait 400Samsung Galaxy S5
FreeRTOS 7.6ST Micro STM32FuTrust TS Reader
Windows 7 (64-bit)Intel® Core™ i5Sony Vaio Pro
Linux 3.0 (SLES 11 SP4, 64-bit)Intel® Xeon® E3-1225Imprivata OneSign
Linux 3.0 (SLES 11 SP4, 64-bit) on Microsoft Hyper-V 2012R2 CoreIntel® Xeon® E5-2640Dell® PowerEdge™ r630
Linux 3.0 (SLES 11 SP4, 64-bit) on VMWare ESXi 5.5.0Intel® Xeon® E5-2640Dell® PowerEdge™ r630
Windows 7 (64-bit) on VMWare ESXi 5.5.0Intel® Xeon® E5-2640Dell® PowerEdge™ r630
Android Dalvik 4.2.2NXP i.MX6 MXT?700?NC 7” touch
panel
Linux 4.1.15NXP i.MX5NX?1200 NetLinx NX
Integrated Controller
Debian 8.8Intel Xeon® 1275v3CA PAM 304L Server
Windows Server 2012R2Intel® Xeon® E5335CA Technologies
PAMHAF995
Windows 7 Professional SP1Intel® Core™ i7?2640MDell™ Latitude™ E6520
Debian 8.7.0Intel ® Xeon® E3 Family with SGX supportIntel® x64 Server System
R1304SP
Windows 10 ProIntel ® Core ™ i5 with SGX supportDell™ Latitude™ 7480
NET+OS v7.6 Digi International NS9210Sigma IV infusion pump
Linux 4.4 (SLES 12 SP3, 64?
bit) on Microsoft Hyper?V
2016 Core
Intel® Xeon® E5?2650Dell® PowerEdge™ r720
Linux 4.4 (SLES 12 SP3, 64?
bit) on VMWare ESXi 6.5.0
Intel® Xeon® E5?2403Dell® PowerEdge™ r420