What is FIPS 140, and what do its four levels mean?
FIPS 140 = Federal Information Processing Standard, the US NIST publication that certifies cryptographic hardware/software modules. Levels 1–4 escalate from basic algorithm correctness to physical tamper-resistance.
* FIPS 140's tamper-resistance ladder: each level adds physical protection, from just using approved crypto (L1) to surviving environmental attack (L4). *
| Level | What it certifies |
|---|---|
| Level 1 | A reviewed algorithm or "bestätigte Sicherheitsfunktion" is used (e.g., AES, not home-grown crypto) |
| Level 2 | Adds basic tamper-detection (e.g., evidence stickers, locks) |
| Level 3 | Tamper-resistance: the module withstands physical attack to keep keys safe |
| Level 4 | Tamper-resistance even in hostile environments (extreme temperature, voltage attacks, EMI) — used for unattended high-value devices |
FIPS 140-2 and 140-3 are the current revisions (140-3 was published 2019 and aligns with ISO/IEC 19790).
Why this matters: US federal agencies are legally required to use FIPS-validated crypto. Companies selling into US government must therefore source FIPS-validated modules (e.g., FIPS-validated OpenSSL, smart cards, HSMs). The validation list is at csrc.nist.gov/projects/cryptographic-module-validation-program.
Tip: "FIPS-compliant" ≠ "FIPS-validated." A product can use FIPS-approved algorithms (compliant) without ever submitting a module for the lab evaluation (validated). Validation costs €100k+ and takes 12–24 months — only the validated ones can be sold to US federal customers.
Go deeper:
FIPS 140 (Wikipedia) — the four security levels and the shift from FIPS 140-2 to 140-3 (ISO/IEC 19790).
NIST Cryptographic Module Validation Program (CMVP) — the validation programme and searchable list of FIPS-validated modules.