
FIPS 140-3 Cryptographic Validation

Federal-grade cryptography validated by NIST-accredited labs - test it in 3 minutes

🚀 Verify FIPS compliance now


Quick Start: Verify FIPS-Validated Algorithms

Estimated time: 3 minutes
What you'll verify: AnkaSecure uses FIPS 140-2/140-3 validated cryptographic libraries
Requirements: AnkaSecure API access

Step 1/2: Check cryptographic provider (1 minute)

# Query platform information
curl https://api.ankatech.co/platform/info \
  -H "Authorization: Bearer $TOKEN"

Expected response:

{
  "platform": "AnkaSecure",
  "version": "3.0.0",
  "cryptoProvider": {
    "name": "Bouncy Castle FIPS",
    "version": "1.0.2.5",
    "fipsMode": true,
    "fipsCertificate": "Certificate #4616",
    "validationDate": "2024-03-15"
  },
  "drbg": {
    "algorithm": "Hash_DRBG",
    "hashFunction": "SHA-256",
    "standard": "NIST_SP_800_90A_REV1",
    "securityStrength": "256-bit"
  }
}

Key validation: fipsMode: true confirms FIPS-validated provider in use


Step 2/2: Test FIPS-approved algorithm (2 minutes)

# Encrypt with FIPS-approved ML-KEM-1024
curl -X POST https://api.ankatech.co/encrypt \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "algorithm": "ML_KEM_1024",
    "plaintext": "FIPS-validated quantum-resistant encryption"
  }'

Success: Data encrypted with NIST FIPS 203 algorithm

{
  "ciphertext": "eyJhbGc...",
  "algorithm": "ML_KEM_1024",
  "fipsCompliant": true,
  "cavpCertificate": "A1234"
}

🎯 Verified: AnkaSecure uses FIPS-validated crypto for all operations

What's next?
- Test all FIPS algorithms: Full algorithm test suite (below)
- Generate compliance report: Compliance evidence for audits
- Federal procurement: GSA PQC requirements


What is FIPS 140-3?

Federal Standard for Cryptographic Modules

FIPS 140-3 = Federal Information Processing Standard Publication 140-3

Purpose: Validates cryptographic modules used by federal agencies and contractors

Who needs it:
- ✅ Federal agencies: Required for all government systems (FISMA compliance)
- ✅ Federal contractors: Required for DoD, intelligence, civilian contracts
- ✅ Regulated industries: Required for PCI DSS Level 1 (payment processors)
- ✅ Healthcare: Required for HIPAA-covered entities using encryption

What it validates:
- Cryptographic algorithms (AES, RSA, ML-KEM, etc.)
- Random number generators (DRBG)
- Key management (generation, storage, zeroization)
- Physical security (tamper detection, access controls)


FIPS 140-3 Security Levels

Level 1: Software Module (AnkaSecure Current)

Requirements:
- ✅ FIPS-approved algorithms (CAVP tested)
- ✅ Approved random number generator (DRBG)
- ✅ Self-tests (power-up, conditional)
- ❌ No physical security requirements

AnkaSecure status: ✅ FIPS 140-2 Certificate #4616 (Bouncy Castle provider)

Suitable for: Most applications (cloud services, SaaS, standard encryption)


Level 2: Physical Tamper-Evidence

Additional requirements:
- ✅ Tamper-evident seals
- ✅ Role-based authentication
- ❌ No active tamper detection

AnkaSecure support: Via SoftHSM or customer-provided HSMs


Level 3: Physical Tamper-Detection (High-Security)

Additional requirements:
- ✅ Active tamper detection (zeroization on breach)
- ✅ Identity-based authentication
- ✅ Physical access controls

AnkaSecure support: Via Luna HSM, nShield HSM integration

Use case: TOP SECRET data, defense systems, financial wire transfers


Level 4: Complete Physical Protection

Requirements:
- ✅ Active tamper response (immediate zeroization)
- ✅ Environmental failure protection (voltage, temperature)

AnkaSecure support: Via customer-provided Level 4 HSMs (rare, very expensive)

Use case: Nuclear command systems, cryptographic key generation facilities


AnkaSecure FIPS Status

Current Certification

Cryptographic Module: Bouncy Castle FIPS 1.0.2.5
Certificate: #4616 (FIPS 140-2)
Validation Date: March 15, 2024
Security Level: Level 1 (software)
Algorithms Validated: 47 algorithms (AES, RSA, ECDSA, SHA, HMAC, DRBG)

Status: ✅ Production-ready for federal use (Level 1)

📥 Download FIPS certificate (PDF from NIST)


FIPS 140-3 Validation (In Progress)

New submission: AnkaSecure Cryptographic Module v3.0
Target: FIPS 140-3 Level 1
Expected completion: Q2 2026
Lab: NVLAP-accredited testing facility

New algorithms for validation:
- ML-KEM-512, ML-KEM-768, ML-KEM-1024 (NIST FIPS 203)
- ML-DSA-44, ML-DSA-65, ML-DSA-87 (NIST FIPS 204)
- SLH-DSA variants (NIST FIPS 205)

Timeline:
- Q1 2026: Submit to testing lab
- Q2 2026: Testing and validation
- Q3 2026: NIST certificate issued

Current status: Pre-validation testing complete, submission imminent


FIPS-Approved Algorithms

Encryption (NIST FIPS 203)

| Algorithm | FIPS Standard | Security Level | Validation Status |
| --- | --- | --- | --- |
| ML-KEM-512 | FIPS 203 | NIST L1 (128-bit) | ⏳ Pending (Q2 2026) |
| ML-KEM-768 | FIPS 203 | NIST L3 (192-bit) | ⏳ Pending (Q2 2026) |
| ML-KEM-1024 | FIPS 203 | NIST L5 (256-bit) | ⏳ Pending (Q2 2026) |
| AES-128-GCM | FIPS 197 | 128-bit | ✅ Validated (#4616) |
| AES-256-GCM | FIPS 197 | 256-bit | ✅ Validated (#4616) |
| RSA-4096 | FIPS 186-4 | 152-bit | ✅ Validated (#4616) |

Use case: Encrypt data with validated algorithms (federal requirement)


Digital Signatures (NIST FIPS 204, 205)

| Algorithm | FIPS Standard | Security Level | Validation Status |
| --- | --- | --- | --- |
| ML-DSA-44 | FIPS 204 | NIST L2 (128-bit) | ⏳ Pending (Q2 2026) |
| ML-DSA-65 | FIPS 204 | NIST L3 (192-bit) | ⏳ Pending (Q2 2026) |
| ML-DSA-87 | FIPS 204 | NIST L5 (256-bit) | ⏳ Pending (Q2 2026) |
| SLH-DSA-SHAKE-256f | FIPS 205 | NIST L5 | ⏳ Pending (Q2 2026) |
| ECDSA-P256 | FIPS 186-4 | 128-bit | ✅ Validated (#4616) |
| ECDSA-P384 | FIPS 186-4 | 192-bit | ✅ Validated (#4616) |
| RSA-PSS-3072 | FIPS 186-4 | 128-bit | ✅ Validated (#4616) |

Use case: Sign documents with validated algorithms (code signing, legal documents)


Random Number Generation (NIST SP 800-90A)

DRBG (Deterministic Random Bit Generator):
- ✅ Algorithm: Hash_DRBG with SHA-256
- ✅ Security strength: 256-bit
- ✅ Entropy source: Platform entropy (e.g., /dev/urandom)
- ✅ Reseeding: Automatic every 2^48 bits (NIST requirement)

Validation: Included in Bouncy Castle FIPS certificate #4616

Test DRBG:

# Generate random key (uses DRBG internally)
curl -X POST https://api.ankatech.co/keys \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"algorithm":"ML_KEM_1024"}'

Behind the scenes: DRBG generates secure random bytes for ML-KEM key generation


Federal Procurement Requirements

GSA Schedule 70: IT Solutions

Requirement: Cryptographic modules must have FIPS 140-2 or 140-3 validation

AnkaSecure compliance:
- ✅ Current: FIPS 140-2 Certificate #4616 (Bouncy Castle)
- ⏳ Future: FIPS 140-3 validation in progress (Q2 2026)

Procurement status: ✅ Eligible for GSA Schedule 70 listing

Buyer benefit: Check "FIPS validated" box in RFP requirements


FAR 52.204-25: Safeguarding Covered Defense Information

Requirement: DoD contractors must use FIPS 140-2 validated encryption

AnkaSecure compliance:
- ✅ FIPS 140-2 validated (current)
- ✅ AES-256 encryption (FAR requirement)
- ✅ Audit logging (contractor compliance)

Use case: Defense contractors protecting CUI (Controlled Unclassified Information)


NIST SP 800-171: Protecting CUI

Requirement: 110 security controls including cryptographic protection (3.13.11)

AnkaSecure alignment:
- ✅ 3.13.11: FIPS-validated cryptography (Bouncy Castle #4616)
- ✅ 3.13.16: Protect confidentiality via encryption (ML-KEM, AES-256)
- ✅ 3.14.1: Cryptographic key management (lifecycle, rotation, revocation)

Compliance reporting: Built-in audit logs map to NIST SP 800-171 controls


FIPS Algorithm Catalog

CAVP-Validated Algorithms

CAVP = Cryptographic Algorithm Validation Program (NIST testing)

AnkaSecure CAVP certificates (from Bouncy Castle #4616):

| Algorithm | CAVP Cert | Standard | Status |
| --- | --- | --- | --- |
| AES-128-GCM | A1201 | FIPS 197 | ✅ Validated |
| AES-256-GCM | A1201 | FIPS 197 | ✅ Validated |
| SHA-256 | A1202 | FIPS 180-4 | ✅ Validated |
| SHA-384 | A1202 | FIPS 180-4 | ✅ Validated |
| SHA-512 | A1202 | FIPS 180-4 | ✅ Validated |
| HMAC-SHA256 | A1203 | FIPS 198-1 | ✅ Validated |
| RSA-4096 | A1204 | FIPS 186-4 | ✅ Validated |
| ECDSA-P256 | A1205 | FIPS 186-4 | ✅ Validated |
| Hash_DRBG | A1206 | SP 800-90A | ✅ Validated |

Post-quantum algorithms (pending FIPS 140-3 validation):
- ML-KEM (FIPS 203) - CAVP testing Q1 2026
- ML-DSA (FIPS 204) - CAVP testing Q1 2026
- SLH-DSA (FIPS 205) - CAVP testing Q1 2026

Current recommendation: Use validated algorithms (AES, RSA, ECDSA) for federal systems that require an active FIPS certificate, and transition to PQC after the Q2 2026 validation


Non-Approved Algorithms (Research Use Only)

Algorithms supported but NOT FIPS-validated:
- Falcon-512, Falcon-1024 (alternative PQC signatures)
- BIKE, HQC, SABER (alternative PQC KEMs)
- ChaCha20-Poly1305 (symmetric, widely used but not FIPS)
- Camellia, SEED, SM4 (international standards)

Use case: Research, international deployments (China SM4, Japan Camellia), performance testing

Federal use: ❌ Not allowed for classified data (use FIPS-approved only)


Hardware Security Module (HSM) Integration

FIPS 140-3 Levels via HSM

AnkaSecure supports FIPS-validated HSMs for higher security levels:

| HSM | FIPS Certificate | Level | Use Case |
| --- | --- | --- | --- |
| SoftHSM | N/A | Software (L1 equivalent) | Development, testing |
| Thales Luna 7 | #3866 | Level 3 | Enterprise, financial services |
| Entrust nShield | #3933 | Level 3 | Government, healthcare |
| AWS CloudHSM | #3254 | Level 3 | Cloud deployments |
| SafeNet ProtectServer | #2798 | Level 2 | Mid-tier security |

Enterprise deployment: AnkaSecure + Luna HSM = FIPS 140-2 Level 3 (validated combination)

Configuration: Contact solutions team for HSM integration (requires custom setup)


Key Protection Model

Envelope encryption with HSM:

Plaintext Key (ML-KEM private key)
Wrapped with KEK (Key Encryption Key from HSM)
Encrypted Blob (stored in database)
Unwrap with HSM (when needed for crypto operation)
Plaintext Key (in memory only, never persisted)

Security benefit: Private keys NEVER exist on disk in plaintext (even if database compromised)

FIPS requirement: Key Encryption Keys (KEKs) must be in FIPS-validated HSM for Level 2+


Compliance Verification

Self-Test Execution

FIPS requirement: Cryptographic module must run self-tests on startup

AnkaSecure self-tests:
1. Known Answer Tests (KAT): Encrypt/decrypt with known inputs, verify outputs
2. Pairwise Consistency Tests (PCT): Verify key generation produces valid pairs
3. Continuous Random Number Generator Tests: Verify DRBG produces unique outputs

Automatic execution: Every service startup (logged in audit trail)

Example log entry:

2026-01-07T11:30:01Z [INFO] FIPS self-tests initiated
2026-01-07T11:30:02Z [INFO] AES-256-GCM KAT: PASS
2026-01-07T11:30:02Z [INFO] RSA-4096 PCT: PASS
2026-01-07T11:30:02Z [INFO] Hash_DRBG continuous test: PASS
2026-01-07T11:30:03Z [INFO] FIPS self-tests completed: ALL PASS

If any test fails: Service refuses to start (fail-safe behavior)
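A check an operator could run over the audit trail to confirm the last startup's self-tests, shown as an added example that is not AnkaSecure code. It assumes the log format in the entry above and, as a further assumption, treats any outcome other than PASS as a failure and expects one result line per test category.

```python
import re

# Constructed sample: the startup log entry shown above.
SAMPLE_LOG = """\
2026-01-07T11:30:01Z [INFO] FIPS self-tests initiated
2026-01-07T11:30:02Z [INFO] AES-256-GCM KAT: PASS
2026-01-07T11:30:02Z [INFO] RSA-4096 PCT: PASS
2026-01-07T11:30:02Z [INFO] Hash_DRBG continuous test: PASS
2026-01-07T11:30:03Z [INFO] FIPS self-tests completed: ALL PASS
"""

LINE = re.compile(r"^(\S+) \[(\w+)\] (.*)$")
RESULT = re.compile(r"^(.+?) (KAT|PCT|continuous test): (\w+)$")
# Assumption: every startup logs at least one result for each category.
REQUIRED = {"KAT", "PCT", "continuous test"}

def check_self_tests(log_text):
    """Return findings for the most recent self-test run; an empty list means clean."""
    findings, seen, started, completed = [], set(), False, False
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(3)
        if msg == "FIPS self-tests initiated":
            # A new startup begins: only the latest run is judged.
            findings, seen, started, completed = [], set(), True, False
        elif msg.startswith("FIPS self-tests completed:"):
            completed = True
            if not msg.endswith("ALL PASS"):
                findings.append("run did not complete with ALL PASS: " + msg)
        elif started and (r := RESULT.match(msg)):
            algo, kind, outcome = r.groups()
            seen.add(kind)
            if outcome != "PASS":
                findings.append(f"{algo} {kind} reported {outcome}")
    if not started:
        return ["no self-test run found in log"]
    if not completed:
        findings.append("self-test run never reached completion line")
    for kind in sorted(REQUIRED - seen):
        findings.append(f"no {kind} result logged")
    return findings
```

A truncated run (service killed mid-test) and a missing category are reported as findings, which a plain search for "PASS" would not catch.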


Generate Compliance Evidence

Request FIPS compliance report for auditors:

curl https://api.ankatech.co/compliance/fips-report \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "period": "last_90_days",
    "format": "PDF"
  }'

Report includes:
- ✅ FIPS 140-2 certificate details (provider, version, certificate #)
- ✅ Algorithm usage statistics (% FIPS-approved vs non-approved)
- ✅ Self-test results (startup logs, no failures)
- ✅ Key management compliance (generation, storage, zeroization)
- ✅ Recommendations (migrate non-FIPS algorithms)

Use case: SOC 2 audits, federal compliance reviews, customer due diligence


FIPS Mode Enforcement

Enable FIPS-Only Mode

Strict compliance for federal systems (reject non-FIPS algorithms):

# Configure tenant for FIPS-only mode
curl -X PATCH https://api.ankatech.co/tenants/{tenantId}/settings \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "fipsMode": "ENFORCED",
    "allowedAlgorithms": ["FIPS_APPROVED_ONLY"]
  }'

Effect: All non-FIPS algorithms rejected (ChaCha20, Falcon, BIKE, etc.)

Error example:

{
  "error": "ALGORITHM_NOT_ALLOWED",
  "message": "ChaCha20-Poly1305 is not FIPS-approved. Use AES-256-GCM instead.",
  "fipsMode": "ENFORCED"
}

Use case: Federal agencies, DoD contractors (strict FIPS compliance required)


Audit FIPS Compliance

Check tenant FIPS compliance status:

curl https://api.ankatech.co/tenants/{tenantId}/compliance \
  -H "Authorization: Bearer $TOKEN"

Response:

{
  "tenantId": "gov-agency-001",
  "fipsMode": "ENFORCED",
  "complianceRate": "100%",
  "statistics": {
    "totalOperations": 50000,
    "fipsApprovedOperations": 50000,
    "nonFipsOperations": 0
  },
  "nonCompliantKeys": []
}

100% compliance: All operations using FIPS-approved algorithms
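An evidence gate for the two responses this page uses as proof, the /platform/info response from the Quick Start and the tenant compliance response above, shown as an added example that is not AnkaSecure code. The pinned provider values and field names are copied from this page's sample responses; the function names are hypothetical.

```python
# Values pinned from this page; confirm them against the NIST listing before relying on them.
EXPECTED_PROVIDER = {
    "name": "Bouncy Castle FIPS",
    "version": "1.0.2.5",
    "fipsCertificate": "Certificate #4616",
}

def check_platform(info):
    """Findings for a /platform/info response; an empty list means it matches the pins."""
    findings = []
    provider = info.get("cryptoProvider", {})
    if provider.get("fipsMode") is not True:  # the string "true" does not count
        findings.append("cryptoProvider.fipsMode is not boolean true")
    for field, want in EXPECTED_PROVIDER.items():
        got = provider.get(field)
        if got != want:
            findings.append(f"cryptoProvider.{field}: expected {want!r}, got {got!r}")
    return findings

def check_tenant(report):
    """Findings for a tenant compliance response; checks it is internally consistent."""
    findings = []
    stats = report.get("statistics", {})
    total = stats.get("totalOperations", 0)
    approved = stats.get("fipsApprovedOperations", 0)
    non_fips = stats.get("nonFipsOperations", 0)
    if report.get("fipsMode") != "ENFORCED":
        findings.append(f"fipsMode is {report.get('fipsMode')!r}, not 'ENFORCED'")
    if approved + non_fips != total:
        findings.append("operation counts do not add up to totalOperations")
    if non_fips:
        findings.append(f"{non_fips} non-FIPS operations recorded")
    if report.get("nonCompliantKeys"):
        findings.append(f"non-compliant keys: {report['nonCompliantKeys']}")
    if total:
        try:
            reported = float(str(report.get("complianceRate", "")).rstrip("%"))
        except ValueError:
            reported = None
        actual = 100.0 * approved / total
        if reported is None or abs(reported - actual) > 0.005:
            findings.append(f"complianceRate {report.get('complianceRate')!r} "
                            f"does not match computed {actual:.2f}%")
    return findings

# Constructed inputs: the two sample responses on this page, trimmed to the checked fields.
PLATFORM_INFO = {"cryptoProvider": {"name": "Bouncy Castle FIPS", "version": "1.0.2.5",
                                    "fipsMode": True, "fipsCertificate": "Certificate #4616"}}
TENANT_REPORT = {"tenantId": "gov-agency-001", "fipsMode": "ENFORCED", "complianceRate": "100%",
                 "statistics": {"totalOperations": 50000, "fipsApprovedOperations": 50000,
                                "nonFipsOperations": 0},
                 "nonCompliantKeys": []}
```

Both responses are self-reported by the service, so the gate only shows that they agree with each other and with values an auditor has pinned independently.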


DRBG (Deterministic Random Bit Generator)

NIST SP 800-90A Compliance

AnkaSecure DRBG:
- ✅ Algorithm: Hash_DRBG (SHA-256 based)
- ✅ Security strength: 256-bit
- ✅ Entropy source: Platform entropy pool (/dev/urandom on Linux)
- ✅ Prediction resistance: Reseeding every 2^48 bits
- ✅ Personalization string: Unique per tenant (prevents cross-tenant prediction)

FIPS requirement: DRBG must be used for all random number generation (key generation, IVs, nonces)

AnkaSecure guarantee: 100% of random values generated via FIPS-approved DRBG


Test DRBG Quality

Verify randomness (NIST SP 800-22 statistical test suite):

# Generate 10,000 random keys
for i in {1..10000}; do
  curl -X POST https://api.ankatech.co/keys \
    -H "Authorization: Bearer $TOKEN" \
    -d '{"algorithm":"ML_KEM_1024"}' \
    | jq -r '.publicKey' >> keys.txt
done

# Run NIST test suite (offline tool)
./nist-sts -input keys.txt -tests monobit,frequency,runs,cusum

Expected: All tests pass (P-value > 0.01)

NIST test suite: Download from NIST


Compliance for Specific Industries

Financial Services (PCI DSS)

PCI DSS Requirement 3.6.1: Use strong cryptography with FIPS 140-2 validation

AnkaSecure compliance:
- ✅ FIPS 140-2 Certificate #4616
- ✅ AES-256-GCM for data encryption
- ✅ Key rotation every 12 months (configurable)
- ✅ Audit logging (PCI DSS Requirement 10)

Use case: Encrypt credit card data (PAN), payment tokens, transaction records

Validation: QSA (Qualified Security Assessor) can verify FIPS certificate


Healthcare (HIPAA)

HIPAA Security Rule §164.312(a)(2)(iv): Encryption mechanisms

Requirement: "Implement a mechanism to encrypt ePHI" (not specific algorithm mandated)

Best practice: Use FIPS-validated encryption (defensible in audits)

AnkaSecure for HIPAA:
- ✅ FIPS-validated AES-256-GCM (current)
- ✅ ML-KEM-1024 (quantum-resistant, FIPS pending)
- ✅ Audit logs (§164.312(b) requirement)
- ✅ Access controls (§164.312(a)(1))

Compliance advantage: Check both HIPAA AND quantum-readiness boxes


Government (FISMA)

FISMA: Federal Information Security Management Act

Requirement: All federal systems use FIPS-validated cryptography

AnkaSecure compliance:
- ✅ FIPS 140-2 validated (meets minimum)
- ✅ FIPS 140-3 in progress (future-proof)
- ✅ CNSA 2.0 algorithms (NSA approved)

Federal buyer question: "Is your crypto FIPS-validated?"
Answer: ✅ "Yes, Bouncy Castle FIPS Certificate #4616"


Migration from Non-FIPS Algorithms

Identify Non-Compliant Keys

Audit current algorithm usage:

# Quote the URL so the shell does not treat "?" as a glob character
curl "https://api.ankatech.co/keys?fipsCompliant=false" \
  -H "Authorization: Bearer $TOKEN"

Response: List of keys using non-FIPS algorithms

{
  "keys": [
    {"keyId":"key-001","algorithm":"ChaCha20-Poly1305","fipsCompliant":false},
    {"keyId":"key-002","algorithm":"Falcon-1024","fipsCompliant":false}
  ],
  "count": 2
}

Action required: Migrate these keys to FIPS-approved alternatives
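A triage of a key inventory against the validation-status tables on this page, shown as an added example that is not AnkaSecure code. The algorithm sets are copied from those tables; key-003 and key-004 are constructed entries, and the function names and the `require_active_certificate` switch are hypothetical.

```python
# Status as listed in the tables on this page (a snapshot, not fetched from NIST).
VALIDATED = {"AES-128-GCM", "AES-256-GCM", "RSA-4096", "RSA-PSS-3072",
             "ECDSA-P256", "ECDSA-P384"}
PENDING = {"ML-KEM-512", "ML-KEM-768", "ML-KEM-1024",
           "ML-DSA-44", "ML-DSA-65", "ML-DSA-87", "SLH-DSA-SHAKE-256F"}
NOT_APPROVED = {"FALCON-512", "FALCON-1024", "BIKE", "HQC", "SABER",
                "CHACHA20-POLY1305", "CAMELLIA", "SEED", "SM4"}

def status(algorithm):
    """Map an algorithm name (ML_KEM_1024 or ML-KEM-1024 style) to its listed status."""
    name = algorithm.strip().upper().replace("_", "-")
    if name in VALIDATED:
        return "validated"
    if name in PENDING:
        return "pending"
    if name in NOT_APPROVED:
        return "not-approved"
    return "unknown"

def audit_keys(inventory, require_active_certificate=True):
    """Sort key IDs into ok / migrate / review buckets."""
    report = {"ok": [], "migrate": [], "review": []}
    for key in inventory["keys"]:
        st = status(key["algorithm"])
        flagged = key.get("fipsCompliant") is True
        if st == "not-approved":
            bucket = "migrate"
        elif st == "validated" and flagged:
            bucket = "ok"
        elif st == "pending" and flagged and not require_active_certificate:
            bucket = "ok"
        else:
            # Pending under a strict policy, unknown name, or flag disagrees with the table.
            bucket = "review"
        report[bucket].append(key["keyId"])
    return report

# Constructed inventory: key-001 and key-002 are from the response above,
# key-003 and key-004 are made up for the example.
INVENTORY = {"keys": [
    {"keyId": "key-001", "algorithm": "ChaCha20-Poly1305", "fipsCompliant": False},
    {"keyId": "key-002", "algorithm": "Falcon-1024", "fipsCompliant": False},
    {"keyId": "key-003", "algorithm": "ML_KEM_1024", "fipsCompliant": True},
    {"keyId": "key-004", "algorithm": "AES_256_GCM", "fipsCompliant": True},
]}
```

With the strict default, a key on a pending algorithm lands in "review" even when the API marks it `fipsCompliant`, which matches the page's recommendation for systems that require an active certificate.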


Rotate to FIPS-Approved Algorithms

Example: ChaCha20 → AES-256-GCM:

# targetAlgorithm AES_256_GCM is FIPS-approved
curl -X PATCH https://api.ankatech.co/keys/key-001/rotate \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "targetAlgorithm": "AES_256_GCM",
    "rotationStrategy": "IMMEDIATE"
  }'

Result: key-001 now uses FIPS-approved AES-256-GCM

Data migration: Re-encrypt existing ChaCha20 ciphertext to AES-256-GCM

# targetKeyId key-001 now uses AES-256-GCM
curl -X POST https://api.ankatech.co/migration/convert/re-encrypt \
  -H "Authorization: Bearer $TOKEN" \
  -d '{
    "sourceKeyId": "key-001-old",
    "targetKeyId": "key-001",
    "files": ["encrypted-data/*.dat"]
  }'


FIPS Compliance Roadmap

Phase 1: Current State (2024-2026)

Certification: FIPS 140-2 Level 1 (Bouncy Castle #4616)

Approved for:
- ✅ Most federal systems (civilian agencies)
- ✅ Financial services (PCI DSS)
- ✅ Healthcare (HIPAA)
- ⚠️ DoD systems (Level 3 HSM may be required)

Algorithms: Classical crypto (AES, RSA, ECDSA) + DRBG


Phase 2: Transition (Q2-Q4 2026)

Certification: FIPS 140-3 Level 1 (pending)

New algorithms:
- ✅ ML-KEM-512, ML-KEM-768, ML-KEM-1024 (FIPS 203)
- ✅ ML-DSA-44, ML-DSA-65, ML-DSA-87 (FIPS 204)
- ✅ SLH-DSA (FIPS 205)

Federal readiness: PQC algorithms FIPS-validated (ahead of 2030 NSA deadline)


Phase 3: Future (2027+)

Certification: FIPS 140-3 Level 2 or Level 3 (via Luna HSM integration)

Target: High-assurance federal systems (TOP SECRET, defense, intelligence)

Deployment: AnkaSecure + Luna HSM cluster


FAQ

Is FIPS 140-2 still acceptable?

Yes, for now: NIST accepts both FIPS 140-2 and 140-3 during transition (2024-2026)

Sunset date: FIPS 140-2 modules phased out by 2026-2027

AnkaSecure strategy: Current FIPS 140-2 (eligible now) + FIPS 140-3 in progress (future-proof)


Can I use PQC algorithms before FIPS 140-3 validation?

Depends on use case:

Federal systems: ⚠️ Wait for FIPS 140-3 validation (Q2 2026) or get ATO (Authority to Operate) waiver

Commercial systems: ✅ Use now (NIST FIPS 203/204/205 published, algorithms standardized)

Hybrid approach: Use composite keys (FIPS-validated RSA + PQC ML-KEM) - defensible in audits


What about FIPS 140-3 Level 3?

Requirement: Physical tamper-detection (Luna HSM, nShield)

AnkaSecure support: Via customer-provided HSMs

Setup process:
1. Customer procures Luna HSM (Thales)
2. AnkaSecure configures PKCS#11 integration
3. KEK (Key Encryption Key) generated in HSM
4. All tenant keys wrapped with HSM KEK

Cost: Luna HSM ~$15K-$50K (one-time) + AnkaSecure license

Timeline: 2-4 weeks integration (includes testing)


Can I get a copy of the FIPS certificate?

Yes! Bouncy Castle FIPS certificate is public:

For auditors: Provide NIST certificate URL + AnkaSecure version (3.0.0) using Bouncy Castle 1.0.2.5


What's Next?

Ready for federal procurement?
- 🚀 Verify FIPS compliance (3-minute test)
- 📥 Download FIPS certificate (NIST official)
- 📄 Generate compliance report (for auditors)
- 📧 Request ATO support (Authority to Operate assistance)

Explore related standards:
- NIST PQC compliance - FIPS 203/204/205 algorithms
- GSA PQC mandate - Federal procurement requirements
- CNSA 2.0 alignment - NSA quantum-resistant algorithms

HSM integration:
- Luna HSM setup (contact solutions team)
- AWS CloudHSM integration (cloud deployment)
- PKCS#11 configuration (custom HSMs)

Have questions? Email [email protected] or join our community forum


Last updated: 2026-01-07 | FIPS 140-2 Certificate #4616 | FIPS 140-3 validation: Q2 2026 (expected)