What is FIPS 140-2, and what does it mean to be FIPS 140-2 compliant? In this article, we will go through the answers to both questions, including what it means to be certified and give you a list of FIPS 140-2 compliant algorithms.

What Is FIPS 140-2?

FIPS 140-2, Federal Information Processing Standard, is a security standard issued by the U.S. government to validate cryptographic modules. For you to meet the requirements for FIPS 140-2 and get a certification, your product must adhere to the stated security standards, which come in four levels. The different levels range from basic security to impenetrable security that also protects against environmental conditions and tampering.

Level 1

Level 1 provides the lowest level of security, requiring no further physical security mechanisms beyond production-grade components. An encryption board in a personal computer is one example of this security.

Data Protection Image

Level 2

Level 2 improves the security a bit by requiring features that show evidence of any tampering. Examples include coatings, seals, or secure locks that work to prevent unauthorized physical access. These must be broken to get access to the plaintext cryptographic keys and critical security parameters, or CSPs.

Level 3

Level 3 features the previous requirements but adds another layer of physical security mechanisms. Examples include tamper-proof circuitry that zeroes all plaintext CSPs when the physical module is tampered or breached.

Level 4

Level 4 is the highest security level, suitable for confidential material in unsafe environments, with immediate detection and response to any unauthorized attempts of physical access. When a threat is recognized, it instantly deletes all plaintext CSPs, rendering the module encrypted. This high level of security also protects against fluctuations in environmental conditions, such as a change in temperature or voltage, which can be proof for someone trying to tamper with module defenses.


Use WinZip Enterprise and Encrypt Files


What Does It Mean To Be FIPS 140-2 Compliant?

Being FIPS 140-2 compliant means that you adhere to the requirements set in the standard. Examples of companies who must adhere to FIPS 140-2 isn’t just the manufacturers of physical products. Private customer data is often in great need of security and usually requires FIPS 140-2 compliancy. For example, cloud servers need a certain level of protection as does software that holds critical information. Being compliant is not a guarantee for safety, as it's not validated. A FIPS 140-2 certification ensures that security.

What is FIPS 140-2 Certification?

After independent and thorough testing, one of 13 NIST-specified laboratories issue a FIPS 140-2 certification or validation if the product lives up to the security standards. The process takes weeks and sometimes needs redoing after failing. Getting a certification or validation can get expensive. Still, it gives you the ultimate proof that your product or service met strict security standards. By being FIPS 140-2 certified, you ensure both you and your customer's safety.

FIPS 140-2 Compliant Algorithms

There are several FIPS 140-2 compliant algorithms, including the secure AES encryption format found in WinZip.

Symmetric Key

- AES, Triple-DES, Escrowed Encryption Standard

Asymmetric Key

- DSA, RSA, ECDSA

Hash Standards

- SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256

Random number generators

See Annex C.

Message authentication

- CCM, GCM, GMAC, CMAC, HMAC

For an in-depth look into the FIPS 140-2 compliant algorithms, see Annex A.

Final Words

The FIPS 140-2 standards, ranging basic to high security, covers the necessary levels for a wide array of purposes. Today, you’ve learned what FIPS 140-2 is, how to be compliant, what certification means, and what the FIPS 140-2 compliant algorithms are.

If you are needing to securely share or store files on your computer, then WinZip is the software for you.


Use WinZip Enterprise to Encrypt Files with FIPS 140-2