A shield graphic, surrounded by graphics signifying technology and secure communication.

Why You Need to Upgrade to FIPS 140-3 Level 3, Military-Grade Mobile Data Protection

Aug 2024
Blog Home

When it comes to data protection and encryption, the de-facto global standard is generally driven by the National Institute of Standards and Measures (NIST). NIST is the U.S. agency that defined the Advanced Encryption Standard (AES), where AES 256-bit encryption in XTS mode is the best commercial encryption available for data protection. NIST publishes standards for the U.S. government and military called FIPS (Federal Information Processing Standard) to define and approve cryptographic standards, and the FIPS 140 series is used to define hardware and software encryption security.

Why should one opt for FIPS-validated solutions? As NIST explains, “non-validated cryptography is viewed by NIST as providing no protection to the information or data—in effect the data would be considered unprotected plaintext.”

FIPS 140-2 was approved in May 2001 and has been in effect for over 20 years, while computing power has increased exponentially in that time frame. While FIPS 140-2 is still considered strong military-grade security, NIST published the FIPS 140-3 standard and approved it in September 2019. To ensure compliance, NIST set up certified laboratories that conduct rigorous reviews and tests of software and physical drives for the industry, with results being reviewed by NIST scientists prior to the official award of a FIPS 140 series certificate.

Storage drives which are compliant with FIPS 140-3 have been launched since 2023, so governments and enterprises should start switching to FIPS 140-3 drives. These drives come with enhanced levels of protection, of which Level 3 is the gold standard with anti-tampering resistance to detect physical intrusion attempts using special epoxy on the physical circuitry.

FIPS 140-3 Enhancements over FIPS 140-2

A wireframe illuminated in blue with the FIPS 140-3 Level 3 Pending logo superimposed.

Since FIPS 140-2 was defined in the 20th century and approved in 2001, there was a need to define the 21st century update. FIPS 140-3 is the update for the remainder of the 2020 decade, and the next update for the following decade will include stronger protections for quantum computing.

XTS-AES 256-bit encryption used in hardware-encrypted storage drives work as follows: A user creates a password to a brand new or newly formatted drive. The secure microprocessor in the drive generates a hardware AES encryption key using its random number generator following the NIST standard and approved algorithms. If the random number generator is not truly random in the mathematical sense, it can create a vulnerability that can be exploited by supercomputers to attempt to recreate this unique encryption key.

FIPS 140-3 required manufacturers of secure microprocessors to enhance their internal random number generator to increase entropy (or randomness). Suffice to say that this single cryptographic enhancement has major mathematical consequences to ensure that XTS-AES encryption remains resilient to computer cracking for years if not decades longer – including sufficient protection against near-term quantum computers.

The following changes were also added:

  • Minimum PIN or password length: Passwords were increased from 7 to 8 characters for stronger password protection against automated password attacks. Note that brute force password protection should also be present to crypto-erase the drive to stop such attacks early on.
  • No preset PIN or password at the factory: All users must set a PIN or password upon first use of the drive.
  • Periodic self-testing: Each drive must do self-testing to ensure security is fully functional. If a problem is detected, the drive must shut down. This protection can detect malfunctions as well as potential attacks on the circuitry, which can manifest as malfunctions.
  • Automatic shutdown under excessive thermal and voltage conditions: If a drive exceeds preset levels, it must shut down. Hackers sometimes use side-channel attacks that result in extreme thermal and voltage conditions, this response can block specific attacks.

This is a massive simplification of the FIPS 140-3 Level 3 standard as it also includes many other protections and safeguards, many of them with complex cryptographic purposes. Typically, a new FIPS 140 standard requires up to 2 years of effort by manufacturers to redesign their secure microprocessors, enhance their drive firmware and how it processes Critical Security Parameters (CSPs), go through NIST-certified lab testing which even include source code reviews in addition to thorough testing, and finally introduce their drives to the market.

Note that drives can be designated as FIPS 140-3 Level 3 (Pending) because, after lab testing is complete, NIST can take up to 18 months to issue the final certificate because of the backlog of software and hardware certifications in its queue. Kingston only markets its drives after lab testing is complete. You can see pending certifications on this NIST web site.

Summary

Military-grade data protection follows the NIST-defined FIPS 140 Level 3 standard.

For the past two decades, FIPS 140-2 Level 3 has been the best commercial standard for portable storage USB and SSD drives. For the next decade, FIPS 140-3 Level 3 is the best practice for the most effective protection of mobile data.

Kingston has spent hundreds of thousands of dollars and several years of R&D effort to bring hardware-encrypted IronKey FIPS 140-3 Level 3 drives to market. These storage drives are designed from the ground up with data protection as their top design objective.

Kingston offers the flagship IronKey D500S USB drive as well as the Keypad 200 Series in USB-A or USB-C options which have passed FIPS 140-3 Level 3 compliance testing and are pending final NIST approval.

Related Videos

Trisha holding the DT2000 USB flash drive 2:53

Encrypted USB Flash Drives Explained

Encrypted USB flash drives keep your private data safe, but how do they work?

Trisha holding a IKVP80ES next to some graphics of a shield, a screen with code, and a padlock 5:38

The right way to securely store and access your files

For creatives producing content for high-profile clients, encrypted storage can secure your important files and help you fulfil your security responsibilities.

Trisha holding a giant 2.5” SSD next to a M.2 SSDs with a lock and Windows icon 5:02

Software vs Hardware Based Encryption

There are two main types of encryption - software encryption and hardware encryption.

Related articles