FIPS 140-2 Validation

Are your CryptoSys products validated to FIPS 140?

No. It's just too expensive and we suspect know that not enough customers would pay the price that would make the capital outlay worth it. According to Peter Gutmann, the generally-accepted overall cost for a FIPS 140 level 1 evaluation is about US$100,000. Divide that by the expected number of people who'd pay for it (five?) and work it out.

To what level could it be validated?

Our CryptoSys products are pure software products. They could be validated to meet FIPS 140 security level 1. In FIPS 140 terms, the software would be a "multi-chip standalone module" consisting of a DLL file. The "cryptographic boundary" would be the applicable software and hardware components internal to the host processor running the Windows Operating System.

Would your software comply?

We've incorporated most of the required self-tests and cryptographic algorithm tests into the compiled modules. These occur automatically when the modules are first used. We've successfully run tests against all the relevant published NIST test vectors, and we've never had any reported discrepancy against the standards since we launched the software in 2001 despite being used by thousands of users.

We are confident that all the cryptographic algorithms that could be validated against their respective FIPS standards in both CryptoSys API and CryptoSys PKI will comply.

Will you ever get validation?

Almost certainly not. Based on the feedback we've had so far, (a) there really isn't much demand for it and (b) people's expectations of the premium they'd pay for such a product are totally unrealistic. Besides, you cannot change a FIPS 140 validated module without considerable expense and effort. So we'd have to pay $K just to release an upgrade. Forget it.

More on FIPS 140

It took the OpenSSL people five years to get a sub-set of their software validated. By then the module validated was three years old. OpenSSL were sponsored by some heavy people with big wallets.


For more information, please send us a message.

This page last updated 14 April 2022