Testing of crypto modules and crypto algorithms

FIPS PUB 140-3 is the de facto standard for the testing of crypto modules. Compliance with and certification to this standard fulfill the requirements of United States and Canadian public authorities. IT manufacturers who want to market products with encryption components in the USA therefore generally require certification according to FIPS 140-3.

The TÜViT test laboratory is the only one in Germany (NVLAP Lab Code: 200636-0) that is approved by the National Institute of Standards and Technology (NIST, USA) for testing and validation according to FIPS PUB 140-3.


A FIPS 140-3 evaluation body since 2005

Crypto products used by public authorities in the USA must be certified according to FIPS 140-3. However, validation or certification according to the US standard is required not only there, but also by banks, as their critical data must be cryptographically protected. Cryptographic mechanisms are being used in more and more IT products. In addition to the classic hardware security modules, storage media with hardware encryption, software modules, VPN solutions or smart cards are often also certified according to FIPS 140-3. This involves not only the security requirements for cryptographic algorithms, but also physical security.

Since 2005, TÜViT has been a reliable partner for companies that want to have their algorithm implementations and crypto modules tested and certified according to FIPS PUB 140-3. Depending on the security requirements, companies can choose between four security levels against which the crypto module is tested.

Our services at a glance

  • validation tests on implementations of cryptographic algorithms with the aim of certification with CAVP (Cryptographic Algorithm Validation Program)
  • validation tests on crypto modules (hardware, firmware, software or hybrid) according to FIPS PUB 140-3 with the aim of certification with CMVP (Cryptographic Module Validation Program)
  • pre-validation workshops to clarify the extent to which an existing or planned crypto module fulfills the requirements or what amendments need to be made
  • project consulting and document creation
  • additionally, we offer side-channel analyses, since FIPS 140-3 does not provide for vulnerability analysis

Your benefits at a glance

  • testing and validation according to the US standard FIPS 140-3 by a German provider
  • personal communication on your premises
  • handling of communication with the certification body in the USA/Canada on your behalf
  • support from the only approved FIPS 140-3 evaluation body in Germany
  • you benefit from more than ten years of experience with FIPS 140-3 validations
  • services that go beyond the actual certification (for example side-channel analysis)
  • compliance with the regulatory requirements through compliance testing (high relevance, inter alia, in the field of cards, payment transactions and the banking sector)

Project examples

TÜViT has successfully implemented the following projects in the FIPS 140-3 environment, among others:

  • Apollo OS by SCsquare (SC2), Israel
    • smart card operating system, firmware, security level 3
  • banksys DEP/PCI by Atos Worldline, Belgium
    • hardware security module, hardware/firmware, security level 3
  • Java Card Platform Implementation by ORACLE, USA
    • Java Card operating system, firmware, security level 3
  • PSD-I by FRAMA, Switzerland
    • hardware security module, hardware/firmware, security level 3
  • SAP Secure Login Library Crypto Kernel by SAP, Germany
    • crypto library for various operating systems, software, security level 1
  • Secure Mobile by Digital Defence, UK
    • security extension for Windows Mobile, software, security level 1

Further services

Evaluation Body for IT Security

With its evaluation body for IT security, TÜViT is one of the world's leading providers of testing services for IT products and systems. The evaluation body has been recognized by the German Federal Office for Information Security (BSI) since 1991 and accredited by the DAkkS, the German Accreditation Body, according to DIN EN ISO/IEC 17025.

Common Criteria

Globally-recognized security evaluations for IT components, products and systems: TÜViT is one of the world's leading testing service providers for Common Criteria. With our 50 licensed evaluators, we have successfully completed over 600 evaluation projects according to CC (from EAL1 to EAL7).


Hardware tests for more security: Hardware security modules or chip cards are used for the protection of sensitive data. TÜViT evaluates these IT products and their components in accordance with recognized international security standards and performs the necessary penetration tests in its own hardware test laboratory.


Making software subsequently secure is always complicated and expensive. This is why it is important to consider the subject of IT security at the beginning and throughout the entire life cycle within the framework of a Common Criteria (CC) evaluation.

Site Certification

Audit of development and production environments: If IT products are certified in accordance with the Common Criteria IT security standard or EMVCo, audits of development and production environments represent an integral part of the evaluation process. For many years now, TÜViT has been successfully carrying out site audits for production and development environments.

Technical Guidelines of the BSI

Security for government applications and health data: TÜViT is recognized by the German Federal Office for Information Security (BSI) as an evaluation body for Technical Guidelines (TR).

Electronic Payments

Components that are used within electronic payment systems must fulfil specific security standards and require corresponding approvals. TÜViT performs these approval procedures in its capacity as an accredited security assessor.


The FIDO Alliance has developed open standards especially for authentication solutions, allowing manufacturers to objectively demonstrate the security of their products. As a security laboratory accredited by the FIDO Alliance, TÜViT is entitled to perform corresponding evaluations.


TÜViT carries out security assessments throughout the entire product life cycle process in accordance with the NESAS standard. This enables us to offer network equipment manufacturers a complete audit and testing portfolio from a single source.