However, some parts of the standard remain specific to NIST, and one of these is the list of approved algorithms, which is in SP 800-140C – CMVP Approved Security Functions. This overrides Annex C of the ISO standard.
SP 800-140C is a list of references to NIST standards describing the approved algorithms and transition guidance. We summarize here the March 2020 version.
The March 2020 version of the document approves AES (but only in certain modes), 3DES (but only in three-key mode and only up to 2^20 blocks per triple-length key), and SKIPJACK (only for legacy decryption). The transition guidance gives a handy summary, reproduced below.
DSA, ECDSA and RSA are allowed, but only with certain parameters. Table 2 of the transition guide gives a summary.
The annex references the whole SHA family of functions, including the now broken SHA-1, the SHA-2 family (SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256), and the SHA-3 family and variants (SHA3-224, SHA3-256, SHA3-384, SHA3-512 as well as SHAKE128, SHAKE256 and derivatives cSHAKE, KMAC, TupleHash, and ParallelHash).
The transition document summarizes when SHA-1 can be used:
SHA-1 may only be used for digital signature generation where specifically allowed by NIST protocol-specific guidance. For all other applications, SHA-1 is disallowed for digital signature generation.
When used for digital signature verification, SHA-1 is allowed for legacy use.
HMAC is approved along with CMAC and GMAC modes of operation for approved block ciphers. Guidance is given in Table 9 of the transition document.
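The 3DES, SKIPJACK and SHA-1 conditions summarized above can be written as a small policy check. This is an added example, not code from SP 800-140C or from Cryptosense; the `CryptoUse` record, the status strings and the parity-masking rule for comparing DES keys are assumptions made for illustration.

```python
from dataclasses import dataclass

TDES_MAX_BLOCKS = 2 ** 20  # per triple-length key, from the summary above

@dataclass
class CryptoUse:
    """Hypothetical record of one observed cryptographic call."""
    algorithm: str                 # "AES", "3DES", "SKIPJACK" or "SHA-1"
    operation: str                 # "encrypt", "decrypt", "sign" or "verify"
    key: bytes = b""               # raw key, only inspected for 3DES
    blocks: int = 0                # blocks already processed under this key
    protocol_exception: bool = False  # NIST protocol guidance permits SHA-1 signing

def tdes_is_three_key(key: bytes) -> bool:
    """True for a 24-byte key whose three DES keys are pairwise distinct.

    Assumption: the low bit of each byte is DES parity, so it is masked
    before comparing; keys differing only in parity are the same key.
    """
    if len(key) != 24:
        return False
    parts = {bytes(b & 0xFE for b in key[i:i + 8]) for i in (0, 8, 16)}
    return len(parts) == 3

def classify(use: CryptoUse) -> str:
    """Return 'approved', 'legacy', 'not-approved' or 'review'."""
    alg, op = use.algorithm.upper(), use.operation.lower()
    if alg == "3DES":
        ok = tdes_is_three_key(use.key) and use.blocks <= TDES_MAX_BLOCKS
        return "approved" if ok else "not-approved"
    if alg == "SKIPJACK":
        return "legacy" if op == "decrypt" else "not-approved"
    if alg == "SHA-1":
        if op == "sign":
            return "approved" if use.protocol_exception else "not-approved"
        if op == "verify":
            return "legacy"
    # AES is approved only in certain modes, which the summary does not list,
    # so it and anything unrecognised are left for manual review.
    return "review"

if __name__ == "__main__":
    # Constructed sample: a 24-byte key that repeats K1 as K3 (two-key 3DES).
    two_key = bytes(range(16)) + bytes(range(8))
    print(classify(CryptoUse("3DES", "encrypt", key=two_key)))
```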
Checking FIPS 140-3 Compliance
Checking that a cryptographic module is compliant involves a testing process carried out by an approved laboratory. A module may be compliant even though it supports some legacy-only cryptography.
Showing that an application is compliant, for something like FedRAMP, requires showing that all cryptography is carried out by FIPS-approved modules, and use of legacy modes by new products is unlikely to be accepted.
Wading through thousands of lines of application code to find all the cryptographic calls, then verifying that they are calling the right algorithms, with the right parameters, and the right providers, is a time-consuming and error-prone business. Fortunately, our Cryptosense Analyzer software can take care of this simply and easily.