FIPS Compliance | RaaS - Random as a Service

What is FIPS 140?

FIPS 140 (Federal Information Processing Standard 140) is a U.S. government standard that specifies security requirements for cryptographic modules. Published by NIST (National Institute of Standards and Technology), it's the benchmark for cryptographic security in regulated industries.

📜 Current Standards

FIPS 140-2 — Published 2001, still widely accepted
FIPS 140-3 — Published 2019, based on ISO/IEC 19790:2012

FIPS 140-2 validations remain valid until September 2026, after which only FIPS 140-3 will be accepted for new validations.

Who Requires FIPS Compliance?

FIPS 140 compliance is mandatory or strongly recommended for:

Sector	Requirement	Regulations
U.S. Federal Government	Mandatory	FISMA, FedRAMP
Defense & Intelligence	Mandatory	DFARS, ITAR, CMMC
Healthcare	Strongly Recommended	HIPAA Security Rule
Financial Services	Required by Policy	PCI DSS, SOX, GLBA
Critical Infrastructure	Strongly Recommended	NERC CIP, NIST CSF
Canadian Government	Mandatory	ITSG-33

FIPS 140 Random Number Generation Requirements

FIPS 140-2/140-3 specifies strict requirements for Random Number Generators (RNGs) and Deterministic Random Bit Generators (DRBGs):

Approved RNG Algorithms (SP 800-90A)

Hash_DRBG — Based on approved hash functions (SHA-256, SHA-512)
HMAC_DRBG — Based on HMAC with approved hash functions
CTR_DRBG — Based on approved block ciphers (AES-128, AES-192, AES-256)

Entropy Requirements

Minimum 128 bits of entropy for instantiation
Entropy source must be validated per SP 800-90B
Continuous health testing of entropy source
Reseeding at defined intervals

How RaaS Achieves FIPS-Grade Randomness

✅ Our Approach

RaaS uses Go's crypto/rand package, which interfaces directly with the operating system's cryptographic random source. On Linux, this uses the getrandom() system call, which provides access to the kernel's CSPRNG (ChaCha20-based as of Linux 4.8+).

Component	Implementation	FIPS Alignment
Entropy Source	Linux kernel entropy pool (hardware RNG, interrupts, jitter)	✓ SP 800-90B
DRBG Algorithm	ChaCha20 (Linux kernel CSPRNG)	✓ Equivalent to CTR_DRBG
RSA Key Generation	Go crypto/rsa with crypto/rand	✓ FIPS 186-4
ECDSA Key Generation	Go crypto/ecdsa (P-224, P-256, P-384, P-521)	✓ FIPS 186-4
AES Key Generation	Direct crypto/rand bytes	✓ SP 800-133
UUID Generation	Version 4 (random) via crypto/rand	✓ RFC 4122

⚠️ Important Disclaimer

While RaaS uses FIPS-approved algorithms and entropy sources, the service itself has not undergone formal FIPS 140-2/140-3 validation by an accredited laboratory. Organizations requiring formally validated cryptographic modules should verify compliance requirements with their security team.

For environments requiring validated modules, our infrastructure runs on Linux with the option to enable FIPS mode, which activates the kernel's FIPS-validated cryptographic module.

FIPS-Approved Algorithms We Support

Algorithm	Key Sizes	FIPS Standard	API Endpoint
RSA	2048, 3072, 4096 bits	FIPS 186-4	`/api/crypto/rsa`
ECDSA	P-256, P-384, P-521	FIPS 186-4	`/api/crypto/ecdsa`
AES	128, 192, 256 bits	FIPS 197	`/api/crypto/aes`
SHA-256 (HMAC)	256+ bits	FIPS 180-4	`/api/crypto/hmac`

Note: Ed25519 is available but is not yet FIPS-approved (under consideration for FIPS 186-5). Use ECDSA with P-256 or higher for FIPS-compliant applications.

🏩 FIPS Compliance