KORTHEXkorthex.flowence.cc

Compliance / NIST FIPS 140-3

NIST FIPS 140-3 Scanner

Korthex maps every cryptographic finding in your stack against NIST FIPS 140-3: it flags non-approved algorithms, weak key sizes and risky modes across source code in 18 languages, dependencies, binaries, TLS certificates and databases, with file and line evidence and a compliance status per finding. 100% on-premise.

What FIPS 140-3 requires

FIPS 140-3 is the current US and Canadian standard for cryptographic modules, superseding FIPS 140-2. It defines which algorithms are approved (AES, the SHA-2 and SHA-3 families, approved RSA and ECDSA parameter sets, and since August 2024 the post-quantum standards ML-KEM, ML-DSA and SLH-DSA) and which are not (MD5, SHA-1 for signatures, DES, 3DES, RC4).

The deadline pressure is concrete: the CMVP moves remaining FIPS 140-2 certificates to the historical list in September 2026. Any system that claimed FIPS 140-2 compliance needs to know exactly which cryptography it actually runs before pointing at a 140-3 module.

What Korthex flags against FIPS 140-3

  • Non-approved primitives: MD5, SHA-1 signatures, DES, 3DES, RC4, Blowfish, wherever they appear in code, dependencies or binaries
  • Legacy key sizes: RSA below 2048 bit, ECC below 256 bit, in code and in certificates
  • Risky mode usage: AES-ECB, CBC without integrity protection, missing IVs, key reuse
  • Weak randomness sources feeding key or IV material
  • TLS configurations negotiating non-approved cipher suites
  • Post-quantum exposure: RSA, ECC and DH findings carry their FIPS 203 / 204 / 205 successor per NIST IR 8547 timelines (deprecated after 2030, disallowed after 2035)

Audit-ready evidence

Every finding lands in the Cryptographic Bill of Materials with file path, line number, severity, a taint-based verdict and its compliance status. Export as PDF for assessors or CycloneDX, SARIF and JSON for tooling. The CBOM is the artifact you hand to an auditor to show where your cryptography stands, and the CI/CD gate keeps it current between assessments.

What Korthex does not do

Korthex does not certify cryptographic modules. Certification is performed by accredited laboratories under the CMVP. Korthex answers the question that comes before and after certification: where does non-approved cryptography live in your actual codebase, what replaces it, and has anything regressed since the last assessment.

Frequently asked questions

Is FIPS 140-2 still valid?

FIPS 140-2 certificates remain on the active list only until September 2026, when the CMVP moves them to the historical list. New procurement references FIPS 140-3. The practical consequence: inventory your cryptography now so the migration is planned rather than forced.

Which algorithms are FIPS-approved?

AES, the SHA-2 and SHA-3 families, approved RSA and ECDSA parameter sets, and since August 2024 ML-KEM (FIPS 203), ML-DSA (FIPS 204) and SLH-DSA (FIPS 205). MD5, SHA-1 for signatures, DES, 3DES and RC4 are not approved.

Can Korthex certify my product as FIPS 140-3 compliant?

No. Certification is done by accredited labs under the CMVP. Korthex finds every place non-approved cryptography is used, maps it to the approved replacement, generates the migration plan, and gates CI/CD so you do not regress between assessments.

Does the scan run offline?

Yes. Korthex runs 100% on-premise as a CLI or in CI/CD, including air-gapped operation. Source code never leaves your infrastructure.

How are findings mapped to FIPS 140-3?

Each CBOM entry carries a compliance status against NIST FIPS 140-3 and FIPS 203 / 204 / 205, alongside BSI, PCI-DSS and ISO 27001, so one scan serves multiple frameworks.