FIPS 140-3 Level 3 is a hardware security requirement, not a software one. The standard is often discussed in the context of algorithm certification — whether an HSM has CMVP validation for a given cryptographic mechanism — but the physical security requirements at Level 3 are what separate a purpose-built cryptographic module from a general-purpose server running a software TLS stack. For bank CISOs evaluating HSM procurement decisions, understanding what Level 3 actually mandates helps distinguish vendor claims from substantive security capability.
This article covers FIPS 140-3 Level 3 physical security requirements in detail: what tamper detection means in practice, what zeroization must accomplish, why identity-based authentication is required at this level, and how these requirements manifest in CQ1's design. The FIPS 140-3 standard is an adoption of ISO/IEC 19790:2012 with U.S. government modifications; references to section numbers below refer to ISO/IEC 19790 as adopted.
The four security levels: a quick orientation
FIPS 140-3 defines four security levels for cryptographic modules:
- Level 1: Basic cryptographic algorithm correctness. No physical security requirements beyond production-grade build quality. Software implementations qualify at Level 1.
- Level 2: Adds tamper-evidence. The module must show evidence of tampering — through coatings, seals, or pick-resistant fasteners — so that physical attacks are detectable after the fact. Does not require active detection or response.
- Level 3: Adds active tamper detection and response. The module must detect physical intrusion attempts and respond by zeroizing (erasing) all plaintext critical security parameters (CSPs). Also requires identity-based authentication rather than role-based authentication for operator access.
- Level 4: Adds protection against environmental attacks (voltage, temperature, radiation) and requires complete envelopment of the cryptographic boundary in tamper-detection circuitry. Currently achieved by very few commercially available products.
Level 3 is the appropriate target for financial sector HSMs that hold zone working keys, master key encryption keys, and PIN keys. PCI HSM v3 references FIPS 140-3 Level 3 as the minimum for devices handling PIN data and key management operations in payment networks.
Active tamper detection: what "active" means
At Level 2, a tamper-evident seal proves (retroactively) that the module was opened. At Level 3, the module must detect the opening attempt while it is happening and respond before the attacker can read key material. This requires active circuitry that continuously monitors the physical security boundary.
The standard mechanism is a tamper-detection mesh — a fine, densely routed pattern of conductive traces that completely encloses the cryptographic boundary (the area containing key storage and cryptographic processing). The mesh carries a low-current signal that the tamper-detection circuit continuously monitors. When the mesh is cut, drilled, or mechanically disturbed, the circuit detects the change in electrical characteristics (resistance, capacitance, or continuity) and triggers the zeroization response.
Physical security boundary design requires careful engineering: the mesh must be dense enough that an attacker cannot route a fine probe between traces without breaking the mesh, and the trace pitch must be below the practical resolution of commercially available fine-wire probes (typically targeted at trace pitch below 100 microns in a Level 3 design). The mesh must also cover the full boundary — there must be no unprotected access path to the key storage silicon.
For CQ1, the cryptographic boundary encloses the FPGA fabric containing the NTT pipeline, the on-fabric key storage BRAMs, the Keccak co-processor, and the HSM controller. The PCIe interface connector, which sits outside the cryptographic boundary, carries only processed results and public-key material. Private key material never passes through the PCIe interface in any form; the PCIe path carries only decapsulated shared secrets and signature outputs.
Zeroization: what must be erased and how fast
When the tamper-detection circuit triggers, the module must zeroize all plaintext critical security parameters within a defined time window. FIPS 140-3 Level 3 specifies that zeroization must be triggered by tamper-detection events and must overwrite all CSPs. The standard does not specify a single overwrite pattern but requires that the overwrite renders the key material unrecoverable.
What constitutes a CSP in an HSM: all private keys, all secret keys, all seed material for key derivation, and all authentication credentials. The hardware implementation must be able to overwrite all of this material before an attacker who triggered the tamper-detection event can extract anything. In practice, this means the zeroization circuit must be able to complete its overwrite in the time it takes a physical attacker to remove the module cover, position probes, and connect measurement equipment — typically estimated at several seconds in a constrained attack scenario.
SRAM-based key storage (which is what most FPGA on-fabric BRAM is) can be overwritten by asserting the write-enable signals to all memory cells simultaneously with a zero or random data pattern. At FPGA fabric frequencies of 200 MHz, overwriting 256 KB of BRAM takes approximately 160 microseconds — well within any physically plausible attack timeline. The tamper-detection power supply must be isolated from the main power rail to ensure that a tamper-induced power loss (e.g., an attacker cutting the PCIe power connection) triggers zeroization rather than preventing it.
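To check a zeroization budget the way the paragraph above does, here is an added example (not CQ1's design data): it models a hypothetical inventory of CSP regions, computes the overwrite time of each from its size, write-port width and clock, and compares the concurrent or sequential total against the attack-time budget. The 64-bit port width, the region sizes other than the 256 KB figure, and the 2-second budget are assumptions.

```python
# Constructed CSP inventory for a hypothetical Level 3 design. Sizes, port
# widths and the attack budget are illustrative assumptions, not CQ1 figures.
FABRIC_CLOCK_HZ = 200_000_000
ATTACK_BUDGET_S = 2.0  # conservative end of the "several seconds" estimate

CSP_REGIONS = [
    # (name, total bytes, write-port width in bits, ports written in parallel)
    ("key BRAM",       256 * 1024, 64, 1),
    ("seed BRAM",       16 * 1024, 64, 1),
    ("credential RAM",   4 * 1024, 32, 1),
]


def region_time_s(total_bytes, port_bits, parallel_ports, clock_hz=FABRIC_CLOCK_HZ):
    """Seconds to overwrite one region when every cycle writes
    port_bits/8 bytes on each of `parallel_ports` ports."""
    bytes_per_cycle = (port_bits // 8) * parallel_ports
    cycles = -(-total_bytes // bytes_per_cycle)  # ceiling division
    return cycles / clock_hz


def zeroization_schedule(regions, concurrent=True, clock_hz=FABRIC_CLOCK_HZ):
    """Per-region times plus the wall-clock total. Regions with their own
    write ports can be cleared concurrently (total = slowest region);
    a single shared zeroization engine clears them one after another."""
    times = {name: region_time_s(size, bits, ports, clock_hz)
             for name, size, bits, ports in regions}
    total = max(times.values()) if concurrent else sum(times.values())
    return times, total


def within_budget(total_s, budget_s=ATTACK_BUDGET_S, margin=100.0):
    """Require the overwrite to finish `margin` times faster than the
    estimated time an attacker needs to open the module and probe it."""
    return total_s * margin <= budget_s


if __name__ == "__main__":
    for concurrent in (True, False):
        times, total = zeroization_schedule(CSP_REGIONS, concurrent)
        mode = "concurrent" if concurrent else "sequential"
        print(f"{mode}: {total * 1e6:.1f} us, within budget: {within_budget(total)}")
```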
Identity-based authentication at Level 3
Level 2 permits role-based authentication: any operator who knows the role password can perform operations authorized for that role. Level 3 requires identity-based authentication: the module must authenticate specific named individuals, not generic roles. This is typically implemented through per-operator authentication tokens (hardware security keys, smart cards, or cryptographic certificates) where each operator has a unique credential.
For payment-sector HSMs, identity-based authentication is critical for key ceremony operations. When generating or loading a new master key encryption key (MKEK), the ceremony requires quorum authentication — a defined number of authorized key custodians (e.g., 3 of 5) must authenticate individually before the key operation can proceed. With role-based authentication, any three people who know the custodian password would qualify; with identity-based authentication, the HSM validates that the specific named custodians registered for that key are the ones authenticating.
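The difference between the two quorum models, as an added example that is not CQ1's management code: a registered-custodian policy for one MKEK, a per-ceremony challenge, and a check that counts only distinct named custodians whose registered credential verifies, beside the role-based check it replaces. The custodian names, the HMAC-based challenge response (a stand-in for a smart-card signature) and the threshold are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed policy: which named custodians may authorise a ceremony on this
# key. Each has a per-operator credential secret; an HMAC key here stands in
# for the private key on that custodian's registered smart card.
MKEK_POLICY = {
    "key_label": "MKEK-01",
    "threshold": 3,
    "custodians": {cid: secrets.token_bytes(32)
                   for cid in ("alice", "bob", "carol", "dave", "erin")},
}


def issue_challenge() -> bytes:
    """Fresh nonce per ceremony so a captured response cannot be replayed."""
    return secrets.token_bytes(32)


def token_response(credential: bytes, custodian_id: str, nonce: bytes) -> bytes:
    """What a registered token computes when presented with the challenge."""
    return hmac.new(credential, custodian_id.encode() + nonce, hashlib.sha256).digest()


def authorize_identity_quorum(policy, nonce, presentations):
    """Identity-based quorum: each presentation must verify against the
    credential registered for that named custodian, identities must be
    distinct, and at least `threshold` must succeed.
    presentations: list of (custodian_id, response_bytes)."""
    seen = set()
    for cid, resp in presentations:
        credential = policy["custodians"].get(cid)
        if credential is None:
            return False, f"{cid} is not a registered custodian for {policy['key_label']}"
        if not hmac.compare_digest(resp, token_response(credential, cid, nonce)):
            return False, f"credential verification failed for {cid}"
        if cid in seen:
            return False, f"{cid} presented twice; quorum counts distinct identities"
        seen.add(cid)
    if len(seen) < policy["threshold"]:
        return False, f"{len(seen)} of {policy['threshold']} custodians authenticated"
    return True, sorted(seen)


def authorize_role_quorum(role_password: str, attempts, threshold: int) -> bool:
    """Role-based check for contrast: anyone who knows the custodian password
    counts, so the HSM cannot tell which individuals actually took part."""
    correct = sum(1 for pw in attempts if hmac.compare_digest(pw, role_password))
    return correct >= threshold
```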
CQ1's management interface implements identity-based authentication through operator smart card enrollment. Each operator is issued a hardware token (PKCS#15-formatted smart card) during initial registration. Authentication for privileged management operations (key generation, key deletion, role management) requires physical presentation of the registered smart card and entry of the card's PIN. The HSM logs the identity of each authenticated operator against each management operation.
Environmental failure protection
FIPS 140-3 Level 3 also requires that the module respond to voltage and temperature excursions outside of its normal operating range. The intent is to prevent fault injection attacks — supplying anomalous voltage or temperature to cause the processor to skip instructions or produce incorrect outputs in a controllable way. Fault injection against RSA and EC implementations has been demonstrated to leak private key material; similar attacks against lattice implementations are an active research area.
Environmental failure protection at Level 3 requires either designing the module to operate normally across a wide range of environmental conditions (defeating fault injection by making the anomalous conditions insufficient to cause faults) or detecting excursions and triggering zeroization (same response as tamper detection). CQ1 implements the latter: independent voltage and temperature sensors on the cryptographic boundary connect to the same tamper-detection circuit as the mesh. A voltage spike or thermal excursion outside the defined operating envelope triggers the same zeroization sequence as a physical intrusion.
What Level 3 does not protect against
Understanding the boundary of what Level 3 provides is as important as understanding what it requires. FIPS 140-3 Level 3 protects key material from physical extraction. It does not protect against:
- Side-channel attacks via electromagnetic emanations — Level 3 does not require shielding against EM side-channel analysis. The environmental failure protection at Level 4 partially addresses EM, but dedicated EM shielding is not an explicit requirement at either Level 3 or Level 4.
- Software-layer attacks on the management interface — Physical security protects key material at rest. An attacker who can communicate with the PKCS#11 interface as an authenticated operator can request cryptographic operations within the operator's authorized scope. Authentication controls govern this surface; physical security does not.
- Supply chain attacks on the hardware before deployment — FIPS 140-3 validation covers the design and production of the validated module as tested. Supply chain security (ensuring that the unit you receive matches the validated design) is a deployment practice question, not a FIPS certification question.
CQ1 is designed for FIPS 140-3 Level 3 validation. We have engaged an NVLAP-accredited laboratory and are pursuing CMVP testing submission in H2 2026. Until validation is awarded, CQ1 should be evaluated on the basis of its physical security design — tamper-detection mesh, zeroization circuit, identity-based authentication, environmental sensors — not on a certificate that does not yet exist.