CMVP-validated module, platform-bounded.
HASP's runtime cryptographic operations are performed inside a NIST CMVP-validated OpenSSL FIPS Provider (certificate #4985, FIPS 140-3) built into the HASP platform. This page gives a DEA EPCS auditor — or any customer's compliance team — the certificate number, module identity, integrity anchors, and approved algorithm inventory needed to verify that claim. FIPS 140-3 supersedes and satisfies the FIPS 140-2 Level 1 reference in 21 CFR 1311.115. We do not claim FedRAMP, CJIS, or any environment-level FIPS validation.
Validated module
- Certificate number: #4985
- Validation standard: FIPS 140-3 · Overall Level 1
- Status: Active (sunset March 10, 2030)
- Validation history:
  - Initial: March 11, 2025 (Acumen Security)
  - Last update: November 21, 2025 (Lightship Security, Inc.)
- Module name: OpenSSL FIPS Provider
- Module type: Software, Multi-Chip Stand Alone
- Vendor: The OpenSSL Project
- Validated version: 3.1.2
- Source tarball SHA-256: a0ce69b8b97ea6a35b96875235aa453b966ba3cba8af2de23657d8b6767d6539
- Loaded as: /usr/lib/x86_64-linux-gnu/ossl-modules/fips.so
- Integrity anchor: HMAC of fips.so recorded in fipsmodule.cnf by openssl fipsinstall; libcrypto refuses to load the provider if the module has been modified.
Approved algorithms in use
- AES-256-GCM: Application-layer encryption for tenant data (routed through validated OpenSSL)
- AES-256-CBC: Legacy at-rest payloads and session cookies (routed through validated OpenSSL)
- PBKDF2-HMAC-SHA-256: Password hashing (routed through validated OpenSSL, 600,000 iterations)
- SHA-256 (security-load-bearing): Audit-chain integrity hash, API key / invitation / passkey / runtime-session token hashes, signed audit export file hash, BAA PDF integrity hash — all routed through validated OpenSSL
- SHA-256 (operational fingerprints): Cache keys, idempotency keys, advisory-lock derivation — FIPS-approved algorithm but NOT routed through the validated module.
- HMAC-SHA-256: Webhook signature verification, signed URLs, and keyed subject-identifier hashing — FIPS-approved algorithm, but PHP exposes no HMAC primitive backed by the validated module's cryptographic library, so NOT routed through the validated module.
- Ed25519: Signed audit-export signing (routed through validated OpenSSL)
- TLS 1.3: Outbound HTTPS from the HASP platform (to managed database, inference providers, payment processor, enterprise SSO, edge object storage, and the internal TLS-terminating load balancer) — all via FIPS 140-3 validated OpenSSL. Inbound user-facing TLS is terminated at the substrate's TLS-terminating load balancer by a separately-validated module — out of scope.
In scope of the validated module
- Application-layer encryption, signing, digest, key generation, and random-number generation routed through FIPS 140-3 validated OpenSSL
- Application-wide routing of security-load-bearing SHA-256 digests (audit chain, API key hashes, BAA PDF hashes, signed export hashes) and PBKDF2 (password hashing) through the validated module
- Tenant-data encryption (AES-256-GCM via the validated module)
- Database TLS to the managed database (via the validated module)
- Outbound HTTPS to inference providers, payment processor, enterprise SSO, edge object storage, and internal load-balancer endpoints (via the validated module)
- Audit chain hashing and Ed25519 signing for signed audit exports
Explicitly out of scope
- Inbound user-facing TLS termination — performed at the substrate's TLS-terminating load balancer using a separately-validated cryptographic module, not inside the HASP platform. The HASP application listens HTTP-only on its internal port.
- Operational fingerprints (cache keys, idempotency keys) and HMAC (webhook signature verification, signed URLs, and keyed subject-identifier hashing) — FIPS-approved algorithms, but PHP exposes no HMAC primitive backed by the validated module's cryptographic library, so these are not routed through it.
- FedRAMP Moderate or High
- FISMA / NIST SP 800-53 ATO
- CJIS
- IRS Publication 1075
- Any claim of a fully FIPS-validated environment, FIPS-mode host operating system, or FIPS-validated network appliances
- Sub-processors operating outside HASP's own platform (inference providers, payment processor, enterprise SSO, edge CDN, managed database, managed cache) — each maintains its own compliance trail
Cryptographic key management
HASP's security-load-bearing cryptographic operations run inside the NIST CMVP-validated cryptographic module identified above (FIPS 140-3 Level 1; OpenSSL FIPS Provider 3.1.2, certificate #4985) loaded into the HASP platform. Today the validated module covers:
- AES-GCM encryption of customer key material at rest (routed through the FIPS provider)
- TLS handshakes for outbound provider connections — inference providers, embedding provider, edge object storage, and internal substrate services (routed through the FIPS provider)
- PBKDF2 password-derivation paths (the platform does not currently store user passwords; the FIPS-bounded path is wired so any future password storage is FIPS-bounded by default)
Audit-chain integrity hashing and Ed25519 signing for signed audit exports are routed through the validated module. One cryptographic operation sits outside it:
- HMAC — used for keyed hashing of subject identifiers, and for webhook signature verification — is computed with PHP's standard hashing extension, which does not route through the validated module. PHP exposes no HMAC primitive backed by the validated module's cryptographic library; this is a property of the language runtime, not a deferred task. The algorithm in use (HMAC-SHA-256) is FIPS-approved.
The platform's master key for envelope encryption is backed up via Shamir's Secret Sharing (2-of-3 threshold across multiple independent custodians). Any single share's compromise or loss does not compromise the master key, and key recovery is possible from any 2 of the 3 shares.
Verifying the chain
Four confirmations an auditor can run against the running container:
```sh
# 1. The FIPS provider block specifically reports status: active.
#    (The base provider is also active for non-cryptographic primitives, so
#    scope the check to the fips block; `^ *fips$` matches the indented
#    provider key line.)
docker exec <container> openssl list -providers | grep -A 3 '^ *fips$' | grep 'status: active'
# Expect: "status: active" (indented)

# 2. Behavioral check: a non-FIPS digest must fail under default_properties=fips=yes.
docker exec <container> sh -c "printf '' | openssl dgst -md5"
# Expect: non-zero exit, error about unavailable algorithm.

# 3. PHP's openssl extension excludes non-approved digests under FIPS mode.
docker exec <container> php -r 'var_dump(in_array("md5", openssl_get_md_methods(true), true));'
# Expect: bool(false)

# 4. The validated module's HMAC is recorded and being verified.
docker exec <container> cat /usr/local/openssl-fips/ssl/fipsmodule.cnf
# Expect: a module-mac entry computed by 'openssl fipsinstall'.
```

Need our written attestation?
If your audit submission needs a letter referencing the certificate number, module version, and integrity anchors above on HASP letterhead, email [email protected].
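Checks 1 and 4 from "Verifying the chain", written as shell functions that parse the command output instead of relying on a fixed `grep -A` window (an added example, not HASP's own tooling). The sample provider listing and fipsmodule.cnf text are constructed, and the 32-byte module-mac length assumes the default HMAC-SHA-256 MAC written by openssl fipsinstall.

```sh
# Added example; the sample inputs below are constructed, not captured from HASP.

# Read `openssl list -providers` output on stdin and print the status of the
# provider whose key is exactly "fips" ("absent" if it is not loaded), so an
# active base provider can never satisfy the check.
fips_provider_status() {
    awk '
        /^ *[A-Za-z0-9_-]+ *$/ { cur = $1; next }   # provider key line
        cur == "fips" && $1 == "status:" { print $2; found = 1; exit }
        END { if (!found) print "absent" }
    '
}

# Read fipsmodule.cnf on stdin; succeed only if exactly one module-mac entry
# exists and it is 32 colon-separated hex bytes (assumed HMAC-SHA-256 length).
module_mac_ok() {
    mac=$(sed -n 's/^[[:space:]]*module-mac[[:space:]]*=[[:space:]]*//p' | tr -d '[:space:]')
    printf '%s\n' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}$'
}

# audit LISTING CNF: return 0 only when both checks pass.
audit() {
    [ "$(printf '%s\n' "$1" | fips_provider_status)" = "active" ] || return 1
    printf '%s\n' "$2" | module_mac_ok
}

SAMPLE_OK='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.1.2
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.1.2
    status: active'

# Failure mode: only the base provider is loaded.
SAMPLE_BASE_ONLY='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.1.2
    status: active'

SAMPLE_CNF='[fips_sect]
activate = 1
module-mac = 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

audit "$SAMPLE_OK" "$SAMPLE_CNF" && echo "healthy sample: PASS"
audit "$SAMPLE_BASE_ONLY" "$SAMPLE_CNF" || echo "base-only sample: FAIL (fips provider absent)"
```

Against a live container, pipe the output of `docker exec <container> openssl list -providers` into `fips_provider_status` and the contents of fipsmodule.cnf into `module_mac_ok`.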