SSH

FIPS-Certified Cryptographic Library

Tectia Client, ConnectSecure, and Server can be operated in FIPS mode, using a version of the cryptographic library that has been certified according to the Federal Information Processing Standard (FIPS) 140-2.

The full OpenSSL cryptographic library is distributed with Tectia Client. However, only the algorithms provided by the fipscanister object module in the library are used by Tectia Client. The OpenSSL FIPS-certified cryptographic library is used to provide the classes of functions listed in the following tables.

The functions from the OpenSSL library version 1.0.2a used on Linux, Windows, Solaris and HP-UX Itanium (IA-64) are listed in Table 3.1. On these platforms, the fipscanister object module version 2.0.9 is used.

The functions from the OpenSSL library version 0.9.8 used on HP-UX PA-RISC and IBM AIX are listed in Table 3.2. On these platforms, the fipscanister object module version 1.2 is used.

Table 3.1. APIs used from the OpenSSL cryptographic library version 1.0.2a
(used on Linux, Windows, Solaris and HP-UX Itanium)

APIDescriptionFunctions from OpenSSL
Random numbersAES/CTR DRBG based on NIST SP800-90A is used from the OpenSSL library.RAND_get_rand_method()
AES ciphersVariants: ecb, cbc, cfb, ofb, ctrEVP_aes*
3DES ciphersVariants: ecb, cbc, cfb, ofbEVP_des_ede3_*
Math libraryBignum math library used by OpenSSL.BN_*
Diffie Hellman DH_*, ECDH_*
Hash functionsVariants: sha1, sha-224, sha-256, sha-384, sha-512EVP_sha*
Public KeyVariants: rsa, dsa, ecdsaRSA_*, DSA_*, ECDSA_*

Table 3.2. APIs used from the OpenSSL cryptographic library version 0.9.8
(used on HP-UX PA-RISC and IBM AIX)

APIDescriptionFunctions from OpenSSL
Random numbersFIPS-approved AES PRNG based on ANSI X9.32 is used from the OpenSSL library.FIPS_rand_*
AES ciphersVariants: ecb, cbc, cfb, ofb, ctrAES_*
DES ciphersVariants: ecb, cbc, cfb, ofbDES_*
3DES ciphersVariants: ecb, cbc, cfb, ofbDES_*
Math libraryBignum math library used by OpenSSL.BN_*
Diffie Hellman DH_*
Hash functionsVariants: sha1, sha-224, sha-256, sha-384, sha-512SHA1_*, SHA256_*, SHA512_*
Public KeyVariants: rsa and dsaRSA_*, DSA_*

No certificate functions are used from the OpenSSL library. Tectia provides its own certificate libraries.