Tectia Client, ConnectSecure, and Server can be operated in FIPS mode, using a version of the cryptographic library that has been certified according to the Federal Information Processing Standard (FIPS) 140-2.
The full OpenSSL cryptographic library is distributed with Tectia Client, ConnectSecure, and Server. However, only
the algorithms provided by the fipscanister
object in the library are used by Tectia Client, ConnectSecure, and Server.
The OpenSSL FIPS-certified cryptographic library is used to provide the
following classes of functions:
Table 3.1. APIs used from the OpenSSL library
API | Description | Functions from OpenSSL |
---|---|---|
Random numbers | FIPS-approved AES PRNG based on ANSI X9.32 is used from the OpenSSL library. | FIPS_rand_* |
AES ciphers | Variants: ecb, cbc, cfb, ofb, ctr | AES_* |
DES ciphers | Variants: ecb, cbc, cfb, ofb | DES_* |
3DES ciphers | Variants: ecb, cbc, cfb, ofb | DES_* |
Math library | Bignum math library used by OpenSSL. | BN_* |
Diffie Hellman | DH_* | |
Hash functions | Variants: sha1, sha-224, sha-256, sha-384, sha-512 | SHA1_*, SHA256_*, SHA512_* |
Public Key | Variants: rsa and dsa | RSA_*, DSA_* |
No certificate functions are used from the OpenSSL library. Tectia provides its own certificate libraries.
The FIPS 140-2 Cryptographic Library is available on the operating systems supported by Tectia, except for Tectia Server for Linux on IBM System z and Tectia Server for IBM z/OS which do not support OpenSSL FIPS-certified cryptographic libraries. They support hardware acceleration on FIPS cryptographic operations.