Tectia Client, ConnectSecure, and Server can be operated in FIPS mode, using a version of the cryptographic library that has been certified according to the Federal Information Processing Standard (FIPS) 140-2.
The full OpenSSL cryptographic library is distributed with Tectia ConnectSecure. However, only the algorithms provided by the fipscanister object module in the library are used by Tectia ConnectSecure.
The OpenSSL FIPS-certified cryptographic library is used to provide the classes of functions listed in the following tables.
The functions from the OpenSSL library version 1.0.2a used on Linux, Windows, Solaris and HP-UX Itanium (IA-64) are listed in Table 3.1. On these platforms, the fipscanister object module version 2.0.9 is used.
The functions from the OpenSSL library version 0.9.8 used on HP-UX PA-RISC and IBM AIX are listed in Table 3.2. On these platforms, the fipscanister object module version 1.2 is used.
The FIPS 140-2 cryptographic library is not available for Tectia Server for Linux on IBM System z or for Tectia Server for IBM z/OS, because these platforms do not support the OpenSSL FIPS-certified cryptographic libraries. They instead support hardware acceleration of FIPS cryptographic operations.
Table 3.1. APIs used from the OpenSSL cryptographic library version 1.0.2a (used on Linux, Windows, Solaris and HP-UX Itanium)
API | Description | Functions from OpenSSL |
---|---|---|
Random numbers | AES-based CTR_DRBG as specified in NIST SP 800-90A, used from the OpenSSL library. | RAND_get_rand_method() |
AES ciphers | Variants: ecb, cbc, cfb, ofb, ctr | EVP_aes* |
3DES ciphers | Variants: ecb, cbc, cfb, ofb | EVP_des_ede3_* |
Math library | Bignum math library used by OpenSSL. | BN_* |
Diffie-Hellman | Diffie-Hellman key exchange. | DH_* |
Hash functions | Variants: sha1, sha-224, sha-256, sha-384, sha-512 | EVP_sha* |
Public Key | Variants: rsa, dsa | RSA_*, DSA_* |
Table 3.2. APIs used from the OpenSSL cryptographic library version 0.9.8 (used on HP-UX PA-RISC and IBM AIX)
API | Description | Functions from OpenSSL |
---|---|---|
Random numbers | FIPS-approved AES-based PRNG as specified in ANSI X9.31, used from the OpenSSL library. | FIPS_rand_* |
AES ciphers | Variants: ecb, cbc, cfb, ofb, ctr | AES_* |
DES ciphers | Variants: ecb, cbc, cfb, ofb | DES_* |
3DES ciphers | Variants: ecb, cbc, cfb, ofb | DES_* |
Math library | Bignum math library used by OpenSSL. | BN_* |
Diffie-Hellman | Diffie-Hellman key exchange. | DH_* |
Hash functions | Variants: sha1, sha-224, sha-256, sha-384, sha-512 | SHA1_*, SHA256_*, SHA512_* |
Public Key | Variants: rsa and dsa | RSA_*, DSA_* |
No certificate functions are used from the OpenSSL library. Tectia provides its own certificate libraries.
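The two tables above fix the set of primitive classes that FIPS mode can draw on: AES (ecb/cbc/cfb/ofb/ctr), 3DES (ecb/cbc/cfb/ofb), SHA-1 and SHA-2, RSA, DSA and DH. An SSH algorithm list that names anything outside those classes (RC4, MD5, AES-GCM, ECDH, Ed25519) cannot be served by the fipscanister and should be cleaned up before FIPS mode is switched on. The following added example, which is not Tectia's code, reviews a comma-separated SSH algorithm list against exactly those classes and returns the trimmed list. The mapping from SSH wire names to OpenSSL primitives, the sample lists, and the helper names are this example's own assumptions, not a statement of Tectia's FIPS-mode policy.

```python
"""Pre-flight review of SSH algorithm lists against the primitive classes that
the Tectia FIPS-mode fipscanister exports (Tables 3.1 and 3.2).

Added example, not Tectia code.  The SSH-name-to-primitive mapping is an
assumption of this example (it follows the wire names from RFC 4253/4344/6668
and OpenSSH), not Tectia's own FIPS-mode policy.
"""
import re
from dataclasses import dataclass

FIPS_HASHES = {"sha1", "sha224", "sha256", "sha384", "sha512"}
FIPS_AES_MODES = {"ecb", "cbc", "cfb", "ofb", "ctr"}
FIPS_3DES_MODES = {"ecb", "cbc", "cfb", "ofb"}
# Single DES is exported by the 0.9.8 module (DES_* in Table 3.2) but is not a
# FIPS 140-2 approved algorithm, so it is deliberately not accepted here.


@dataclass(frozen=True)
class Finding:
    category: str      # "cipher", "mac", "kex" or "hostkey"
    name: str          # SSH wire name exactly as written in the configuration
    primitives: tuple  # OpenSSL primitive classes the algorithm relies on
    allowed: bool      # True only if every primitive is fipscanister-provided


def _base(name: str) -> str:
    """Strip a vendor suffix such as @openssh.com or @ssh.com."""
    return name.split("@", 1)[0]


def _hash(token: str) -> str:
    """Normalise sha2-256 / sha256 style tokens to the tables' sha256 form."""
    return token.replace("sha2-", "sha")


def classify(category: str, name: str) -> Finding:
    """Map one SSH algorithm name to the primitives it needs and decide."""
    base = _base(name)
    prims, ok = ("unknown",), False
    if category == "cipher":
        m = re.fullmatch(r"aes(?:128|192|256)-([a-z0-9]+)", base)
        if m:   # gcm is not one of the listed AES variants, so it is rejected
            prims, ok = ("aes",), m.group(1) in FIPS_AES_MODES
        else:
            m = re.fullmatch(r"3des-([a-z]+)", base)
            if m:
                prims, ok = ("3des",), m.group(1) in FIPS_3DES_MODES
    elif category == "mac":
        m = re.fullmatch(
            r"hmac-(sha1|sha2-\d{3}|sha\d{3}|md5|ripemd160)(?:-\d+)?(?:-etm)?", base)
        if m:
            h = _hash(m.group(1))
            prims, ok = (h,), h in FIPS_HASHES
    elif category == "kex":
        m = re.fullmatch(
            r"diffie-hellman-(?:group\d+|group-exchange)-(sha1|sha256|sha512)", base)
        if m:   # ECDH and curve25519 never match: no EC primitives in the tables
            prims, ok = ("dh", m.group(1)), m.group(1) in FIPS_HASHES
    elif category == "hostkey":
        if base == "ssh-rsa":
            prims, ok = ("rsa", "sha1"), True
        elif base == "ssh-dss":
            prims, ok = ("dsa", "sha1"), True
        else:
            m = re.fullmatch(r"rsa-(sha2-\d{3})", base)
            if m:
                h = _hash(m.group(1))
                prims, ok = ("rsa", h), h in FIPS_HASHES
    return Finding(category, name, prims, ok)


def review(config: dict) -> list:
    """config maps category -> comma-separated SSH algorithm list."""
    findings = []
    for category, csv in config.items():
        for name in filter(None, (n.strip() for n in csv.split(","))):
            findings.append(classify(category, name))
    return findings


def fips_filter(config: dict) -> dict:
    """Return the same configuration with non-fipscanister algorithms dropped."""
    return {
        category: ",".join(f.name for f in review({category: csv}) if f.allowed)
        for category, csv in config.items()
    }


# Constructed sample: a permissive pre-FIPS algorithm list (not a real config).
SAMPLE = {
    "cipher": "aes128-ctr,aes256-cbc,3des-cbc,arcfour,aes256-gcm@openssh.com,blowfish-cbc",
    "mac": "hmac-sha2-256,hmac-sha1,hmac-md5,hmac-sha1-96,umac-64@openssh.com",
    "kex": "diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,"
           "ecdh-sha2-nistp256,curve25519-sha256",
    "hostkey": "ssh-rsa,rsa-sha2-256,ssh-dss,ssh-ed25519",
}

if __name__ == "__main__":
    for f in review(SAMPLE):
        flag = "ok  " if f.allowed else "DROP"
        print(f"{flag} {f.category:8} {f.name:28} {'+'.join(f.primitives)}")
    print(fips_filter(SAMPLE))
```

The review is deliberately conservative: any name it cannot map to a primitive class in the tables is reported as not allowed, which is the safer failure mode when the goal is to confirm that only fipscanister algorithms can be negotiated.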