FIPS-Certified Library

The Federal Information Processing Standard (FIPS) Publication 140-2 specifies the security requirements of cryptographic modules used to protect sensitive information. When the EFT service is started, if FIPS is enabled, a message displays which protocols are in use and which of the protocols in use are FIPS certified. When you enable FIPS, the ciphers, key lengths/types, and hash lengths/types that are not FIPS-approved are not available, and an initialization routine executes a series of startup tests that set the cryptographic module into a FIPS-approved operational state.

For more information about the cryptographic module used by EFT, refer to the Knowledgebase article "Do you have a link to the certificate for your FIPS ciphers?"

After you enable or disable FIPS mode, you must restart the EFT server service.

If a FIPS-approved state cannot be achieved when FIPS is enabled, all Sites will stop, and an error message appears in the Windows Event Log and the EFT administration interface. After you dismiss the message, the EFT administration interface closes.

  • You can enable FIPS mode for:

    • inbound SFTP (SSH2)

    • inbound HTTPs/FTPs (SSL)

    • outbound HTTPs/FTPs (SSL) through Event Rules (except when using Advanced Workflows)

    • outbound client SFTP (SSH2) through Event Rules

  • FIPS mode does not apply to:

    • EFT administration interface connections

    • SSL-based COM API connections

    • Advanced Workflows-based HTTPs/FTPs (SSL)

    • Advanced Workflows-based SFTP (SSH2)

    • AS2 inbound or outbound transactions. SSL connections for AS2 go through HTTPS sockets, so the AS2 transaction travels over a FIPS tunnel; however, the encryption within the AS2 MIME payload is not FIPS approved.

The following changes to the Server > Security tab were made in the latest version of EFT.

SSH changes in FIPS mode

SSH keys

  • Generating RSA keys shorter than 2048 bits is prohibited

  • Using keys other than RSA/DSA keys >= 2048 bits or ECDSA keys >= 224 bits is prohibited (for both client and server)

  • EFT will display the message: "The provided SFTP key has an improper key length or type. FIPS 140-2 mode requires keys at least 2048 bits length for RSA or DSA (DSS) keys and at least 224 bits for ECDSA keys. Please specify an alternate key, or generate a new one using EFT's SFTP key creation wizard."

KEXes

  • "diffie-hellman-group1-sha1" prohibited (for both client and server)

MACs

  • "hmac-sha1-96" prohibited (for both client and server)

  • "hmac-sha1" enabled by default (for client)

SSH changes in non-FIPS mode

SSH keys

  • Generating RSA keys shorter than 2048 bits is prohibited (in GUI only)

MAC

  • "hmac-sha1" enabled by default (for client)

The functionality of the legacy sftp.dll was kept unchanged. In legacy FIPS mode, allowed keys are, for example,

1024 bits <= RSA <= 4096 bits, or DSA 1024 bits

If you set another key, the GUI shows the message:

"The provided SFTP key has an improper key length. FIPS 140-2 mode requires keys between 1024 and 4096 bits (inclusive) for RSA keys, or 1024 bits (exactly) for DSA (DSS) keys. Please specify an alternate key, or generate a new one using EFT's SFTP key creation wizard."
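The SSH key, KEX and MAC rules above, written out as a pre-flight check (an added example, not Globalscape code): it reads the key type and length from an OpenSSH-format public key line, applies the current and legacy FIPS limits, and flags the prohibited algorithm names. All function names and the sample key (a dummy modulus, not a usable key) are constructed for illustration; rejecting ECDSA in legacy mode is an assumption, based on the legacy message naming only RSA and DSA.

```python
import base64
import struct

# Algorithm names and key limits as stated on this page.
PROHIBITED_KEX = {"diffie-hellman-group1-sha1"}
PROHIBITED_MAC = {"hmac-sha1-96"}

def _fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    out, i = [], 0
    while i < len(blob):
        (n,) = struct.unpack(">I", blob[i:i + 4])
        if i + 4 + n > len(blob):
            raise ValueError("truncated key blob")
        out.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    return out

def key_type_and_bits(pubkey_line):
    """Return (family, bits) for an OpenSSH-format public key line."""
    f = _fields(base64.b64decode(pubkey_line.split()[1]))
    name = f[0].decode()
    if name == "ssh-rsa":                    # fields: name, e, n
        return "rsa", int.from_bytes(f[2], "big").bit_length()
    if name == "ssh-dss":                    # fields: name, p, q, g, y
        return "dsa", int.from_bytes(f[1], "big").bit_length()
    if name.startswith("ecdsa-sha2-nistp"):  # curve size is part of the name
        return "ecdsa", int(name[len("ecdsa-sha2-nistp"):])
    return name, 0                           # any other key type is not allowed

def fips_key_ok(family, bits, legacy=False):
    """Apply the page's key rules; legacy=True means the legacy sftp.dll limits."""
    if legacy:  # assumption: ECDSA is rejected here, the legacy message omits it
        return (family == "rsa" and 1024 <= bits <= 4096) or (family == "dsa" and bits == 1024)
    if family in ("rsa", "dsa"):
        return bits >= 2048
    return family == "ecdsa" and bits >= 224

def prohibited_algorithms(kex, macs):
    """Return the offered KEX/MAC names that FIPS mode prohibits."""
    return sorted((set(kex) & PROHIBITED_KEX) | (set(macs) & PROHIBITED_MAC))

def make_rsa_line(bits):
    """Constructed sample: a well-formed ssh-rsa line with a dummy modulus."""
    def s(b): return struct.pack(">I", len(b)) + b
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00 as in mpint
    blob = s(b"ssh-rsa") + s((65537).to_bytes(3, "big")) + s(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"
```

A 1024-bit RSA key passes only with legacy=True, which is the gap to look for when moving a Site off the legacy sftp.dll.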

SSL changes in FIPS mode

  • Generating RSA keys shorter than 2048 bits is prohibited

  • Using keys other than RSA/DSA keys >= 2048 bits or ECDSA keys >= 224 bits is prohibited (for both client and server)

  • EFT will display the message: "The SSL certificate has an improper key length. FIPS 140-2 mode requires keys at least 2048 bits length for RSA or DSA (DSS) keys and at least 224 bits for ECDSA keys. Please specify an alternate certificate, or generate a new one using EFT's SSL certificate creation wizard."

SSL changes in non-FIPS mode

  • Generating RSA keys shorter than 2048 bits is prohibited (in GUI only)
