
Federal Information Processing Standard

The United States Government's Federal Information Processing Standard (FIPS) 140-2 specifies security requirements for cryptographic modules. Cryptographic products are validated against a specific set of requirements and tested in 11 categories by independent, U.S. Government-certified testing laboratories. This validation is then submitted to the National Institute of Standards and Technology (NIST), which reviews the validation and issues a certificate. In addition, cryptographic algorithms may also be validated and certified based on other FIPS specifications. The list of validated products and the vendor's stated security policy (the definition of what the module has been certified to do) can be found at: http://csrc.nist.gov/groups/STM/cmvp/validation.html.

To configure Reflection for Secure IT to run in FIPS mode, select Use only FIPS-140 certified cryptography algorithms from the Encryption pane.

Note

You need to restart the server after changing FIPS mode for the change to take effect.

To ensure that your version of Windows is correctly configured and uses FIPS-validated modules, refer to Microsoft FIPS 140 documentation (http://technet.microsoft.com/en-us/library/cc750357.aspx).

Enabling FIPS Mode has the following effects:

  • All connections must be made using algorithms that meet FIPS 140-2 standards. Algorithms that don't meet these standards are not available.

  • As MD5 is not a FIPS-approved hash, the server debug log does not contain MD5 fingerprints while the server is running in FIPS mode.

  • The RADIUS protocol, which depends on MD5, is not available when the server is running in FIPS mode.

  • PKCS#12 files cannot be used by the server when it is running in FIPS mode.

  • The minimum public key size for user keys, host keys, and certificates is raised from the default of 512 bits to 1024 bits. Previously configured keys that do not meet this threshold will not be used.

  • If the Windows FIPS Local Policy Flag is enabled, the server allows use of any certificate that meets FIPS standards.

  • Because Reflection for Secure IT cannot verify the FIPS status of SecurID, GSSAPI/SSPI, and RADIUS binaries, these authentication methods need to be manually disabled by the system administrator if they are not FIPS validated.
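Two of the effects listed above, the 1024-bit minimum key size and the absence of MD5 fingerprints, can be checked against existing key material before FIPS mode is switched on. The Python script below is an added example and is not part of Reflection for Secure IT or its documentation: it parses OpenSSH-format ssh-rsa public key lines (the sample keys are constructed from arbitrary moduli and are not usable keys), reports the modulus size against the 1024-bit threshold, and derives an OpenSSH-style SHA-256 fingerprint rather than an MD5 one. The function names and the threshold constant are this example's own.

```python
import base64
import hashlib
import struct

FIPS_MIN_KEY_BITS = 1024  # minimum the page states for FIPS mode (default is 512)

def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value: int) -> bytes:
    """Encode a positive integer as an SSH mpint (a leading zero byte keeps the sign bit clear)."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def _read_string(blob: bytes, offset: int):
    """Decode one SSH wire-format string at offset; return (bytes, next offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length

def make_rsa_key_line(modulus: int, exponent: int = 65537) -> str:
    """Build an OpenSSH 'ssh-rsa' line from a constructed modulus (test data, not a real key)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(exponent) + _ssh_mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode()

def inspect_rsa_key(line: str) -> dict:
    """Return modulus size, FIPS-threshold verdict and SHA-256 fingerprint of an ssh-rsa line."""
    key_type, b64 = line.split()[:2]
    if key_type != "ssh-rsa":
        raise ValueError(f"only ssh-rsa keys are handled in this example, got {key_type}")
    blob = base64.b64decode(b64)
    _name, off = _read_string(blob, 0)          # key type is repeated inside the blob
    _exponent, off = _read_string(blob, off)    # public exponent e
    modulus_bytes, _ = _read_string(blob, off)  # modulus n; its bit length is the key size
    bits = int.from_bytes(modulus_bytes, "big").bit_length()
    # OpenSSH-style fingerprint: SHA-256 over the decoded blob, base64 without '=' padding.
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"bits": bits, "fips_ok": bits >= FIPS_MIN_KEY_BITS, "fingerprint": "SHA256:" + digest}

def keys_rejected_in_fips_mode(lines) -> list:
    """Fingerprints of the keys that the 1024-bit threshold would exclude."""
    return [r["fingerprint"] for r in map(inspect_rsa_key, lines) if not r["fips_ok"]]

if __name__ == "__main__":
    # Constructed sample moduli: a 512-bit key (old default), a 1023-bit key, and a 2048-bit key.
    sample = [make_rsa_key_line(2**511 + 1), make_rsa_key_line(2**1022 + 1), make_rsa_key_line(2**2047 + 1)]
    for line in sample:
        print(inspect_rsa_key(line))
    print("rejected in FIPS mode:", keys_rejected_in_fips_mode(sample))
```

Point `keys_rejected_in_fips_mode` at the lines of a real authorized-keys or host-key file to see which entries would stop working once the threshold rises.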