U.S. Federal Information Processing Standard
This page describes what FIPS is and how the File Watchdogs FTP Server software complies. Your FTP Client software should be equally tested and compliant. We recommend our Web Transfer Client logon page or WS_FTP Professional, http://www.ipswitchft.com.
The U.S. Federal Information Processing Standard (FIPS) has requirements concerning acceptable encryption methods and strengths. FIPS section 140-2 applies to information processing for government agencies and the military, and it often also applies to vendors, contractors, and suppliers doing business with those entities. For a product to meet FIPS requirements, it must not only comply with FIPS standards, but also must be validated by the appropriate government testing authorities.
The FIPS testing process ensures that a solution meets encryption strength requirements, and also passes stringent tests that detect a variety of flaws, including back doors and hard-coded keys. These tests make FIPS validation relevant not just to the government and military, but to all organizations looking for a secure file transfer solution.
FIPS 140-2 is a standard first published in 2001 by the U.S. National Institute of Standards and Technology (NIST), a non-regulatory agency of the U.S. Department of Commerce. NIST works to establish various standards that the U.S. military and various government agencies must abide by. Vendors, contractors, and any organization working with government or military must comply with FIPS as well. The Canadian government also has policies requiring FIPS-validated software, and it cooperates with NIST in establishing FIPS standards.
FIPS includes standards regarding the formatting of location and personal identification information, encryption algorithms, key storage, and other data processing areas. The purpose of FIPS is to ensure the security, quality, and processing compatibility of various services in an easily verified way. This page mostly concerns itself with FIPS 140-2, which covers the encryption requirements applicable to File Watchdogs FTP server software.
What does FIPS 140-2 Require?
In cases where a high level of security is required, a FIPS-validated data-transmitting application must 1) use algorithms and hash functions approved by FIPS 140-2, and 2) be validated by the Cryptographic Module Validation Program (CMVP). The CMVP is a testing process under the supervision of the U.S. NIST and the Communications Security Establishment (CSE, which performs NIST’s validation functions in Canada).
A FIPS-validated solution must use cryptographic algorithms and hash functions approved by FIPS. The following are three examples of such approved algorithms:
FIPS will not approve certain other encryption algorithms, such as the original 56-bit DES encryption developed three decades ago. Other algorithms considered too weak by recent standards include the very popular MD5, a widely used cryptographic hash function known to contain flaws, and CRC32, which is not a true data encryption method.
Many solutions claim to be “FIPS compliant.” This phrase is simply a claim that the solution aligns with FIPS requirements. To truly comply with FIPS, however, the solution needs to be FIPS validated. FIPS validation involves submitting detailed documentation and source code to NIST’s testing laboratories. In most cases, the testing process takes several months (6-9 months, on average). Consequently, creating FIPS-validated solutions not only involves using approved algorithms, but also providing software that is well documented, well engineered, and tested, and also is easily testable in ways that help move the validation process forward in a timely way.
You can view the FIPS 140-2 specification at: http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
NIST not only tests the software operationally, but also checks for security flaws, such as the incorrect use and disposal of keys in memory, and the predictability of “random” number generation. It also verifies the presence of module self-integrity checks (which prevent tampering), and checks for possible back doors and hard-coded keys. It is important to note that with file transfer software, both client and server applications must be validated. Other systems and processes involved in the software’s operation must be validated as well.
The validation process is sufficiently complex that entire software solutions have concerned themselves with creating documented, test-ready source code for third-party companies implementing FIPS. Therefore, for the reasons stated above, only a handful of file transfer products presently include FIPS-validated cryptography and processing.
The military and its vendors, who often deal in sensitive national security information, are frequently required to abide by FIPS. Federal and state government agencies that deal with citizens’ private information must also comply. Government vendors who require privacy with regard to personal and financial information can include financial institutions, information-processing vendors, healthcare-related vendors, educational institutions, and utilities. Vendors who deal with national security commonly include manufacturers and a wide variety of military contractors.
However, the FIPS standard is still relevant to companies not required to comply with government encryption regulations. As stated above, FIPS validation involves subjecting software to rigorous testing to determine whether flaws are present. Hence, solutions without this validation are more likely to contain vulnerabilities.
One example of a vulnerability was found recently in versions of the Debian and Ubuntu operating systems. It was found that the output of these systems’ random number generators could be predicted, presenting a significant security flaw. Since NIST specifically checks for this flaw during its validation process, it is unlikely that the flaw would have existed if the operating systems had been subject to NIST tests.
There are four levels of FIPS security:
Level 1: According to the FIPS specification, Level 1 “allows the software and firmware components of a cryptographic module to be executed on a general purpose computing system using an unevaluated operating system.” Users can run this level of security on ordinary hardware.
Level 2: Requires role-based authentication, seals that provide evidence of any physical tampering, and includes requirements regarding the software’s operating system.
Level 3: Adds a number of requirements to Level 2, including physical tamper resistance.
Level 4: Adds more stringent tamper-resistance requirements, plus resistance to environmental hazards.
Using OpenSSL FIPS (an open source project sponsored by Hewlett Packard, the DoD Military Health System, and the Open-Source Software Institute), File Watchdogs Server’s FIPS module supports AES (up to 256-bit), Triple DES, and HMAC SHA-1 encrypted transfer.
File Watchdogs Server’s encryption transfer, integrity checking (FTP, HTTP, and HTTPS), HTTPS transport, FTP commands, and data-stream encryption are all validated under the FIPS-validated module. These all use AES encryption for transaction privacy and HMAC SHA-1 for data-integrity checking. File Watchdogs FTP Server software is validated by FIPS certificate 918, with specific protocols validated by 613, 668, 701, and 352 (under the OSSI’s OpenSSL).
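The difference between a keyless checksum such as CRC32 and the keyed HMAC SHA-1 integrity check named above can be seen in a short Python sketch. This is an added example, not File Watchdogs or OpenSSL code; the key, the payload, and all function names are constructed for illustration.

```python
import hashlib
import hmac
import zlib

CHUNK = 64 * 1024  # bytes fed to the MAC per step, as when streaming a file


def crc32_of(data: bytes) -> int:
    """Keyless checksum: catches accidental corruption, nothing more."""
    return zlib.crc32(data) & 0xFFFFFFFF


def hmac_sha1_tag(key: bytes, data: bytes) -> bytes:
    """20-byte keyed tag over the payload, computed chunk by chunk."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    for offset in range(0, len(data), CHUNK):
        mac.update(data[offset:offset + CHUNK])
    return mac.digest()


def receiver_accepts_crc(data: bytes, checksum: int) -> bool:
    return crc32_of(data) == checksum


def receiver_accepts_hmac(key: bytes, data: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so timing does not leak the tag
    return hmac.compare_digest(hmac_sha1_tag(key, data), tag)


def demo() -> dict:
    key = b"constructed-demo-key"                      # constructed sample key
    original = b"PAY 100.00 TO ACCOUNT 1111\n" * 4000  # constructed payload
    altered = original.replace(b"1111", b"2222", 1)    # changed in transit

    sent_crc, sent_tag = crc32_of(original), hmac_sha1_tag(key, original)
    # A party without the key can recompute the CRC for the altered bytes,
    # but the only tag it can forward is the one made for the original.
    recomputed_crc = crc32_of(altered)
    return {
        "crc_catches_change_when_checksum_kept": not receiver_accepts_crc(altered, sent_crc),
        "crc_passes_when_checksum_recomputed": receiver_accepts_crc(altered, recomputed_crc),
        "hmac_accepts_original": receiver_accepts_hmac(key, original, sent_tag),
        "hmac_rejects_altered": not receiver_accepts_hmac(key, altered, sent_tag),
        "hmac_rejects_wrong_key": not receiver_accepts_hmac(b"another-key", original, sent_tag),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Every check reports True: the CRC only protects against changes made by someone who leaves the checksum alone, while the HMAC tag cannot be reproduced for altered data without the shared key.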
File Watchdogs FTP Server software delivers FIPS-validated solutions that meet or exceed FIPS 140-2 standards. A FIPS validation is difficult to obtain, but it is a necessity for many government agencies and the military, as well as many vendors who regularly deal with those entities. Additionally, FIPS’s lengthy and rigorous testing process is an excellent quality indicator for other parties looking for a secure file transfer solution.