FIPS 140
Does anybody have experience with this security standard? We have a combination of mobile vehicles and fixed sites on a test grid. All are using either BR350's or WGB350's. We have 3 towers with one tower accessing the post LAN. All towers are using BR350's set up in root mode. The backbone between the towers are using Proxim QuickBridge 60's (1400 series were not available at the time).
We are planning on setting up more grids in the future, but need to comply with the FIPS 140-2 standard. Any DOD expertise out there?
Thanks
Tom
The only wireless-specific products I'm aware of are Fortress technology's AirFortress (which the army is using) and Cranite Sysems WirelessWall (which West Point is using. As far as I know those are AP to client solutions.
For you situation yu may want to you a VPN concentrator and a site-to-site VPN. See this link for current Cisco gear that is FIPS-140:
http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/networking_solutions_audience_business_benefit0900aecd8009a16f.html#fips
Similar Messages
-
Java 8 64 bit on Windows with NSS for FIPS 140 compliance
I have asked this question on Stackoverflow but I am beginning to think that this may be a better forum to ask.
According to JEP 131, Java 8 should provide a PKCS#11 Crypto provider for 64 bit Windows: https://blogs.oracle.com/mullan/entry/jep_131_pkcs_11_crypto.
With that in mind, I downloaded and built both 32 and 64 bit versions of NSS with NSPR using these instructions: https://developer.mozilla.org/en-US/docs/NSS_Sources_Building_Testing
I downloaded Java 8 for Windows 64 build b118, configured the java.security file and created a nss.cfg file:
Excerpt from java.security file:
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
security.provider.10=sun.security.pkcs11.SunPKCS11 /devel/nss.cfg
From my nss.cfg file:
# Use NSS as a FIPS-140 compliant cryptographic token
# SunPKCS11-NSS
name = NSS
#32 bit
#nssLibraryDirectory = C:\devel\nss\nss-3.15.3.1\dist\WINNT6.1_DBG.OBJ\lib
#64 bit
nssLibraryDirectory = C:\devel\nss\nss-3.15.3.1\dist\WINNT6.1_64_DBG.OBJ\lib
#non FIPS
#nssDbMode = noDb
#attributes = compatibility
#FIPS
nssSecmodDirectory = c:\devel\fipsdb
nssModule = fips
I ran the test suite that comes with NSS and it looks like all of the encryption/decryption tests passed (did have some issues with the tests that required hostname/domainname but that has to do with the Windows environment).
So here is the problem. I run my test encryption app on Java 7 32 bit with the 32 bit version of NSS and everything works great. When I attempt to run Java 8 64 bit with 64 bit NSS I get the following error:
java.security.ProviderException: Could not initialize NSS
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:212)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:103)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at sun.security.jca.ProviderConfig$2.run(Unknown Source)
at sun.security.jca.ProviderConfig$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jca.ProviderConfig.doLoadProvider(Unknown Source)
at sun.security.jca.ProviderConfig.getProvider(Unknown Source)
at sun.security.jca.ProviderList.getProvider(Unknown Source)
at sun.security.jca.ProviderList.getIndex(Unknown Source)
at sun.security.jca.ProviderList.getProviderConfig(Unknown Source)
at sun.security.jca.ProviderList.getProvider(Unknown Source)
at java.security.Security.getProvider(Unknown Source)
at sun.security.ssl.SunJSSE.<init>(Unknown Source)
at sun.security.ssl.SunJSSE.<init>(Unknown Source)
at com.sun.net.ssl.internal.ssl.Provider.<init>(Unknown Source)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.lang.reflect.Constructor.newInstance(Unknown Source)
at sun.security.jca.ProviderConfig$2.run(Unknown Source)
at sun.security.jca.ProviderConfig$2.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jca.ProviderConfig.doLoadProvider(Unknown Source)
at sun.security.jca.ProviderConfig.getProvider(Unknown Source)
at sun.security.jca.ProviderList.getProvider(Unknown Source)
at sun.security.jca.ProviderList$ServiceList.tryGet(Unknown Source)
at sun.security.jca.ProviderList$ServiceList.access$200(Unknown Source)
at sun.security.jca.ProviderList$ServiceList$1.hasNext(Unknown Source)
at javax.crypto.KeyGenerator.nextSpi(KeyGenerator.java:323)
at javax.crypto.KeyGenerator.<init>(KeyGenerator.java:158)
at javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:208)
at STSAESEncryption.generateKeyWithGenerator(STSAESEncryption.java:74)
at Main.main(Main.java:24)
Caused by: java.io.IOException: %1 is not a valid Win32 application.
at sun.security.pkcs11.Secmod.nssLoadLibrary(Native Method)
at sun.security.pkcs11.Secmod.initialize(Secmod.java:210)
at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:207)
... 36 more
Has JEP 131 been implemented with Windows/Java 64 bit as of b119? If so has it been verified to work with NSS or should I submit a bug report? I did download the code and the error is occurring in the following block of code at the line in bold (also with the arrow by it):
public synchronized void initialize(DbMode dbMode, String configDir,
String nssLibDir, boolean nssOptimizeSpace) throws IOException {
if (isInitialized()) {
throw new IOException("NSS is already initialized");
if (dbMode == null) {
throw new NullPointerException();
if ((dbMode != DbMode.NO_DB) && (configDir == null)) {
throw new NullPointerException();
String platformLibName = System.mapLibraryName("nss3");
String platformPath;
if (nssLibDir == null) {
platformPath = platformLibName;
} else {
File base = new File(nssLibDir);
if (base.isDirectory() == false) {
throw new IOException("nssLibDir must be a directory:" + nssLibDir);
File platformFile = new File(base, platformLibName);
if (platformFile.isFile() == false) {
throw new FileNotFoundException(platformFile.getPath());
platformPath = platformFile.getPath();
if (configDir != null) {
File configBase = new File(configDir);
if (configBase.isDirectory() == false ) {
throw new IOException("configDir must be a directory: " + configDir);
File secmodFile = new File(configBase, "secmod.db");
if (secmodFile.isFile() == false) {
throw new FileNotFoundException(secmodFile.getPath());
if (DEBUG) System.out.println("lib: " + platformPath);
---> nssHandle = nssLoadLibrary(platformPath);
if (DEBUG) System.out.println("handle: " + nssHandle);
fetchVersions();
if (supported == false) {
throw new IOException
("The specified version of NSS is incompatible, "
+ "3.7 or later required");
if (DEBUG) System.out.println("dir: " + configDir);
boolean initok = nssInitialize(dbMode.functionName, nssHandle,
configDir, nssOptimizeSpace);
if (DEBUG) System.out.println("init: " + initok);
if (initok == false) {
throw new IOException("NSS initialization failed");
this.configDir = configDir;
this.nssLibDir = nssLibDir;
Any help or advise about filing a bug report would be appreciated.
Thanks,Had a few similar short system freezes, after installing Windows 8 x64 on 13” MacBook Pro Mid-2010 with BootCamp 5.0.5033.
There is a suggestion that DisableDynamicTick may fix the problem: https://discussions.apple.com/message/21565295#21565295. There were similar topics at Microsoft forums: 1, 2, 3. It was said “that this will likely reduce system battery life, so it should be undone when you update your Windows build or if it doesn't resolve your issue”, and that “this problem is resolved in the release versions of Windows 8”.
Another possibility is that there is indeed a buggy driver, within BootCamp 5.0.5033, or a 3rd party, like a wireless network driver in the following case http://answers.microsoft.com/en-us/windows/forum/windows_8-performance/system-fr eeze-randomly-after-installing-windows-8/49488183-26cf-4389-af21-a85dc366c99a?pa ge=2#LastReply.
The problem has been noticeable on my MacBook, but not annoying enough yet to spend time troubleshooting. If you find a robust solution, using the links above or other method, it would be interesting to know.
HTH -
How to change the Windows Registry to enable FIPS 140 in Acrobat Pro XI?
Is there a set of instructions that identifies the registry key to enable FIPS 140?
http://www.adobe.com/devnet-docs/acrobatetk/tools/PrefRef/Windows/AVGeneral.html#FIPSCompl iance
Also some general info: 2 Pre-deployment Configuration — Digital Signatures Guide for IT
hth,
Ben -
FIPS 140-2 encryption for Acrobat 9 Pro on Mac?
I wonder if anyone can help? I need to send documents using the FIPS 140-2 standard. Is this possible on Mac I read somewhere that it isn't!! I don't want to buy another piece of software (i.e. PGP). Any suggestions? Needs to be fairly step by step help.
Many thanks.
RuralTimFIPS for Acrobat is indeed a Windows only feature.
see page 112 of this pdf: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3993&promoid=DTEHS
Can only suggest to setup a vm image of windows and download a trial of either Acrobat Pro 9 or APEX for inwdows and do it there. -
Is DBMS_CRYPTO FIPS 140-2 certified?
Sadly, I think that the answer is no. I am hoping someone more knowledgeable can contradict me. This link describes the Oracle Database FIPS certification status.
http://www.oracle.com/technology/deploy/security/seceval/oracle-fips140-validations.html.
This is the linked to certificate which applies to Oracle Cryptographic Libraries for SSL.
http://www.oracle.com/technology/deploy/security/seceval/pdf/140crt861.pdf
I have found nothing that includes DBMS_CRYPTO under Oracle Cryptographic Libraries for SSL. This link might imply that it is not, but I am unclear what might apply to DBMS_CRYPTO.
http://www.oracle.com/technology/deploy/security/as_security/sslfipsfaq_r1.html
Is Oracle Advanced Security’s SSL adapter also included in this FIPS evaluation?
No. Oracle SSL libraries that is only included in Oracle Application Server 10g (9.0.4) alone has received this FIPS 140-2 certification. We are considering evaluation of the Oracle SSL libraries included in the Oracle Database at the earliest.
So in summary, it appears that Oracle has gone through the work to certify the Java libraries, but not the PL/SQL library.
TIA
Edited by: rmonical on May 26, 2009 4:12 PMThe best source of Oracle online documentation is http://tahiti.oracle.com.
If you go there and search, I did it under 10gR2, for "FIPS" you will find a tremendous amount of material with respect to the Oracle Database and FIPS.
And unless I misunderstand your question you are totally incorrect.
The Oracle database is in full compliance with FIPS 127-2. -
Time Table for File Vault 2 FIPS-140-2 Certification
I believe I read something that Lion/File Vault 2 encryption was submitted to NIST for FIPS-140-2 certification. I know that IOS 5 is first to be certified, but does anyone know the time table for Lion/File Vault 2 to be certified? I was told a few months ago that it would be certified by 12/31/2011. Any update would be appreciated.
Disclosure: I work for NIST, but not in the Computer Security Div. (the group that issues the certificates).
Looking at the NIST list of validated modules, Lion's crypto module recieved its certification on 3/30/12, but I don't know if this applies to all apps or just the libraries. It doesn't apply to 3rd party apps yet (note says it will be re-evaluated for that use). I wouldn't think File Vault is a "third party" app.
I'll post more if I find out anything. -
Is Solaris 10 apache package fips-140-2 compatible?
I've been going around and around with a remote sys admin that insists that we use the Solaris 10 apache package for our webserver. At first glance, it does not appear to be fips compatible. He points to the "crypt" command as being compatible and therefore concludes that apache is too. If apache has been updated to use newer OpenSSL it could be but the Solaris 10 included OpenSSL is version 0.9.7d which does not appear to include SHA-256 or other fips hashes.
Hi,
for a FIPS-140 version of OpenSSL libraries you need to update to at least Solaris 11.2.
Regards,
Ronald -
Error when installing certificate - FIPS-140 compliance.
Hi,
I am having an issue installing a certificate on my LaserJet M750 printer. The error is: "The cryptographic algorithms used in the ID or CA certificate do not comply with FIPS-140."
We can recreate the issue by:
converting cert and key to pfx
selecting "Networking"
login
selecting "Certificates"
selecting "Configure under Jetdirect Certificate".
selecting "Import Certificate and Private Key".
selecting "Browse" and choosing converted pfx file.
provide password and select finish.
Any help is greatly appreciated. I can provide more information if necessary.
Thanks!
BLIf your phone doesn't work (can't turn on), try a hard reset.Turn off your phone. Press and hold three keys together, the green, the * key, and the number 3.Then turn on your phone and don't let the keys before you see the nokia hands logo (or the formatting screen).
If you want to thank someone, just click on the blue star at the bottom of their post -
SunJCE compliant to FIPS-140-2 standard or not?
Hi Folks,
I am using encryption/ decryption (DES and AES) in my project .
For that I am using javax.crypto and javax.crypto.spec package and the security provider used is SUNJCE.
Please let me know whether JDK is compliant to the FIPS 140-2 standard or not. If it is compliant , also let me know from which version of JDK onwards it will compliant to that standard.
Look forward your reply soon.
Thanks
R.RavikumarHi ,
Thanks for your immediate response. I really appriciate that.
I search in the google and found that IBM's versions of JSSE and JCE have been FIPS 140-2 certified, and are FIPS 140-2 compliant.
I can see the same in the below link
http://csrc.nist.gov/cryptval/140-1/1401vend.htm
And I didn't see the SunJCE in the above link and it seems that Sun's versions of JSSE and JCE are not FIPS 140-2 cmpliant.
Also I see the link which you have pointed out in the earlier, it seems JCE of JDK1.6 is compliant to FIPS 140-2.
I am really confused, Please let me know your thoughts on that.
Look forward your response.
Thanks
R.Ravikumar -
Mountain Lion finally FIPS 140-2 approved
I have seen no press coverage about this nor mention here in the forums, nor announcement by Apple. Perhaps even Apple are as yet unaware of this
Mountain Lion and iOS 6 have both finally received offical FIPS 140-2 certification. You can see this by going to the following page and searching for Apple.
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
This should mean it is now possible to use FileVault2 instead of third-party equivalents such as PGP or CheckPoint or Sophos or WinMagic.
(Have I got a news scoop here )
PS. The following article will also be important - http://support.apple.com/kb/ht5396NSS is a set of security libraries written in C so you can certainly use C APIs to access it as well. JSS is the Java interface to NSS. You can either use the JSS API directly or use Sun's PKCS11 wrapper which gives you access to most of the NSS functionalities.
-
Is PhoneFactor compliant with FIPS 140-2 Security Level 1?
Hi, I'm looking for a "hard token" two-factor authentication solution for a medical application. I have a firm external requirement that the hard token used must "meet FIPS 140-2 Security Level 1 for cryptographic devices."
Given that a cell phone is not a cryptographic device, per se, can I assume that use of PhoneFactor would not meet this requirement? Or would it?
Thanks,
-DennisWindows Azure Multi-Factor Authentication (formerly PhoneFactor) has not been FIPS 140-2 certified because FIPS 140-2 doesn't apply to the solution.
Has there been any updates on expanding Azure and getting it FIPS 140-2 certified? -
Are JSSE or JCE FIPS 140 compliant ?
I have looked throught as much documentation as I can handle trying to find out if these packages are FIPS 140 compliant. I cannot find anything. I have looked at the web page http://csrc.nist.gov/cryptval/140-1/140val-all.htm and do not see anything from Sun as being approved. This is unfortunate and suprising to me that Sun has not put their own code through the approval process. Therefore I am unable to use the JSSE and JCE, and must use RSA BSAFE, which costs a fortune.
Can anyone shed some light on this topic.
...Thank you.
MarkI looked into this issue extensively last fall as we have a requirement
to use a NIST certified encryption algorithm. At that time, the
descriptions of Cert#s 247 & 248 in the table at
http://csrc.nist.gov/cryptval/140-1/140val-all.htm looked very
different. In fact, a reference to
http://www.mozilla.org/projects/security/pki/nss/ appeared in the
description as a means of obtaining a copy of NSS. I downloaded a
version of NSS and attempted to use it (along with the JSS package
also available at the mozilla site). After experimenting with NSS and
JSS for some time, I just could not get it to work (can't recall now
exactly what the issues were at that time).
We abandoned the NSS approach with the expectation of obtaining a
temporary exemption of this requirement; however, this requirement has
now come full circle and is back on my plate. If we have to purchase
a third-party tool, so be it; however, it would sure be nice to hear
from the source exactly what, if anything, is occurring with regards
to NIST certification. Thanks.
-Mark
I have looked throught as much documentation as I can
handle trying to find out if these packages are FIPS
140 compliant. I cannot find anything. I have looked
at the web page
http://csrc.nist.gov/cryptval/140-1/140val-all.htm and
do not see anything from Sun as being approved. This
is unfortunate and suprising to me that Sun has not
put their own code through the approval process.
Therefore I am unable to use the JSSE and JCE, and
must use RSA BSAFE, which costs a fortune.
Can anyone shed some light on this topic.
...Thank you.
Mark -
ILOM and FIPS 140-2 encryption
Is it possible to configure Sun Integrated Lights Out Manager v3 to use encryption algorithms that are certified as FIPS 140-2 compliant?
FIPS for Acrobat is indeed a Windows only feature.
see page 112 of this pdf: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3993&promoid=DTEHS
Can only suggest to setup a vm image of windows and download a trial of either Acrobat Pro 9 or APEX for inwdows and do it there. -
FIPS 140-1 and FIPS 140-2 cryptographic module certification
Has Apple submitted its 128-bit AES encryption module to the Cryptographic Standards and Validation Programs at NIST for certification? If so, and even if under another vendor's name, has it been certified and thus could I have the validation certificate # and module name?
I work for a Federal agency that requires that on-disk encryption of protected information be done so with a FIPS 140 certified module in FIPS 140-compliant operation. I fear having to stop using my Macintoshes and having to switch to Windows XP in order to comply.Hi, Courtney. Welcome to the Discussions.
See Apple's "IT Pro - Government" page. If you don't find what you need there, there's a link to e-mail the Apple Federal Security Team re: FIPS 140-2.
Good luck!
Dr. Smoke
Author: Troubleshooting Mac® OS X -
SafeGuard PrivateDisk FIPS 140-2 compliant?
Hello. Got a new client that needs a laptop that complies with FIPS 140-2. It appears that SafeGuard Easy has indeed been awarded the necessary validation but I can't figure out if Thinkvantage's PrivateDisk is compliant as well.
Is there a ThinkPad (with or without ThinkVantage) available that utilizies certified 140-2 encryption?
ThanksI believe that the UC500 itself is not certified, but all the components that make it (IOS, IPSEC, encrypted voice, etc) are there and are certified.
http://www.cisco.com/web/strategy/government/security_certification/net_business_benefit_seccert_fips140.html
Maybe you are looking for
-
Credit block order which is release once
hi gurus My requirement is ____ my Clint release order form credit block and give a credit note.But again they want to block that order for credit. Means they create order,delivery,billing and release the order from credit block.But now they again w
-
Optical drive (CD/DVD burner) not detected by Windows - dv9812us
I've been dealing with the same or at least a similar situation for the past week. I've got an HP dv9812us running Vista home premium SP 2. The drive is detected by the BIOS because it attempts to boot from the drive, the light blinks, and you can o
-
Packets sent out the wrong Interface on Hyper-V 2012 Failover Cluster
Here is some background information: 2 Dell PowerEdge servers running Windows Server 2012 w/ Hyper-V in a Failover Cluster environment. Each has: 1 NIC for Live Migration 192.168.80.x/24 (connected to a private switch) 1 NIC for Cluster Communicatio
-
Having already downloaded Lion on to my hard drive, I would like to have an external copy available. I would like to have this on a USB drive. When I go into the App Store, the link shows I have already downloaded and I am not allowed to do so agai
-
Maximum encrypted message size
Hi all, What is the largest size message that can be encrypted by the IronPort ESA PXE engine? Is this a configurable parameter? Thanks very much, - Steve