Enabling FIPS-140 compliance for Java based SSL/TLS applications

FIPS-140* compliance has gained overwhelming attention these days and has become a mandatory requirement for several security-sensitive applications (mostly in government and security solutions, and recently in select finance industry solutions, particularly for achieving compliance with regulatory mandates such as PCI DSS, FISMA, HIPAA, etc.). FIPS-140 also helps define security requirements for supporting integration with cryptographic hardware and software tokens. Ensuring FIPS compliance for Java-based application security has been one of the demanding needs of security enthusiasts, but unfortunately neither Sun JCE nor JSSE is FIPS-140 certified yet – hopefully soon! Sun JDK 6 (and above) has also introduced several enhancements, including support for enabling FIPS-140 compliance for Sun JSSE using FIPS-140 certified cryptographic providers for SSL/TLS communication and the associated cryptographic operations. To accomplish this, Java 6 uses the PKCS#11 support for JSSE to integrate with a PKCS#11 based FIPS-140 cryptographic token.

 

Lately I worked on a security solution using SunJSSE with NSS as a software cryptographic token… and here is my tipsheet for those keen on playing FIPS conformance with SunJSSE.

 

  • SunJSSE can be configured to run in FIPS-140 compliant mode as long as it uses a FIPS-140 certified cryptographic hardware or software provider that implements all cryptographic algorithms required by JSSE (e.g. Network Security Services – NSS, Sun Cryptographic Accelerator 6000, nCipher, etc.).

 

  • To enable FIPS mode, edit the file ${java.home}/lib/security/java.security and modify the line that lists com.sun.net.ssl.internal.ssl.Provider so that it is followed by the name of the FIPS-140 cryptographic provider (e.g. SunPKCS11-NSS). The provider name is the prefix SunPKCS11- concatenated with the name specified in the PKCS#11 provider's configuration file.

                            security.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS

 

  • When using NSS as the cryptographic software token (use NSS 3.1.1 or above), and assuming the libraries are located under the /opt/nss/lib directory and the key database files (with the suffix .db) are under the /opt/nss/fipsdb directory, the sample configuration representing NSS is as follows:

                            # Use NSS as a FIPS-140 compliant cryptographic token
                            # SunPKCS11-NSS
                            name = NSS
                            nssLibraryDirectory = /opt/nss/lib
                            nssSecmodDirectory = /opt/nss/fipsdb
                            nssModule = fips

  • In FIPS mode, SunJSSE will perform SSL/TLS 1.0 based communication and cryptographic operations including symmetric and asymmetric encryption, signature generation and verification, message digests and message authentication codes, key generation and key derivation, random number generation, etc.
  • For the cipher suites supported by SunJSSE, refer to the Sun JSSE documentation and its notes for FIPS guidance.
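
The provider naming rule and the two configuration files above can be cross-checked before the JVM is started. The following is an added example, not code from the original post or from Sun: the class FipsConfigCheck and its methods are hypothetical names, the inputs are constructed samples mirroring the settings shown above, and it assumes both files can be read as simple key = value text.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

public class FipsConfigCheck {
    static final String JSSE = "com.sun.net.ssl.internal.ssl.Provider";

    // Provider name = prefix "SunPKCS11-" + the "name" attribute of the PKCS#11 config.
    static String pkcs11ProviderName(Properties pkcs11Cfg) {
        return "SunPKCS11-" + pkcs11Cfg.getProperty("name", "").trim();
    }

    // Returns null when the two files agree, otherwise a description of the mismatch.
    static String check(Properties javaSecurity, Properties pkcs11Cfg) {
        if (!"fips".equals(pkcs11Cfg.getProperty("nssModule", "").trim()))
            return "nssModule is not 'fips'";
        String expected = pkcs11ProviderName(pkcs11Cfg);
        for (String key : javaSecurity.stringPropertyNames()) {
            if (!key.startsWith("security.provider.")) continue;
            String[] parts = javaSecurity.getProperty(key).trim().split("\\s+");
            if (!parts[0].equals(JSSE)) continue;
            // A bare SunJSSE entry means no FIPS token is associated with it.
            if (parts.length < 2) return key + ": SunJSSE has no FIPS provider argument";
            if (!parts[1].equals(expected))
                return key + ": SunJSSE names " + parts[1] + ", expected " + expected;
            return null;
        }
        return "SunJSSE provider line not found";
    }

    static Properties load(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text));
        return p;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: the java.security line and NSS config from above.
        Properties sec = load("security.provider.4=" + JSSE + " SunPKCS11-NSS\n");
        Properties nss = load("name = NSS\nnssLibraryDirectory = /opt/nss/lib\n"
                + "nssSecmodDirectory = /opt/nss/fipsdb\nnssModule = fips\n");
        String problem = check(sec, nss);
        System.out.println(problem == null ? "FIPS configuration is consistent" : problem);
    }
}
```

Changing the name attribute in the sample NSS configuration without updating the java.security line makes check() report the mismatch.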

 

* FIPS-140 is a US Federal data security standard approved by the National Institute of Standards and Technology (NIST) – The current version is FIPS-140-2. All US government agencies are mandated to use only FIPS-conformant/validated products for deploying security sensitive applications and solutions.

5 thoughts on “Enabling FIPS-140 compliance for Java based SSL/TLS applications”

  1. Sanj

    Hi Ramesh,

    Thanks for a set of very good informative blogs.

    I found that there seems to be no good detailed document on how to enable the FIPS compliance in Java.

    The SUN documentation also does not explain detailed steps involved.

    Please can you blog/share on the detailed procedure and how it actually works.

    Thanks and Regards,
    Sanj

  2. Prasad

    Hi Ramesh,

    Please can you blog/share on the detailed procedure and how it actually works.

    regards
    Yaramati
