Federal Information Processing Standard (FIPS)

The United States Government's Federal Information Processing Standard (FIPS) 140-2 specifies security requirements for cryptographic modules. Cryptographic products are validated against a specific set of requirements and tested in 11 categories by independent, U.S. Government-certified testing laboratories. This validation is then submitted to the National Institute of Standards and Technology (NIST), which reviews the validation and issues a certificate. In addition, cryptographic algorithms may also be validated and certified based on other FIPS specifications. The list of validated products and the vendor's stated security policy (the definition of what the module has been certified to do) can be found at: http://csrc.nist.gov/groups/STM/cmvp/validation.htm.

To configure Reflection for Secure IT to run in FIPS mode, select Use only FIPS-140 certified cryptography algorithms from the Encryption pane.

Note: You need to restart the server after changing FIPS mode for the change to take effect.


Enabling FIPS Mode has the following effects:

  • All connections must be made using algorithms that meet FIPS 140-2 standards. Algorithms that don't meet these standards are not available, except where these algorithms are allowed by NIST for legacy compatibility.
  • Minimum public key sizes for both user and host keys and certificates are reset from the default of 512 bits up to 1024 bits. Previously configured keys that do not meet this threshold will not be used.
  • If the Windows FIPS Local Policy Flag ('Use FIPS compliant algorithms for encryption, hashing, and signing') is not enabled, host certificates from the Windows local computer must have exportable private keys to be used for server authentication. If the Windows FIPS Local Policy Flag is enabled, the server allows use of any certificate that meets FIPS standards.

    Note: To ensure that your version of Windows is correctly configured and uses FIPS-validated modules, refer to Microsoft FIPS 140 documentation (http://technet.microsoft.com/en-us/library/cc750357.aspx).

  • Because Reflection for Secure IT cannot verify the FIPS status of SecurID, GSSAPI/SSPI, and RADIUS binaries, these authentication methods need to be manually disabled by the system administrator if they are not FIPS validated.

Related Topics

Supported Cryptographic Algorithms