FIPS Mode

The United States Government's Federal Information Processing Standard (FIPS) 140-2 specifies security requirements for cryptographic modules. Cryptographic products are validated against a specific set of requirements and tested in 11 categories by independent, U.S. Government-certified testing laboratories. This validation is then submitted to the National Institute of Standards and Technology (NIST), which reviews the validation and issues a certificate. In addition, cryptographic algorithms may also be validated and certified based on other FIPS specifications. The list of validated products and the vendor's stated security policy (the definition of what the module has been certified to do) can be found at: http://csrc.nist.gov/groups/STM/cmvp/validation.htm.

To configure Reflection for Secure IT to run in FIPS mode, use the FipsMode keyword. This keyword is supported for both the client and server.

Note: If you change the FipsMode setting on the server, you need to restart the server for the change to take full effect. A SIGHUP signal puts new sessions into FIPS-mode, but does not affect existing connections.)

Enabling FIPS Mode has the following effects:

• All connections must be made using algorithms that meet FIPS 140-2 standards. Algorithms that don't meet these standards are not available, except where these algorithms are allowed by NIST for legacy compatibility.
• The minimum public key size allowed for authenticating for both users and hosts is reset from the default of 512 bits up to 1024 bits.
• Because Reflection for Secure IT cannot verify the FIPS status of SecurID, GSSAPI, and RADIUS binaries, these authentication methods need to be manually disabled by the system administrator if they are not FIPS validated. To ensure that you have disabled all PAM authentication methods that are not FIPS validated, disable PAM (UsePAM=no) in the server configuration file (/etc/ssh2/sshd2_config).