FIPS-Certified Cryptographic Library

Tectia Client, ConnectSecure, and Server can be operated in FIPS mode, using a version of the cryptographic library that has been certified according to the Federal Information Processing Standard (FIPS) 140-2.

The full OpenSSL cryptographic library is distributed with Tectia Client, ConnectSecure, and Server. However, only the algorithms provided by the fipscanister object in the library are used by Tectia Client, ConnectSecure, and Server. The OpenSSL FIPS-certified cryptographic library is used to provide the following classes of functions:

Table 3.1. APIs used from the OpenSSL library

APIDescriptionFunctions from OpenSSL
Random numbersFIPS-approved AES PRNG based on ANSI X9.32 is used from the OpenSSL library.FIPS_rand_*
AES ciphersVariants: ecb, cbc, cfb, ofb, ctrAES_*
DES ciphersVariants: ecb, cbc, cfb, ofbDES_*
3DES ciphersVariants: ecb, cbc, cfb, ofbDES_*
Math libraryBignum math library used by OpenSSL.BN_*
Diffie Hellman DH_*
Hash functionsVariants: sha1, sha-224, sha-256, sha-384, sha-512SHA1_*, SHA256_*, SHA512_*
Public KeyVariants: rsa and dsaRSA_*, DSA_*

No certificate functions are used from the OpenSSL library. Tectia provides its own certificate libraries.

The FIPS 140-2 Cryptographic Library is available on the operating systems supported by Tectia, except for Tectia Server for Linux on IBM System z and Tectia Server for IBM z/OS which do not support OpenSSL FIPS-certified cryptographic libraries. They support hardware acceleration on FIPS cryptographic operations.