MNWA
Reputation: 131
How to make existing Java code FIPS 140-2 compliant?
We have some Java library performing AES and RSA encryptions (using javax.crypto.Cipher).
A new requirement came in to make the code FIPS 140-2 compliant. Reading some articles what I understood is that I have to change the followings in the java.security file in JDK/JRE and recompile the code. Will that make my library FIPS 140-2 compliant?
#Use these three providers for FIPS compliant
security.provider.1=com.rsa.jsafe.provider.JsafeJCE
security.provider.2=com.rsa.jsse.JsseProvider
security.provider.3=sun.security.provider.Sun
#Disable the below providers for FIPS compliant
#security.provider.1=sun.security.provider.Sun
#security.provider.2=sun.security.rsa.SunRsaSign
#security.provider.3=sun.security.ec.SunEC
#security.provider.4=com.sun.net.ssl.internal.ssl.Provider
#security.provider.5=com.sun.crypto.provider.SunJCE
#security.provider.6=sun.security.jgss.SunProvider
#security.provider.7=com.sun.security.sasl.Provider
#security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
#security.provider.9=sun.security.smartcardio.SunPCSC
#security.provider.10=sun.security.mscapi.SunMSCAPI
Is there any other changes I need to perform, like using any special jar, compiling with any argument, etc.?
Upvotes: 6
Views: 7369
Answers (1)
cactuschibre
Reputation: 2375
To be FIPS 140-2 compliant:
- You have to use a FIPS 140-2 approved cryptographic modules. It will provides the approved cryptographic implementations. See: https://csrc.nist.rip/groups/STM/cmvp/documents/140-1/140val-all.htm. Read the description and/or the certificate to know the version to use.
- For each cryptographic operations (signature, encryption, key establishment, hashing ...) you also have to use approved security algorithms and parameters. Read: https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402annexa.pdf. The document provides also a lot of references about the configuration of the security functions (key size, elliptic curve, ...).
For your case:
- AES128, AES192 or AES256 for encryption, with operation mode GCM, CCM, CTR, CBC, CFB, OFB (Or XTS for storage).
- RSA for Key Establishment or Signature with key size of 2048 bits minimum.
Upvotes: 3
Related Questions
- How do I check for FIPS compliance at compile time?
- Which JCE providers are FIPS 140-2 compliant?
- What is compliance with FIPS 140-2 in CRYPTOPP?
- Configure Oracle JDK to use IBM JCE/JSSE providers for FIPS compliance
- How to set Oracle JDK support FIPS mode
- FIPS Compliance for my Android project
- Java 8 64 bit on Windows with NSS for FIPS 140 compliance
- OpenSSL FIPS 140-2 Compliance with Tomcat 5 or any version
- What are the benefits of using fips for the JCE?
- What does it mean for an application to be FIPS 140 compliant?