FIPS support

BlueZone Desktop uses one or more FIPS 140-2 validated cryptographic modules for encryption and decryption. The exact modules used depend on the Windows operating system in use and, for secure host sessions, on the session's configured security settings. For file or password encryption, BlueZone uses the Microsoft Crypto API. For secure host sessions, BlueZone uses, depending on the session configuration, either the OpenSSL FIPS Object Module by the Open Source Software Institute or the Microsoft Crypto API.

The master list of FIPS 140-2 validation certificates can be found at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm.

Some of the FIPS 140-2 validation certificates for the Microsoft Crypto API are:
  • #893 - Windows Vista Enhanced Cryptographic Provider

  • #989 - Windows XP Enhanced Cryptographic Provider

  • #1330 - Windows 7 Enhanced Cryptographic Provider

  • #1894 - Windows 8 Enhanced Cryptographic Provider

Note: Different Windows operating systems, or different revisions of the operating systems listed above, may have different or additional certificates; consult the master list at the website above.

The cryptographic modules above must be put into FIPS mode in order to operate in a manner consistent with their FIPS 140-2 validations. The Microsoft Crypto API modules' FIPS setting can be found and changed through the Windows Control Panel. On Windows 7 the setting is at: Control Panel, Administrative Tools, Local Security Policy, Local Policies, Security Options, "System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms". FIPS mode can also be found and changed directly through the registry by setting:
  • HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled (Windows Vista and later)

  • HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy (earlier Windows versions)

If Windows is operating in FIPS mode, then BlueZone's cryptographic functions using the Crypto API will operate in FIPS mode.

BlueZone's cryptographic functions using the OpenSSL FIPS Object Module depend on whether BlueZone is installed in FIPS mode or not. This is controlled by the following settings in the [BZSetup] section of the setup.ini file:
  FIPSMode=Yes
  FIPSMode=No

The BlueZone FIPS mode setting can be determined by viewing the About Box in a BlueZone module which supports secure sessions (Mainframe, iSeries, VT, FTP). In Mainframe and iSeries sessions, the About tab in the Connection Properties contains the FIPS mode settings for both OpenSSL and Windows.
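The two settings above are independent, so a host can be in Windows FIPS mode while BlueZone was installed with FIPSMode=No, or the reverse. The following PowerShell script is an added example, not BlueZone's own tooling: it reads the FipsAlgorithmPolicy registry setting (both the Vista-and-later and the earlier layout) and the [BZSetup] FIPSMode key from a setup.ini, and warns when the two disagree. The setup.ini path is an assumed location and should be replaced with the real one.

```powershell
# Added example: compare Windows FIPS mode with the BlueZone installer FIPSMode setting.
param(
    [string]$SetupIni = 'C:\BlueZone\setup.ini'   # assumed path; adjust to the real installer setup.ini
)

function Get-WindowsFipsMode {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # Windows Vista and later: FipsAlgorithmPolicy is a key holding an Enabled DWORD
    $newStyle = Get-ItemProperty -Path "$lsa\FipsAlgorithmPolicy" -Name Enabled -ErrorAction SilentlyContinue
    if ($null -ne $newStyle) { return [bool]$newStyle.Enabled }
    # Earlier Windows versions: FipsAlgorithmPolicy is a DWORD value directly under Lsa
    $oldStyle = Get-ItemProperty -Path $lsa -Name FipsAlgorithmPolicy -ErrorAction SilentlyContinue
    if ($null -ne $oldStyle) { return [bool]$oldStyle.FipsAlgorithmPolicy }
    return $false   # neither setting present: Windows is not in FIPS mode
}

function Get-BlueZoneFipsMode {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return $null }
    $section = ''
    foreach ($line in Get-Content -Path $Path) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        # Only the FIPSMode key inside [BZSetup] is relevant (comparisons are case-insensitive)
        if ($section -eq 'BZSetup' -and $trimmed -match '^FIPSMode\s*=\s*(\S+)') {
            return ($Matches[1] -eq 'Yes')
        }
    }
    return $null   # [BZSetup] FIPSMode key not present
}

$windowsFips  = Get-WindowsFipsMode
$blueZoneFips = Get-BlueZoneFipsMode -Path $SetupIni

"Windows FIPS mode (Crypto API):          $windowsFips"
"BlueZone FIPSMode (OpenSSL FIPS module): $(if ($null -eq $blueZoneFips) { 'not found' } else { $blueZoneFips })"

if ($windowsFips -and $blueZoneFips -ne $true) {
    Write-Warning 'Windows is in FIPS mode but BlueZone was not installed with FIPSMode=Yes; OpenSSL-based secure sessions will not run in FIPS mode.'
}
if (-not $windowsFips -and $blueZoneFips -eq $true) {
    Write-Warning 'BlueZone FIPSMode=Yes but Windows is not in FIPS mode; Crypto API functions (file and password encryption) will not run in FIPS mode.'
}
```

Run it from an elevated prompt on the workstation where BlueZone is installed; reading HKLM does not require elevation, but the setup.ini may sit in a protected folder.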

The following BlueZone features are disabled when in FIPS mode:
  • SSH

  • SSLv3

  • VT single sign on using Kerberos

  • iSeries sign on screen bypass using DES or Kerberos