Celestial Software

FIPS 140-2 encryption in AbsoluteTelnet/SSH version 7

Starting with AbsoluteTelnet / SSH version 7, AbsoluteTelnet will be using a FIPS 140-2 validated cryptographic library for SSH2 connectivity.  This guarantees all users the highest level of security available.  To help explain what FIPS 140-2 is and why you would want it, I've assembled the following FAQ:


  • What is FIPS 140-2?

FIPS 140-2 is a government encryption standard published by NIST.  It defines standards for the testing, validation, and certification of cryptography modules.  Independent labs test crypto modules for conformance with the standard, and if they pass the testing, the modules may obtain 'certified' status.  The full text of the specification can be found at the NIST website.  AbsoluteTelnet uses the Crypto++ cryptography module (cert# 819), which has been validated as FIPS 140-2 compliant.  Information, including source code, for the module can be found at the Crypto++ website.  The certificate can be viewed from the NIST site here.

  • What is a 'validated' cryptographic module? 

Validated cryptographic modules are software components (usually DLLs or shared libraries) that have been validated to be FIPS 140-2 compliant.  Validation is performed by accredited labs to ensure compliance.  AbsoluteTelnet uses a validated crypto module at the heart of all SSH2 operations (see above).  More information about module validation, its purpose, and its applicability can be found here.

  • Why would I need FIPS 140-2 validated software?

FIPS 140-2 validated software is REQUIRED for any government, military, or federal use by both the United States and Canada.  If encryption is in use in these environments, it MUST BE validated encryption.  Unvalidated encryption is considered to be no different than using no encryption at all.

For those of us outside of the military and government, FIPS 140-2 validation just means that we're using good secure software that has been tested and validated by an accredited third party.  These assurances give users of AbsoluteTelnet/SSH a higher degree of security than unvalidated commercial or Open Source products can provide.

  • What versions of AbsoluteTelnet/SSH include FIPS validated encryption?

All versions of AbsoluteTelnet beginning with version 7 include a FIPS 140-2 validated cryptography module for SSH2 communications.  All services that use SSH2 encrypted sessions, including X11 forwarding, port forwarding, and SFTP, also use the FIPS 140-2 validated encryption.

  • How do I enable FIPS mode in AbsoluteTelnet/SSH?

FIPS mode can be turned on and off using the "FIPS 140-2" mode option under Options->Properties->Connection->SSH2->Encryption.  The use of this mode, however, is controlled in part by options you choose at install time.  During the install, you are given a choice of three modes of operation:

  1. Enforced: All SSH2 connections will use FIPS mode.  FIPS mode cannot be disabled.
  2. Recommended:  By default, all new SSH2 connections that are created will use FIPS mode, but you can turn it off if you wish.
  3. Optional:  By default, SSH2 connections will NOT use FIPS mode unless you explicitly turn it on.


  • What restrictions does FIPS mode place on SSH2 operation?

When run in FIPS mode, AbsoluteTelnet uses only crypto algorithms available in the validated Crypto++ module.  This means that the encryption algorithm list is limited to AES and Triple-DES.  Because the SSH protocol allows encryption algorithms to be chosen on the fly and negotiated with the host, you might not even notice a difference between FIPS mode and non-FIPS mode.  If, for some reason, you require one of the other encryption algorithms supported by AbsoluteTelnet/SSH (blowfish, twofish, cast128, RC4), you must disable FIPS mode, as these algorithms are not supported by the validated module.
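
The sketch below is an added example, not AbsoluteTelnet code. It models how the three install-time modes and the per-connection option decide whether FIPS mode is active, and how the resulting AES/Triple-DES restriction plays out in SSH2 cipher negotiation. The cipher identifiers are the standard SSH2 names; the client preference order, the function names and the sample server lists are assumptions.

```python
# Added illustration: not AbsoluteTelnet code. Cipher names are standard SSH2
# identifiers; the client preference order below is an assumption.

FIPS_FAMILIES = ("aes", "3des")   # AES and Triple-DES, per the FAQ

# Hypothetical client preference list (most preferred first).
CLIENT_CIPHERS = [
    "aes256-ctr", "aes128-ctr", "twofish256-cbc", "blowfish-cbc",
    "aes128-cbc", "cast128-cbc", "arcfour", "3des-cbc",
]

def fips_active(install_mode, user_choice=None):
    """Resolve FIPS mode from the install-time policy and the
    per-connection option (None = the user left the default alone)."""
    if install_mode == "enforced":
        return True                      # cannot be disabled
    if install_mode == "recommended":
        return True if user_choice is None else user_choice
    if install_mode == "optional":
        return False if user_choice is None else user_choice
    raise ValueError(f"unknown install mode: {install_mode!r}")

def offered_ciphers(fips):
    """Ciphers the client advertises when key exchange starts."""
    if not fips:
        return list(CLIENT_CIPHERS)
    return [c for c in CLIENT_CIPHERS if c.startswith(FIPS_FAMILIES)]

def negotiate(client, server):
    """RFC 4253 section 7.1: the first cipher on the client's list
    that the server also lists is the one used."""
    for name in client:
        if name in server:
            return name
    return None                          # no common cipher: connection fails

def connect(install_mode, user_choice, server_ciphers):
    """Return (fips_mode_active, negotiated_cipher_or_None)."""
    fips = fips_active(install_mode, user_choice)
    return fips, negotiate(offered_ciphers(fips), server_ciphers)

if __name__ == "__main__":
    modern = ["aes128-ctr", "aes256-ctr", "3des-cbc"]   # constructed server list
    legacy = ["blowfish-cbc", "arcfour"]                # constructed server list
    for mode, choice, srv in [("enforced", False, modern),
                              ("enforced", False, legacy),
                              ("optional", None, legacy)]:
        print(mode, choice, srv, "->", connect(mode, choice, srv))
```

Against a host that offers AES, the negotiated cipher is the same with or without FIPS mode; against a host that offers only non-validated ciphers, an Enforced install has no common cipher and the connection cannot be established.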

  • Can I use SSH version 1 in FIPS mode?

No.  SSH1 is deprecated for all uses where SSH2 is available as a substitute.  SSH1 is still supplied as a supported protocol for backward compatibility, but it uses a different (non-validated) encryption library.  Due to the expense involved, it is not reasonable to provide FIPS certification for this module.


Last Updated on Thursday, March 05, 2009 03:57 pm  
