FIPS 140-2 encryption in AbsoluteTelnet/SSH version 7

Monday, March 02, 2009 07:14 pm Brian T. Pence
Starting with AbsoluteTelnet / SSH version 7, AbsoluteTelnet will be using a FIPS 140-2 validated cryptographic library for SSH2 connectivity.  This guarantees all users the highest level of security available.  To help explain what FIPS 140-2 is and why you would want it, I've assembled the following FAQ:

 

FIPS 140-2 is a government encryption standard published by NIST.  It defines standards for testing, validating, and certifying cryptography modules.  Independent labs test crypto modules for conformance with the standard, and if they pass the testing, the modules may obtain 'certified' status.  The full text of the specification can be found at the NIST WEBSITE.  AbsoluteTelnet uses the Crypto++ cryptography module (cert# 819), which has been validated as FIPS 140-2 compliant.  Information, including source code, for the module can be found at the Crypto++ WEBSITE.  The certificate can be viewed from the NIST site here.

Validated cryptographic modules are software components (usually DLLs or shared libraries) that have been validated to be FIPS 140-2 compliant.  Validation is performed by accredited labs to ensure compliance.  AbsoluteTelnet uses a validated crypto module at the heart of all SSH2 operations (see above).  More information about module validation, its purpose, and its applicability can be found here.

FIPS 140-2 validated software is REQUIRED for any government, military, or federal use by both the United States and Canada.  If encryption is in use in these environments, it MUST BE validated encryption.  Unvalidated encryption is considered to be no different than using no encryption at all.

For those of us outside of the military and government, FIPS 140-2 validation just means that we're using good secure software that has been tested and validated by an accredited third party.  These assurances give users of AbsoluteTelnet/SSH a higher degree of security than unvalidated commercial or Open Source products can provide.

All versions of AbsoluteTelnet from version 7 onward include a FIPS 140-2 validated cryptography module for SSH2 communications.  All services that use SSH2 encrypted sessions, including X11 forwarding, port forwarding, and SFTP, also use the FIPS 140-2 validated encryption.

FIPS mode can be turned on and off using the "FIPS 140-2" mode option under Options->Properties->Connection->SSH2->Encryption.  The use of this mode, however, is controlled in part by options you choose at install time.  During the install, you are given a choice of three modes of operation:

  1. Enforced: All SSH2 connections will use FIPS mode.  FIPS mode cannot be disabled.
  2. Recommended:  By default, all new SSH2 connections that are created will use FIPS mode, but you can turn it off if you wish.
  3. Optional:  By default, SSH2 connections will NOT use FIPS mode unless you explicitly turn it on.

 

When run in FIPS mode, AbsoluteTelnet uses only crypto algorithms available in the validated Crypto++ module.  This means that the encryption algorithm list is limited to AES and Triple-DES.  Because the SSH protocol allows encryption algorithms to be chosen on the fly and negotiated with the host, you might not even notice a difference between FIPS mode and non-FIPS mode.  If, for some reason, you require one of the other encryption algorithms supported by AbsoluteTelnet/SSH (blowfish, twofish, cast128, RC4), you must disable FIPS mode as these algorithms are not supported by the validated module.
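The following added example (not AbsoluteTelnet code) shows how restricting the client to AES and Triple-DES changes the outcome of SSH2 cipher negotiation: it parses the server's SSH_MSG_KEXINIT name-lists and applies the RFC 4253 rule that the first cipher on the client's list that the server also offers is chosen. The cipher names, the client preference order and both server offers are constructed assumptions.

```python
import struct

# Assumption: SSH cipher names (RFC 4253/4344) for the AES and Triple-DES
# families the page says FIPS mode allows; AbsoluteTelnet's real list may differ.
FIPS_CIPHERS = {"aes128-ctr", "aes192-ctr", "aes256-ctr",
                "aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc"}
KEXINIT_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s",
                  "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def build_kexinit(lists):
    """Build an SSH_MSG_KEXINIT payload (used here to make sample input)."""
    out = bytes([20]) + bytes(16)            # message type 20, 16-byte cookie
    for field in KEXINIT_FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(names)) + names
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Return the ten name-lists of an SSH_MSG_KEXINIT payload as a dict."""
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, lists = 17, {}
    for field in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        lists[field] = raw.decode("ascii").split(",") if raw else []
        pos += 4 + n
    return lists

def negotiate_cipher(client_prefs, server_offer, fips_mode):
    """RFC 4253 7.1: first client cipher the server also lists, or None."""
    if fips_mode:
        client_prefs = [c for c in client_prefs if c in FIPS_CIPHERS]
    return next((c for c in client_prefs if c in server_offer), None)

# Constructed sample data: a hypothetical client preference order and two servers.
CLIENT_PREFS = ["blowfish-cbc", "aes256-ctr", "aes128-cbc", "3des-cbc", "arcfour"]
MODERN = parse_kexinit(build_kexinit(
    {"enc_c2s": ["aes256-ctr", "aes128-cbc", "blowfish-cbc"]}))["enc_c2s"]
LEGACY = parse_kexinit(build_kexinit(
    {"enc_c2s": ["blowfish-cbc", "arcfour"]}))["enc_c2s"]

if __name__ == "__main__":
    for name, offer in (("modern", MODERN), ("legacy", LEGACY)):
        print(name, [negotiate_cipher(CLIENT_PREFS, offer, f) for f in (False, True)])
```

A `None` result corresponds to the case where both sides must disconnect, which is what a FIPS-mode client would hit against a host that offers only non-validated ciphers.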

No.  SSH1 is deprecated for all uses where SSH2 is available as a substitute.  SSH1 is still supplied as a supported protocol for backward compatibility, but it uses a different (non-validated) encryption library.  Due to the expense involved, it is not reasonable to provide FIPS certification for this module.

 

Last Updated on Thursday, March 05, 2009 03:57 pm