forum traveling

Celestial Software

...better by design

Home Support Online Help SSH Features FIPS 140-2 encryption in AbsoluteTelnet/SSH version 7

FIPS 140-2 encryption in AbsoluteTelnet/SSH version 7

E-mail Print

Starting with AbsoluteTelnet / SSH version 7, AbsoluteTelnet will be using a FIPS 140-2 validated cryptographic library for SSH2 connectivity.  This guarantees all users the highest level of security available.  To help explain what FIPS 140-2 is and why you would want it, I've assembled the following FAQ:


  • What is FIPS 140-2?

FIPS 140-2 is a government encryption standard published by the NIST.  It defines standards for testing, validating, and certification of cryptography modules.  Independent labs test crypto modules for conformance with the standard and if they pass the testing, the modules may obtain 'certified' status.  The full text of the specification can be found at the NIST WEBSITE.  AbsoluteTelnet uses the Crypto++ cryptography module (cert# 819) which has been validated as FIPS 140-2 compliant.  Information, including source code, for the module can be found at the Crypto++ WEBSITE.  The certificate can be viewed from the NIST site here.

  • What is a 'validated' cryptographic module? 

Validated cryptographic modules are software components (usually dlls or shared libraries) that have been validated to be FIPS 140-2 compliant.  Validation is performed by accredited labs to ensure compliance.  AbsoluteTelnet uses a validated crypto module at the heart of all SSH2 operations (see above).  More information about module validation, it's purpose and applicability can be found here.

  • Why would I need FIPS 140-2 validated software?

FIPS 140-2 validated software is REQUIRED for any government, military, or federal use by both the United States and Canada.  If encryption is in use in these environments, it MUST BE validated encryption.  Unvalidated encryption is considered to be no different than using no encryption at all.

For those of us outside of the military and government, FIPS 140-2 validation just means that we're using good secure software that has been tested and validated by a an accredited third party.  These assurances give users of AbsoluteTelnet/SSH a higher degree of security that unvalidated commercial or  Open Source products can provide.

  • What version of AbsoluteTelnet/SSH include FIPS validated encryption?

All versions of AbsoluteTelnet beginning with version 7 and above include FIPS 140-2 validated cryptography module for SSH2 communications.  All services, including X11 forwarding, port forwarding, and SFTP that use SSH2 encrypted sessions also use the FIPS 140-2 validated encryption.

  • How do I enable FIPS mode in AbsoluteTelnet/SSH?

FIPS mode can be turned on and off using the "FIPS 140-2" mode option under Options->Properties->Connection->SSH2->Encryption.  The use of this mode, however is controlled in part by options you choose at install time.  During the install, you are given a choice of three modes of operation:

  1. Enforced: All SSH2 connections will use FIPS mode.  FIPS mode cannot be disabled.
  2. Recommended:  By default, all new SSH2 connections that are created will use FIPS mode, but you can turn it off if you wish.
  3. Optional:  By default, SSH2 connections will NOT use FIPS mode unless you explicitly turn it on.


  • What restrictions does FIPS mode place on SSH2 operation?

When run in FIPS mode, AbsoluteTelnet uses only crypto algorithms available in the validated Crypto++ module.  This means that the encryption algorithm list is limited to AES and Triple-DES.  Because the SSH protocol allows encryption algorithms to be chosen on the fly and negotiated with the host, you might not even notice a difference between FIPS mode and non-FIPS mode.  If, for some reason, you require one of the other encryption algorithms supported by AbsoluteTelnet/SSH (blowfish, twofish, cast128, RC4), you must disable FIPS mode as these algorithms are not supported by the validated module.

  • Can I use SSH version 1 in FIPS mode?

No.  SSH1 is deprecated for all uses where SSH2 is available as a substitute.  SSH1 is still supplied as a supported protocol for backward compatibility, but uses a different (non validated) encryption library.  Due to the expense involved, it is not reasonable to provide FIPS certification for this module.


Last Updated on Thursday, March 05, 2009 03:57 pm  

Recent Forum Posts

info in Secure Shell by bpence, Nov 20, 2023 09:43 am
info in Secure Shell by bpence, Nov 17, 2023 09:44 am
info in AbsoluteTelnet General by bpence, Nov 14, 2023 06:55 am
info in Configuration issues by taa1, Nov 05, 2023 04:26 pm
info in Configuration issues by bpence, Aug 24, 2023 08:10 am
I have been using AbsoluteTelnet for a little over a month. We use it's SecureShell abilities as a login to our character-based applications on Linux servers. The product has performed exactly as advertised. Although I've had a few issues (i.e., not knowing how to do certain things in AbsoluteTelnet), the support has been excellent and all of the issues I've encountered have been resolved quickly. -- sywyatt