FIPS 140-2 Algorithms

The Federal Information Processing Standards (FIPS) 140-2 publication specifies the requirements for using cryptographic algorithms within a security system protecting sensitive, unclassified data. CA Single Sign-On embeds RSA's Crypto-C ME v2.0 cryptographic library, which has been validated as meeting the FIPS 140-2 Security Requirements for Cryptographic Modules. The validation certificate number for this module is 608.
CA Single Sign-On's Java-based APIs use a FIPS-compliant version of the Crypto-J cryptographic library.
CA Single Sign-On can operate in a pre-FIPS mode or in a FIPS-only mode. The cryptographic boundaries, that is, the way CA Single Sign-On applies encryption, are the same in both modes, but the algorithms are different.
In FIPS-only mode, CA Single Sign-On uses the following algorithms:
  • AES Key Wrap for key encryption.
  • AES in OFB mode (HMAC-SHA 256) for channel encryption.
  • AES in CBC mode (HMAC-SHA 224) for encrypting tokens used to facilitate single sign-on.
The CA Single Sign-On core components make extensive use of encrypted data:
  • The Web Agent encrypts:
    • Cookies using an Agent Key retrieved from the Policy Server
    • Data sent to the Policy Server using a Session Key
    • A Shared Secret using the Host Key. The encrypted Shared Secret is stored in the Host Configuration file.
  • The Policy Server encrypts:
    • Data sent to the Web Agent using a Session Key
    • The Policy Store Key using the Host Key
    • Sensitive data in the Policy Store using the Policy Store Key
    • Session Spec using the Session Ticket Key
    • Data sent to the Administrative UI using a Session Key
    • Password Services data in a user directory using the Session Ticket Key
The Policy Store Key is used to encrypt sensitive data stored in the Policy Store. It is derived from a seed string entered during the installation of the Policy Store. The Policy Store Key is also encrypted, using the Host Key, and stored in a system-local file. To support unattended operation, the Host Key is a fixed key embedded in the Policy Store code. Agents use this same Host Key mechanism to encrypt and store their copies of their Shared Secrets.
The Session Ticket Key (used by the Policy Server to form authentication tokens) and Agent Keys (primarily used by Web Agents to encrypt cookie data) are encryption keys stored in the Policy Store (or Key Store, depending on CA Single Sign-On configuration settings) in encrypted form. They are encrypted using the Policy/Key Store Key. The Key Store Key is encrypted in the Policy Store. Agent Shared Secrets (used for Agent authentication and in the TLI Handshake), along with other sensitive data, are also encrypted with the Policy Store Key and stored in the Policy Store.