
FIPS 140-3
The IBMJCEPlusFIPS cryptography module was certified for FIPS 140-3 by NIST in August 2024 and is supported on most platforms (as mentioned in the Operational environments section) for production use in IBM SDK for Java 8.0.8.30 or later.
FIPS certification
The FIPS 140-3 cryptographic security standard from the US government supersedes the previous version, the FIPS 140-2 standard. The FIPS 140-3 IBMJCEPlusFIPS cryptographic provider is fully supported for production use. The IBMJCEPlusFIPS and IBMJCEFIPS FIPS 140-2 cryptographic providers should be considered deprecated technology on platforms where FIPS 140-3 has been made available. The FIPS 140-2 cryptographic providers on those platforms will be subject to removal, and in the future these providers will be removed on all platforms, even if there is no FIPS 140-3 substitute. All products and customers will need to move to the new FIPS 140-3 IBMJCEPlusFIPS provider for their FIPS certified cryptography.
The FIPS 140-2 validation certificates for the IBM SDK are now on the historical list. The historical designation and its implication for federal agencies is shown on the NIST page for each certificate:
Historical - The referenced cryptographic module should not be included by Federal Agencies in new procurements. Agencies may make a risk determination on whether to continue using this module based on their own assessment of where and how it is used.
Operating system | FIPS-certified module | Validation certificate number | Date moved to historical list |
---|---|---|---|
Linux® on IBM® zSystems, z/OS® | IBMJCEFIPS provider | 2837 | August 2021 |
AIX®, Linux on x86 and IBM POWER® hardware, Windows | IBMJCEPlusFIPS provider (actually the IBM Crypto for C module, which is used by IBMJCEPlusFIPS) | 3064 | July 2022 |
An updated version of the IBM Crypto for C (ICC) module has been validated by NIST and certified for FIPS 140-3, confirming that it meets the FIPS 140-3 standard. The FIPS 140-3 standard is stricter than FIPS 140-2, so you might need to change your applications or configuration to move to it. Assess the changes before moving to the IBM SDK FIPS 140-3 code.
For more information about the FIPS 140-3 interim validation certificate for ICC issued by the NIST, see https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4755.
Operational environments
- AIX on 64-bit IBM POWER hardware
- Linux (Big Endian and Little Endian) on 64-bit IBM POWER hardware
- Linux on x86-64 hardware
- Windows on x86-64 hardware
Other operating systems, such as z/OS and Linux on IBM zSystems, might be added to this list in future.
Changes required to move from the FIPS 140-2 standard to FIPS 140-3
When you enable the IBMJSSE2 provider to run in FIPS mode, it uses the IBMJCEPlusFIPS provider. FIPS 140-3 contains versions of the IBMJSSE2 and IBMJCEPlusFIPS providers that are updated to use FIPS 140-3 certified cryptography. Compared to FIPS 140-2, the FIPS 140-3 standard introduces stricter requirements on entropy generation, removes weak algorithms, adds newer algorithms, and resolves many vulnerabilities.
IBMJCEPlusFIPS provider changes
- The SHA-3 algorithm is allowed for hashing and HMAC.
- The SHA-1 algorithm is not allowed for cryptographic hashing.
- DH key sizes must be 2048–8192 bits.
- DSA signatures are allowed only for the verification of signatures.
- The P-192 EC curve is not allowed for signatures or key creation.
- EC key sizes must be 224–521 bits.
- RSA key sizes must be 2048 or longer.
- The triple DES (3DES or DESede) algorithm is not allowed.
For more information about the algorithms and curves that were allowed for FIPS 140-2, see IBMJCEPlus and IBMJCEPlusFIPS providers.
TLS changes for the IBMJSSE2 provider in FIPS mode
- The TLS 1.3 protocol is allowed.
- The TLS 1.0 and 1.1 protocols are not allowed.
- DSA end-entity certificates are not allowed; you cannot use DSA certificates for client authentication.
- Existing DSA certificates and keys in a certificate chain must have a key size of 2048 bits or longer.
- DH_DSS, DHE_DSS, and RSA key exchange cipher algorithms are not allowed.
- The following EC curves are allowed: P-224, P-256, P-384, P-521.
- The P-192 EC curve is not allowed.
- DH key exchange cipher algorithms allow only the following groups: FFDHE2048, FFDHE3072, FFDHE4096, FFDHE6144, FFDHE8192.
- SHA1-signed certificates are not allowed.
- SHA1 MAC cipher suite algorithms are not allowed.
TLS requirements that still apply
The following TLS requirements that applied to FIPS 140-2 deployments that used the IBMJSSE2 provider in FIPS mode also apply to FIPS 140-3 deployments:
- Instances of the SecureRandom class must use the SHA2DRBG algorithm.
- RSA key sizes must be 2048 bits or longer.
- The following bulk encryption cipher suites are not allowed: 3DES, DES, RC4, ANON, CHACHA, NULL
- DH_DES and EXPORT key exchange ciphers are not allowed.
- DHE_RSA key exchange ciphers with AES bulk encryption are allowed.
- ECDHE_ECDSA and ECDHE_RSA key exchange cipher suites are allowed if you use only the curves and key sizes that are permitted according to the security policy (for FIPS 140-3, these are the curves and key sizes that are listed in the previous sections; permitted cipher suites are listed in the Frequently asked questions section).
- The TLS 1.2 protocol is allowed.
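The key-size, curve, DSA and SHA-1 rules in the IBMJCEPlusFIPS provider changes and TLS changes lists above translate directly into a pre-migration audit of the keystores an application loads. The following program is an added example, not IBM SDK code: it opens a keystore with the standard java.security.KeyStore API and reports every certificate that those rules would reject (RSA shorter than 2048 bits, EC keys outside 224-521 bits such as P-192, DSA end-entity certificates, DSA keys shorter than 2048 bits, and SHA-1 or MD5 signed certificates). The keystore path, password and type come from the command line; they are assumptions of the example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Pre-migration audit for the FIPS 140-3 key and certificate rules listed above.
 * Added example; not part of the IBM SDK.
 * Usage: java KeystoreFipsAudit <keystore-path> <password> [keystore-type]
 */
public class KeystoreFipsAudit {

    /** Findings for one certificate; an empty list means the rules above are satisfied. */
    public static List<String> check(X509Certificate cert, boolean endEntity) {
        List<String> findings = new ArrayList<>();
        PublicKey key = cert.getPublicKey();
        if (key instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) key).getModulus().bitLength();
            if (bits < 2048) {
                findings.add("RSA key is " + bits + " bits; 2048 or longer is required");
            }
        } else if (key instanceof ECPublicKey) {
            // Field size is the curve size: 192 for P-192, 224..521 for the allowed curves.
            int bits = ((ECPublicKey) key).getParams().getCurve().getField().getFieldSize();
            if (bits < 224 || bits > 521) {
                findings.add("EC key is " + bits + " bits; must be 224-521 (P-192 is not allowed)");
            }
        } else if (key instanceof DSAPublicKey) {
            if (endEntity) {
                findings.add("DSA end-entity certificate; DSA is allowed only for signature verification");
            }
            int bits = ((DSAPublicKey) key).getParams().getP().bitLength();
            if (bits < 2048) {
                findings.add("DSA key is " + bits + " bits; 2048 or longer is required");
            }
        }
        // Signature algorithm names look like "SHA256withRSA", "SHA1withRSA", "MD5withRSA".
        String sigAlg = cert.getSigAlgName().toUpperCase();
        if (sigAlg.startsWith("SHA1") || sigAlg.startsWith("MD")) {
            findings.add("certificate is signed with " + cert.getSigAlgName() + "; SHA-1 and MD5 signatures are not allowed");
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        String type = args.length > 2 ? args[2] : KeyStore.getDefaultType();
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        int problems = 0;
        for (String alias : Collections.list(ks.aliases())) {
            // Key entries carry a chain; trusted-certificate entries carry a single certificate.
            Certificate[] chain = ks.isKeyEntry(alias)
                    ? ks.getCertificateChain(alias)
                    : new Certificate[] { ks.getCertificate(alias) };
            if (chain == null) {
                continue;  // secret-key entry, nothing to audit here
            }
            for (int i = 0; i < chain.length; i++) {
                if (!(chain[i] instanceof X509Certificate)) {
                    continue;
                }
                X509Certificate cert = (X509Certificate) chain[i];
                // The first certificate in a key entry's chain is the end-entity certificate.
                boolean endEntity = ks.isKeyEntry(alias) && i == 0;
                for (String finding : check(cert, endEntity)) {
                    problems++;
                    System.out.println(alias + " [" + cert.getSubjectX500Principal() + "]: " + finding);
                }
            }
        }
        System.out.println(problems == 0 ? "No FIPS 140-3 key or certificate issues found."
                                         : problems + " issue(s) found; fix them before enabling FIPS 140-3 mode.");
    }
}
```

Run it against every keystore and truststore the application references (and against the JVM's cacerts if you rely on it) before switching on -Xenablefips140-3; a single sub-2048-bit RSA key or SHA-1 signed certificate in a chain is enough to make TLS handshakes fail in FIPS mode.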
Enabling the FIPS 140-3 mode
To enable the FIPS 140-3 mode, complete the following steps:
- If you use your own java.policy file instead of the file that is provided as part of the SDK (install_dir/jre/lib/security/java.policy), add the following permission to it:

    // Grant all permissions to the FIPS directories
    grant codeBase "file:${java.home}/fips${com.ibm.fips.mode}/lib/ext/*" {
        permission java.security.AllPermission;
    };

  This permission is already present in the provided java.policy file. If this permission is not present, you might see a java.lang.ExceptionInInitializerError exception and messages similar to the following examples:

    Caused by: java.security.ProviderException: Failed to initialize IBMJCEPlus provider
    Caused by: java.security.ProviderException: Access denied ("java.util.PropertyPermission" "java.home" "read")
- Ensure that you are using the IBMJCEPlusFIPS provider (this step was also required for FIPS 140-2 support). The java.security file already specifies this provider, but you can also specify providers dynamically in application code. If your application adds providers by using the addProvider or insertProviderAt methods of the Security class, ensure that your code specifies IBMJCEPlusFIPS before any other cryptographic provider.
- If you are also using the IBMJSSE2 provider, ensure that the value of the jdk.tls.ephemeralDHKeySize system property is set to 2048. This value is already set as part of the FIPS 140-3 mode. However, you can set a system property in multiple ways, for example as a command-line option. Do not override this value with a lower key size. For more information about this property, see Customizing the size of Ephemeral Diffie-Hellman Keys.
- If you are using the IBMJSSE2 provider, enable it to run in FIPS mode (this step was also required for FIPS 140-2 support) by setting the following system properties:

    com.ibm.jsse2.usefipsprovider=true
    com.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS

  You can set a system property in multiple ways, as described in How to Specify a java.lang.system Property; if you use the Java command line, combine this step with the last step. For more information about FIPS mode, see Running IBMJSSE2 in FIPS mode, but note that that topic applies to the existing FIPS 140-2 support only.
- Run your Java application, specifying the -Xenablefips140-3 command-line option to enable the FIPS 140-3 mode. For example:

    java -Xenablefips140-3 MyApp

  Or, if you are using the IBMJSSE2 provider:

    java -Dcom.ibm.jsse2.usefipsprovider=true -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS -Xenablefips140-3 MyApp
- The -Xenablefips140-3 option is available only in the environments that are listed in a previous section. In other environments, this option is not recognized and the JVM fails to start.
- You can use the com.ibm.fips.mode internal system property to check dynamically whether an application is running on a JVM where the FIPS 140-3 mode has been enabled. If com.ibm.fips.mode = 140-3, the FIPS 140-3 mode is enabled. This system property might not exist on all operating systems.
- The FIPS 140-3 mode changes the value of the java.ext.dirs system property to add the path install_dir/jre/fips140-n/lib/ext, where n is the FIPS 140 version (either 3, if you enable FIPS 140-3 mode, or 2). The FIPS 140-3 mode appends this path to the existing property value, so if you already modified the value, your changes are preserved. However, if the FIPS 140-3 mode does not work or your existing FIPS 140-2 deployment stops working, and you see a java.lang.ExceptionInInitializerError exception, check that the value of this property contains this path.
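The steps and notes above name five things that must be true once the JVM is up: com.ibm.fips.mode reports 140-3, IBMJCEPlusFIPS is the first registered provider, jdk.tls.ephemeralDHKeySize has not been lowered, the two IBMJSSE2 properties are set, and java.ext.dirs contains the fips140-3 extension directory. The following class is an added example, not IBM SDK code: it verifies all five at start-up and also shows step 2 done in code by moving an already-registered IBMJCEPlusFIPS provider to position 1. The property names and expected values are taken from the steps above; matching java.ext.dirs on the substring fips140-3 is an assumption derived from the documented install_dir/jre/fips140-n/lib/ext path.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

/**
 * Start-up self-check for the FIPS 140-3 configuration steps above.
 * Added example; not IBM SDK code. Run under the IBM SDK with -Xenablefips140-3.
 */
public class Fips140ModeCheck {

    /** Returns the problems found; an empty list means every check passed. */
    public static List<String> verify() {
        List<String> problems = new ArrayList<>();

        // Check 1: the JVM was started with -Xenablefips140-3. The property may be
        // absent on some operating systems, so a null here needs a manual follow-up.
        String mode = System.getProperty("com.ibm.fips.mode");
        if (!"140-3".equals(mode)) {
            problems.add("com.ibm.fips.mode is " + mode + ", expected 140-3");
        }

        // Check 2: IBMJCEPlusFIPS precedes every other cryptographic provider.
        Provider[] providers = Security.getProviders();
        String first = providers.length > 0 ? providers[0].getName() : "(none)";
        if (!"IBMJCEPlusFIPS".equals(first)) {
            problems.add("first provider is " + first + ", expected IBMJCEPlusFIPS");
        }

        // Check 3: jdk.tls.ephemeralDHKeySize was not overridden below 2048. FIPS 140-3
        // mode sets it, so an unset property is accepted. The property also accepts the
        // words "legacy" and "matched"; those are flagged for manual review.
        String dh = System.getProperty("jdk.tls.ephemeralDHKeySize");
        if (dh != null) {
            try {
                if (Integer.parseInt(dh) < 2048) {
                    problems.add("jdk.tls.ephemeralDHKeySize is " + dh + ", must be at least 2048");
                }
            } catch (NumberFormatException e) {
                problems.add("jdk.tls.ephemeralDHKeySize is \"" + dh + "\"; confirm it yields at least 2048");
            }
        }

        // Check 4: the IBMJSSE2 FIPS-mode properties (relevant when IBMJSSE2 is used).
        if (!"true".equals(System.getProperty("com.ibm.jsse2.usefipsprovider"))) {
            problems.add("com.ibm.jsse2.usefipsprovider is not true");
        }
        if (!"IBMJCEPlusFIPS".equals(System.getProperty("com.ibm.jsse2.usefipsProviderName"))) {
            problems.add("com.ibm.jsse2.usefipsProviderName is not IBMJCEPlusFIPS");
        }

        // Check 5: java.ext.dirs contains the fips140-3 extension directory
        // (assumed substring of install_dir/jre/fips140-3/lib/ext).
        String extDirs = System.getProperty("java.ext.dirs", "");
        if (!extDirs.contains("fips140-3")) {
            problems.add("java.ext.dirs does not contain the fips140-3 directory: " + extDirs);
        }
        return problems;
    }

    /**
     * Step 2 in code: move an already-registered IBMJCEPlusFIPS provider to position 1.
     * insertProviderAt() ignores a provider that is already installed, so it is removed first.
     * Returns false when the provider is not registered at all.
     */
    public static boolean ensureFipsProviderFirst() {
        Provider fips = Security.getProvider("IBMJCEPlusFIPS");
        if (fips == null) {
            return false;
        }
        Security.removeProvider(fips.getName());
        Security.insertProviderAt(fips, 1);
        return true;
    }

    public static void main(String[] args) {
        List<String> problems = verify();
        if (problems.isEmpty()) {
            System.out.println("FIPS 140-3 mode checks passed");
            return;
        }
        for (String p : problems) {
            System.out.println("FIPS 140-3 check failed: " + p);
        }
        System.exit(1);
    }
}
```

Call verify() early in application start-up and fail fast on a non-empty result; a JVM that silently falls back to a non-FIPS provider is the failure mode these checks exist to catch.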
Supported algorithms
The following tables show the algorithms that are currently supported when -Xenablefips140-3 is specified as an argument to the JVM.
API | Supported algorithms |
---|---|
Algorithm parameter | AES, … |
Algorithm parameter generator | … |
Cipher algorithms | AES, ChaCha20, ChaCha20-Poly1305, DESede, RSA |
Cipher modes | AES supports these modes: CBC, …; DESede supports these modes: ECB, CBC; RSA supports these modes: null, ECB, SSL |
Key agreement algorithms | DH, ECDH, XDH, X25519, X448 |
Key factory | DH, DSA, EC, EdDSA, Ed25519, Ed448, RSA, RSAPSS, XDH, X25519, X448 |
Key generator | AES, ChaCha20, DESede, HmacMD5, HmacSHA1, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512, HmacSHA3-224, HmacSHA3-256, HmacSHA3-384, HmacSHA3-512, kda-hkdf-with-sha1, kda-hkdf-with-sha224, kda-hkdf-with-sha256, kda-hkdf-with-sha384, kda-hkdf-with-sha512 |
Key pair generator | DH, DSA, EC, RSA, XDH, X25519, X448 |
Message authentication code (MAC) | HmacMD5, HmacSHA1, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512, HmacSHA3-224, HmacSHA3-256, HmacSHA3-384, HmacSHA3-512 |
Message digest | MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 |
Secret key factory | AES, ChaCha20, DESede |
Secure random | HASHDRBG, SHA256DRBG, SHA512DRBG |
Signature algorithms | EdDSA, Ed25519, Ed448, NONEwithDSA, NONEwithECDSA, NONEwithRSA, RSAPSS, SHA1withDSA, SHA224withDSA, SHA256withDSA, SHA1withECDSA, SHA224withECDSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA, SHA1withRSA, SHA224withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA3-224withDSA, SHA3-256withDSA, SHA3-384withDSA, SHA3-512withDSA, SHA3-224withECDSA, SHA3-256withECDSA, SHA3-384withECDSA, SHA3-512withECDSA, SHA3-224withRSA, SHA3-256withRSA, SHA3-384withRSA, SHA3-512withRSA |
API | Supported algorithms |
---|---|
Algorithm parameter | AES, … |
Algorithm parameter generator | … |
Cipher algorithms | AES, RSA |
Cipher modes | AES supports these modes: CBC, …; RSA supports these modes: null, ECB, SSL |
Key agreement algorithms | DH, ECDH |
Key factory | DH, DSA, EC, RSA, RSAPSS |
Key generator | AES, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512, HmacSHA3-224, HmacSHA3-256, HmacSHA3-384, HmacSHA3-512, kda-hkdf-with-sha224, kda-hkdf-with-sha256, kda-hkdf-with-sha384, kda-hkdf-with-sha512 |
Key pair generator | DH, EC, RSA |
Message authentication code (MAC) | HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512, HmacSHA3-224, HmacSHA3-256, HmacSHA3-384, HmacSHA3-512 |
Message digest | SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512 |
Secret key factory | AES |
Secure random | HASHDRBG, SHA256DRBG, SHA512DRBG |
Signature algorithms | NONEwithDSA, SHA224withDSA, SHA256withDSA, NONEwithECDSA, SHA224withECDSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA, NONEwithRSA, SHA224withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA, RSAPSS |
Known limitations
The known limitations are as follows.
- RSAPSS signature does not support RSA plain keys.
- RSAPSS supports SHA-1 (for non-FIPS providers only), SHA-224, SHA-256, SHA-384, and SHA-512 as input digest algorithms.
- CCM mode for the AES cipher does not support Cipher.update(). Only Cipher.doFinal() is supported.
Frequently asked questions
- SHA1 is not allowed in FIPS 140-3. Can SHA1 still be used to hash two files to determine whether they are the same?
- Yes. SHA1 is no longer considered secure for cryptographic operations. However, you can still use SHA1 for noncryptographic operations. For example, you can use the SHA1 algorithm (from the IBMJCE provider) to compare two documents or objects to see whether they are identical (same hashes), but you can't use it for hashing those documents for digital signature.
- What do you mean by key exchange, bulk encryption or MAC cipher suites?
- A TLS cipher suite is the set of algorithms that are used to secure network connections. In the TLS 1.2 protocol, the set of algorithms that cipher suites usually contain includes: a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm. In the cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, for example, ECDHE_RSA is the key exchange algorithm, AES_128_GCM is the bulk encryption algorithm, and SHA256 is the MAC algorithm to be used. In the TLS 1.3 protocol, the key exchange algorithm is omitted. For example, in the cipher suite TLS_AES_128_GCM_SHA256, AES_128_GCM is the bulk encryption algorithm, and SHA256 is the MAC algorithm to be used.
- What TLS protocols are allowed in the FIPS 140-3 standard?
- TLS 1.3 and TLS 1.2
- What TLS cipher suites are allowed in the FIPS 140-3 standard?
- The following suites are allowed for the TLS 1.3 protocol:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
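The FAQ answer above on how a suite name decomposes into key exchange, bulk encryption and MAC components, together with the TLS rules earlier on this page, is enough to write a filter that classifies cipher suite names. The following class is an added example, not IBM SDK code: parse() splits TLS 1.2 names of the form TLS_<kx>_WITH_<bulk>_<mac> and TLS 1.3 names of the form TLS_<bulk>_<mac>, and rejectReason() applies the page's rules (only ECDHE_ECDSA, ECDHE_RSA and DHE_RSA key exchange; only AES bulk encryption, which excludes 3DES, DES, RC4, CHACHA and NULL; no SHA1 MAC; no anonymous, DSS, RSA or EXPORT key exchange). The TLS 1.3 allow-list holds the two suites named in the FAQ; the derived TLS 1.2 rules are the example's reading of the page, not the product's authoritative list. main() runs the filter over whatever the current JVM's default SSLContext supports.

```java
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

/**
 * Classifies TLS cipher suite names against the FIPS 140-3 rules on this page.
 * Added example; not IBM SDK code.
 */
public class FipsCipherSuiteFilter {

    // Key exchange algorithms the page allows; DH_DSS, DHE_DSS, RSA, anon and EXPORT are excluded.
    static final List<String> ALLOWED_KX = Arrays.asList("ECDHE_ECDSA", "ECDHE_RSA", "DHE_RSA");
    // MAC algorithms; "SHA" (SHA1) and MD5 are excluded.
    static final List<String> ALLOWED_MAC = Arrays.asList("SHA256", "SHA384");
    // The TLS 1.3 suites named in the FAQ above.
    static final List<String> TLS13_ALLOWED = Arrays.asList("TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384");

    /**
     * Returns {keyExchange, bulk, mac}; keyExchange is "" for TLS 1.3 names.
     * Returns null for names that are not TLS_ cipher suites.
     */
    public static String[] parse(String suite) {
        if (!suite.startsWith("TLS_")) {
            return null;  // SSL_-prefixed names are SSLv3-era suites
        }
        String body = suite.substring("TLS_".length());
        String kx = "";
        int with = body.indexOf("_WITH_");
        if (with >= 0) {
            kx = body.substring(0, with);                    // e.g. ECDHE_RSA
            body = body.substring(with + "_WITH_".length());  // e.g. AES_128_GCM_SHA256
        }
        int cut = body.lastIndexOf('_');
        if (cut < 0) {
            return null;
        }
        return new String[] { kx, body.substring(0, cut), body.substring(cut + 1) };
    }

    /** The reason a suite is rejected, or null when it satisfies the page's rules. */
    public static String rejectReason(String suite) {
        if (suite.endsWith("_SCSV")) {
            return "signalling value, not a cipher suite";
        }
        String[] p = parse(suite);
        if (p == null) {
            return "not a TLS_ cipher suite name";
        }
        if (p[0].isEmpty()) {
            return TLS13_ALLOWED.contains(suite) ? null : "TLS 1.3 suite not in the allowed list";
        }
        if (!ALLOWED_KX.contains(p[0])) {
            return "key exchange " + p[0] + " is not allowed";
        }
        if (!p[1].startsWith("AES_")) {
            return "bulk cipher " + p[1] + " is not allowed (only AES)";
        }
        if (!ALLOWED_MAC.contains(p[2])) {
            return "MAC " + p[2] + " is not allowed";
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Classify everything the running JVM's default SSLContext can negotiate.
        String[] suites = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        for (String suite : suites) {
            String why = rejectReason(suite);
            System.out.println((why == null ? "ALLOWED  " : "REJECTED ") + suite
                    + (why == null ? "" : "  (" + why + ")"));
        }
    }
}
```

With these rules, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 pass, while TLS_RSA_WITH_AES_128_GCM_SHA256 (RSA key exchange), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (SHA1 MAC) and TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (non-AES bulk cipher) are rejected with the reason printed. Note that ECDHE suites pass this name-level check regardless of curve; the curve restriction (P-224 to P-521 only) is enforced separately by the provider.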
