
FIPS 140-3

The IBMJCEPlusFIPS cryptography module was certified for FIPS 140-3 by NIST in August 2024 and is supported on most platforms (as mentioned in the Operational environments section) for production use in IBM SDK for Java 8.0.8.30 or later.

FIPS certification

The FIPS 140-3 cryptographic security standard from the US government supersedes the previous version, FIPS 140-2. The FIPS 140-3 IBMJCEPlusFIPS cryptographic provider is fully supported for production use. The IBMJCEPlusFIPS and IBMJCEFIPS FIPS 140-2 cryptographic providers should be considered deprecated technology on platforms where FIPS 140-3 has been made available. The FIPS 140-2 cryptographic providers on those platforms will be subject to removal, and in future these providers will be removed on all platforms, even where there is no FIPS 140-3 substitute. All products and customers will need to move to the new FIPS 140-3 IBMJCEPlusFIPS provider for their FIPS-certified cryptography.

The FIPS 140-2 validation certificates for the IBM SDK are now on the historical list. The historical designation and its implication for federal agencies is shown on the NIST page for each certificate:

Historical - The referenced cryptographic module should not be included by Federal Agencies in new procurements. Agencies may make a risk determination on whether to continue using this module based on their own assessment of where and how it is used.

The IBM SDK has multiple certificates because different cryptographic modules are validated for meeting FIPS 140 requirements, depending on the operating system:

Table 1. FIPS 140-2 certificates for the IBM SDK
  • Linux® on IBM® zSystems, z/OS®: IBMJCEFIPS provider; validation certificate number 2837; moved to the historical list in August 2021.
  • AIX®, Linux on x86 and IBM POWER® hardware, Windows: IBMJCEPlusFIPS provider (actually the IBM Crypto for C module, which is used by IBMJCEPlusFIPS); validation certificate number 3064; moved to the historical list in July 2022.

(The IBMJCEPlusFIPS provider superseded the IBMJCEFIPS provider but is not yet supported on z/OS.)

An updated version of the IBM Crypto for C (ICC) module has been validated by NIST and certified for FIPS 140-3, confirming that it meets the FIPS 140-3 standard. The FIPS 140-3 standard is stricter than FIPS 140-2, so you might need to change your applications or configuration to move to it. Assess the changes before moving to the IBM SDK FIPS 140-3 code.

For more information about the FIPS 140-3 interim validation certificate for ICC issued by the NIST, see https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4755.

Operational environments

You can enable FIPS 140-3 on the following environments only:
  • AIX on 64-bit IBM POWER hardware
  • Linux (Big Endian and Little Endian) on 64-bit IBM POWER hardware
  • Linux on x86-64 hardware
  • Windows on x86-64 hardware

Other operating systems, such as z/OS and Linux on IBM zSystems, might be added to this list in future.

Note: The FIPS 140-3 security policy does not permit the use of the IBMJCEPlusFIPS provider on 32-bit operating systems. This limitation might change in the future.

Changes required to move from the FIPS 140-2 standard to FIPS 140-3

When you enable the IBMJSSE2 provider to run in FIPS mode, it uses the IBMJCEPlusFIPS provider. FIPS 140-3 contains versions of the IBMJSSE2 and IBMJCEPlusFIPS providers that are updated to use FIPS 140-3 certified cryptography. Compared to FIPS 140-2, the FIPS 140-3 standard introduces stricter requirements on entropy generation, removes weak algorithms, adds newer algorithms, and resolves many vulnerabilities.

It is your responsibility to use these providers in accordance with the security policy of the FIPS 140-3 certificate. For example, where your application code uses algorithms for cryptographic purposes, it must use only algorithms that are permitted by the security policy. Because the validation process is ongoing, the security policy document is not yet available. However, the known modifications that are required to move from the FIPS 140-2 standard to FIPS 140-3 are listed in the following sections.
Note: If you are using SP800-131A support, be aware that this support is affected by the changes to the IBMJCEPlusFIPS provider. For more information about SP800-131A support, see SP800-131A Compliance.
IBMJCEPlusFIPS provider changes
  • The SHA-3 algorithm is allowed for hashing and HMAC.
  • The SHA-1 algorithm is not allowed for cryptographic hashing.
  • DH key sizes must be 2048–8192 bits.
  • DSA signatures are allowed only for the verification of signatures.
  • The P-192 EC curve is not allowed for signatures or key creation.
  • EC key sizes must be 224–521 bits.
  • RSA key sizes must be 2048 or longer.
  • The triple DES (3DES or DESede) algorithm is not allowed.

For more information about the algorithms and curves that were allowed for FIPS 140-2, see IBMJCEPlus and IBMJCEPlusFIPS providers.
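The key-size and algorithm rules in the list above are the ones most likely to surface as runtime failures after you switch to the FIPS 140-3 provider. The following is an added example, not code from the IBM SDK, that checks application keys against those rules and probes the provider for the algorithms the list says are removed, so the failures show up in a preflight check rather than in production. The provider name IBMJCEPlusFIPS is from this page; the class and method names are the example's own, and the EC check treats any key whose curve order is outside 224 to 521 bits (which covers P-192) as disallowed.

```java
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.interfaces.DSAKey;
import java.security.interfaces.DSAPrivateKey;
import java.security.interfaces.ECKey;
import java.security.interfaces.RSAKey;
import java.security.spec.ECParameterSpec;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.interfaces.DHKey;

/** Added example (not IBM's code): preflight checks for the FIPS 140-3 rules listed on this page. */
public class Fips1403KeyPolicy {

    /** Returns null if the key satisfies the page's FIPS 140-3 rules, otherwise a reason. */
    public static String checkKey(Key key) {
        if (key instanceof RSAKey) {
            int bits = ((RSAKey) key).getModulus().bitLength();
            return bits >= 2048 ? null : "RSA key is " + bits + " bits; 2048 or longer is required";
        }
        if (key instanceof ECKey) {
            ECParameterSpec spec = ((ECKey) key).getParams();
            // Curve order size: 192 bits for P-192, 224 for P-224, up to 521 for P-521
            int bits = spec.getOrder().bitLength();
            if (bits < 224 || bits > 521) {
                return "EC key is " + bits + " bits; 224 to 521 is required (P-192 is not allowed)";
            }
            return null;
        }
        if (key instanceof DHKey) {
            int bits = ((DHKey) key).getParams().getP().bitLength();
            return (bits >= 2048 && bits <= 8192) ? null
                    : "DH key is " + bits + " bits; 2048 to 8192 is required";
        }
        if (key instanceof DSAKey) {
            // DSA may only verify signatures; a private key implies signing
            return key instanceof DSAPrivateKey
                    ? "DSA private key present; DSA is allowed for verification only" : null;
        }
        return null; // no size rule on this page applies to other key types
    }

    private interface Probe { Object get() throws Exception; }

    private static boolean canGet(Probe p) {
        try { p.get(); return true; } catch (Exception e) { return false; }
    }

    /** Reports which of the page's removed (and one added) algorithms the named provider offers. */
    public static Map<String, Boolean> probeAlgorithms(String providerName) {
        Map<String, Boolean> available = new LinkedHashMap<>();
        available.put("MessageDigest SHA-1 (not allowed)",
                canGet(() -> MessageDigest.getInstance("SHA-1", providerName)));
        available.put("Cipher DESede (not allowed)",
                canGet(() -> Cipher.getInstance("DESede/CBC/PKCS5Padding", providerName)));
        available.put("MessageDigest SHA3-256 (allowed)",
                canGet(() -> MessageDigest.getInstance("SHA3-256", providerName)));
        return available;
    }

    public static void main(String[] args) throws Exception {
        String provider = args.length > 0 ? args[0] : "IBMJCEPlusFIPS";
        // Constructed sample key: a 3072-bit RSA pair, which the policy accepts
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        KeyPair kp = kpg.generateKeyPair();
        String verdict = checkKey(kp.getPublic());
        System.out.println("RSA-3072: " + (verdict == null ? "acceptable" : verdict));
        probeAlgorithms(provider).forEach((name, ok) ->
                System.out.println(name + ": " + (ok ? "available" : "not available")));
    }
}
```

Run it under -Xenablefips140-3 and the SHA-1 and DESede probes should report "not available"; if they report "available", the JVM is not actually using the FIPS 140-3 provider. The checkKey method can be applied to every key loaded from a keystore before the application starts using it.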

TLS changes for the IBMJSSE2 provider in FIPS mode
  • The TLS 1.3 protocol is allowed.
  • The TLS 1.0 and 1.1 protocols are not allowed.
  • DSA end-entity certificates are not allowed; you cannot use DSA certificates for client authentication.
  • Existing DSA certificates and keys in a certificate chain must have a key size of 2048 bits or longer.
  • DH_DSS, DHE_DSS, and RSA key exchange cipher algorithms are not allowed.
  • The following EC curves are allowed: P-224, P-256, P-384, P-521.
  • The P-192 EC curve is not allowed.
  • DH key exchange cipher algorithms allow only the following groups: FFDHE2048, FFDHE3072, FFDHE4096, FFDHE6144, FFDHE8192.
  • SHA1-signed certificates are not allowed.
  • SHA1 MAC cipher suite algorithms are not allowed.
TLS requirements that still apply
The following TLS requirements that applied to FIPS 140-2 deployments that used the IBMJSSE2 provider in FIPS mode also apply to FIPS 140-3 deployments:
  • Instances of the SecureRandom class must use the SHA2DRBG algorithm.
  • RSA key sizes must be 2048 bits or longer.
  • The following bulk encryption cipher suites are not allowed: 3DES, DES, RC4, ANON, CHACHA, NULL.
  • DH_DES and EXPORT key exchange ciphers are not allowed.
  • DHE_RSA key exchange ciphers with AES bulk encryption are allowed.
  • ECDHE_ECDSA and ECDHE_RSA key exchange cipher suites are allowed if you use only the curves and key sizes that are permitted according to the security policy (for FIPS 140-3, these are the curves and key sizes that are listed in the previous sections; permitted cipher suites are listed in the Frequently asked questions section).
  • The TLS 1.2 protocol is allowed.

Enabling the FIPS 140-3 mode

Note: The FIPS 140-3 mode uses a different java.security file from the existing one that is mentioned in How to Specify a java.security.Security Property. If you need to update a java.security file, ensure that you update the correct one. The file that is used by the FIPS 140-3 mode is install_dir/jre/fips140-3/lib/security/java.security. This file contains the changes that are required to satisfy the expected FIPS 140-3 security policy; if you change this file, be careful not to remove any FIPS 140-3 changes.

To enable the FIPS 140-3 mode, complete the following steps:

  1. If you use your own java.policy file instead of the file that is provided as part of the SDK (install_dir/jre/lib/security/java.policy), add the following permission to it:
    // Grant all permissions to the FIPS directories
    grant codeBase "file:${java.home}/fips${com.ibm.fips.mode}/lib/ext/*" {
        permission java.security.AllPermission;
    };
    
    This permission is already present in the provided java.policy file. If this permission is not present, you might see a java.lang.ExceptionInInitializerError exception and messages similar to the following examples:
    Caused by: java.security.ProviderException: Failed to initialize IBMJCEPlus provider
    Caused by: java.security.ProviderException: Access denied ("java.util.PropertyPermission" "java.home" "read")
  2. Ensure that you are using the IBMJCEPlusFIPS provider (this step was also required for FIPS 140-2 support). The java.security file already specifies this provider but you can also specify providers dynamically in application code. If your application adds providers by using the addProvider or insertProviderAt methods of the Security class, ensure that your code specifies IBMJCEPlusFIPS before any other cryptographic provider.
  3. If you are also using the IBMJSSE2 provider, ensure that the value of the jdk.tls.ephemeralDHKeySize system property is set to 2048. This value is already set as part of the FIPS 140-3 mode. However, you can set a system property in multiple ways, for example as a command-line option. Do not override this value with a lower key size. For more information about this property, see Customizing the size of Ephemeral Diffie-Hellman Keys.
  4. If you are using the IBMJSSE2 provider, enable it to run in FIPS mode (this step was also required for FIPS 140-2 support) by setting the following system properties:
    com.ibm.jsse2.usefipsprovider=true
    com.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS
    You can set a system property in multiple ways, as described in How to Specify a java.lang.system Property; if you use the Java command line, combine this step with the last step. For more information about FIPS mode, see Running IBMJSSE2 in FIPS mode, but note that this topic applies to the existing FIPS 140-2 support only.
  5. Run your Java application, specifying the -Xenablefips140-3 command-line option to enable the FIPS 140-3 mode. For example:
    java -Xenablefips140-3 MyApp
    Or, if you are using the IBMJSSE2 provider:
    java -Dcom.ibm.jsse2.usefipsprovider=true -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS -Xenablefips140-3 MyApp
Notes:
  • The -Xenablefips140-3 option is available only in the environments that are listed in a previous section. In other environments, this option is not recognized and the JVM fails to start.
  • You can use the com.ibm.fips.mode internal system property to check dynamically whether an application is running on a JVM where the FIPS 140-3 mode has been enabled: if the value of com.ibm.fips.mode is 140-3, the FIPS 140-3 mode is enabled. This system property might not exist on all operating systems.
  • The FIPS 140-3 mode changes the value of the java.ext.dirs system property to add the path install_dir/jre/fips140-n/lib/ext, where n is the FIPS 140 version (either 3, if you enable FIPS 140-3 mode, or 2). The FIPS 140-3 mode appends this path to the existing property value so if you already modified the value, your changes are preserved. However, if the FIPS 140-3 mode does not work or your existing FIPS 140-2 deployment stops working, and you see a java.lang.ExceptionInInitializerError exception, check that the value of this property contains this path.
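The steps and notes above each describe a setting that can silently be wrong (a missing -Xenablefips140-3 option, a provider registered ahead of IBMJCEPlusFIPS, a java.ext.dirs value that lost the FIPS path, an ephemeralDHKeySize override). The following is an added example, not code from the IBM SDK, that verifies all of them at application startup and refuses to continue otherwise. The property names, provider name and path layout are taken from this page; the example assumes, as step 2 reads, that IBMJCEPlusFIPS should be the first registered provider, and the class and method names are its own.

```java
import java.io.File;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Properties;

/** Added example (not IBM's code): startup verification of the FIPS 140-3 mode settings listed on this page. */
public class Fips1403StartupCheck {

    /** Returns the problems found; an empty list means the FIPS 140-3 setup is in effect. */
    public static List<String> findings(Properties sys, Provider[] providers) {
        List<String> problems = new ArrayList<>();

        // Notes: the internal property reports which FIPS 140 mode was enabled
        String mode = sys.getProperty("com.ibm.fips.mode");
        if (!"140-3".equals(mode)) {
            problems.add("com.ibm.fips.mode is " + mode + ", expected 140-3 (was -Xenablefips140-3 passed?)");
        }

        // Notes: java.ext.dirs must contain install_dir/jre/fips140-3/lib/ext
        String expectedExt = sys.getProperty("java.home", "") + File.separator + "fips140-3"
                + File.separator + "lib" + File.separator + "ext";
        List<String> extDirs = Arrays.asList(sys.getProperty("java.ext.dirs", "").split(File.pathSeparator));
        if (!extDirs.contains(expectedExt)) {
            problems.add("java.ext.dirs does not contain " + expectedExt);
        }

        // Step 2: IBMJCEPlusFIPS must come before any other cryptographic provider
        if (providers.length == 0 || !"IBMJCEPlusFIPS".equals(providers[0].getName())) {
            problems.add("IBMJCEPlusFIPS is not the first registered provider");
        }

        // Step 4: IBMJSSE2 must be told to use the FIPS provider
        if (!"true".equals(sys.getProperty("com.ibm.jsse2.usefipsprovider"))) {
            problems.add("com.ibm.jsse2.usefipsprovider is not true");
        }
        if (!"IBMJCEPlusFIPS".equals(sys.getProperty("com.ibm.jsse2.usefipsProviderName"))) {
            problems.add("com.ibm.jsse2.usefipsProviderName is not IBMJCEPlusFIPS");
        }

        // Step 3: the ephemeral DH key size must not have been overridden below 2048
        String dh = sys.getProperty("jdk.tls.ephemeralDHKeySize");
        if (dh != null) {
            try {
                if (Integer.parseInt(dh.trim()) < 2048) {
                    problems.add("jdk.tls.ephemeralDHKeySize is " + dh + ", must be 2048");
                }
            } catch (NumberFormatException e) {
                problems.add("jdk.tls.ephemeralDHKeySize has a non-numeric value: " + dh);
            }
        }
        return problems;
    }

    public static void main(String[] args) {
        // Step 2: if other code registered providers first, move IBMJCEPlusFIPS back to the front
        Provider fips = Security.getProvider("IBMJCEPlusFIPS");
        if (fips != null && Security.getProviders()[0] != fips) {
            Security.removeProvider(fips.getName());
            Security.insertProviderAt(fips, 1);
        }
        List<String> problems = findings(System.getProperties(), Security.getProviders());
        if (problems.isEmpty()) {
            System.out.println("FIPS 140-3 mode checks passed");
        } else {
            problems.forEach(p -> System.out.println("FIPS 140-3 check failed: " + p));
            System.exit(1);
        }
    }
}
```

Calling findings() from a static initializer of the application's main class, or from this main before the real work starts, turns the java.lang.ExceptionInInitializerError described in the notes into a readable message that names the setting to fix.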

Supported algorithms

The following tables show the algorithms that are currently supported when -Xenablefips140-3 is specified as an argument to the JVM.

Table 2. Algorithms supported by the IBMJCEPlus provider
  • Algorithm parameter: AES, CCM, ChaCha20, ChaCha20-Poly1305, DESede, DH, DSA, EC, GCM, OAEP, RSAPSS
  • Algorithm parameter generator: CCM, DH, DSA, EC, GCM
  • Cipher algorithms: AES, ChaCha20, ChaCha20-Poly1305, DESede, RSA
  • Cipher modes: AES supports CBC, CCM, CFB8, CFB128, CFB, CTR, ECB, GCM, OFB; DESede supports ECB, CBC; RSA supports null, ECB, SSL
  • Key agreement algorithms: DH, ECDH, XDH, X25519, X448
  • Key factory: DH, DSA, EC, EdDSA, Ed25519, Ed448, RSA, RSAPSS, XDH, X25519, X448
  • Key generator: AES, ChaCha20, DESede, HmacMD5, HmacSHA1, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512, HmacSHA3-224, HmacSHA3-256, HmacSHA3-384, HmacSHA3-512, kda-hkdf-with-sha1, kda-hkdf-with-sha224, kda-hkdf-with-sha256, kda-hkdf-with-sha384, kda-hkdf-with-sha512
  • Key pair generator: DH, DSA, EC, RSA, XDH, X25519, X448
  • Message authentication code (MAC): HmacMD5, HmacSHA1, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512, HmacSHA3-224, HmacSHA3-256, HmacSHA3-384, HmacSHA3-512
  • Message digest: MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512
  • Secret key factory: AES, ChaCha20, DESede
  • Secure random: HASHDRBG, SHA256DRBG, SHA512DRBG
  • Signature algorithms: EdDSA, Ed25519, Ed448, NONEwithDSA, NONEwithECDSA, NONEwithRSA, RSAPSS, SHA1withDSA, SHA224withDSA, SHA256withDSA, SHA1withECDSA, SHA224withECDSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA, SHA1withRSA, SHA224withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA3-224withDSA, SHA3-256withDSA, SHA3-384withDSA, SHA3-512withDSA, SHA3-224withECDSA, SHA3-256withECDSA, SHA3-384withECDSA, SHA3-512withECDSA, SHA3-224withRSA, SHA3-256withRSA, SHA3-384withRSA, SHA3-512withRSA
Table 3. Algorithms supported by the IBMJCEPlusFIPS provider
  • Algorithm parameter: AES, CCM, DH, DSA, EC, GCM, OAEP, RSAPSS
  • Algorithm parameter generator: CCM, DH, DSA, EC, GCM
  • Cipher algorithms: AES, RSA
  • Cipher modes: AES supports CBC, CCM, CFB8, CFB128, CFB, CTR, ECB, GCM, OFB; RSA supports null, ECB, SSL
  • Key agreement algorithms: DH, ECDH
  • Key factory: DH, DSA, EC, RSA, RSAPSS
  • Key generator: AES, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512, HmacSHA3-224, HmacSHA3-256, HmacSHA3-384, HmacSHA3-512, kda-hkdf-with-sha224, kda-hkdf-with-sha256, kda-hkdf-with-sha384, kda-hkdf-with-sha512
  • Key pair generator: DH, EC, RSA
  • Message authentication code (MAC): HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512, HmacSHA3-224, HmacSHA3-256, HmacSHA3-384, HmacSHA3-512
  • Message digest: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512
  • Secret key factory: AES
  • Secure random: HASHDRBG, SHA256DRBG, SHA512DRBG
  • Signature algorithms: NONEwithDSA, SHA224withDSA, SHA256withDSA, NONEwithECDSA, SHA224withECDSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA, NONEwithRSA, SHA224withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA, RSAPSS

Known limitations

The known limitations are as follows.

  • RSAPSS signature does not support RSA plain keys.
  • RSAPSS supports SHA-1 (for non-FIPS providers only), SHA-224, SHA-256, SHA-384, and SHA-512 as input digest algorithms.
  • CCM mode for the AES cipher does not support Cipher.update(). Only Cipher.doFinal() is supported.

Frequently asked questions

SHA1 is not allowed in FIPS 140-3. Can SHA1 still be used to hash two files to determine whether they are the same?
Yes. SHA1 is no longer considered secure for cryptographic operations. However, you can still use SHA1 for noncryptographic operations. For example, you can use the SHA1 algorithm (from the IBMJCE provider) to compare two documents or objects to see whether they are identical (same hashes), but you can't use it for hashing those documents for digital signature.
What do you mean by key exchange, bulk encryption or MAC cipher suites?
A TLS cipher suite is the set of algorithms that are used to secure network connections. In the TLS 1.2 protocol, the set of algorithms that cipher suites usually contain includes: a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm. In the cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, for example, ECDHE_RSA is the key exchange algorithm, AES_128_GCM is the bulk encryption algorithm, and SHA256 is the MAC algorithm to be used. In the TLS 1.3 protocol, the key exchange algorithm is omitted. For example, in the cipher suite TLS_AES_128_GCM_SHA256, AES_128_GCM is the bulk encryption algorithm, and SHA256 is the MAC algorithm to be used.
What TLS protocols are allowed in the FIPS 140-3 standard?
TLS 1.3 and TLS 1.2
What TLS cipher suites are allowed in the FIPS 140-3 standard?
The following suites are allowed for the TLS 1.3 protocol:
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
The following suites are allowed for the TLS 1.2 protocol:
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
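The TLS rules in the "TLS changes for the IBMJSSE2 provider in FIPS mode" and "TLS requirements that still apply" sections, together with the protocol and cipher suite lists in these answers, can be enforced from application code rather than left to the runtime defaults. The following is an added example, not code from the IBM SDK, that builds an SSLContext from IBMJSSE2 seeded with the SHA2DRBG SecureRandom the page requires, restricts it to TLS 1.3 and TLS 1.2 and to the suites listed above, and reports any default suite that falls outside that list. The provider and algorithm names (IBMJSSE2, IBMJCEPlusFIPS, SHA2DRBG) and the suite names are from this page; the class and method names are the example's own.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Added example (not IBM's code): TLS settings limited to what this page lists as allowed under FIPS 140-3. */
public class Fips1403TlsConfig {

    static final String[] ALLOWED_PROTOCOLS = { "TLSv1.3", "TLSv1.2" };

    // Suite names copied from the FAQ lists on this page, in preference order
    static final Set<String> ALLOWED_SUITES = new LinkedHashSet<>(Arrays.asList(
        "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"));

    /** Suites the runtime supports that are also allowed, kept in the allowed list's order. */
    public static String[] selectSuites(String[] supported) {
        Set<String> have = new LinkedHashSet<>(Arrays.asList(supported));
        List<String> out = new ArrayList<>();
        for (String s : ALLOWED_SUITES) {
            if (have.contains(s)) out.add(s);
        }
        return out.toArray(new String[0]);
    }

    /** Suites in an enabled set that the policy does not permit; useful for auditing the defaults. */
    public static List<String> notPermitted(String[] enabled) {
        List<String> out = new ArrayList<>();
        for (String s : enabled) {
            if (!ALLOWED_SUITES.contains(s)) out.add(s);
        }
        return out;
    }

    /** SSLContext from IBMJSSE2, seeded with the SHA2DRBG SecureRandom from the FIPS provider. */
    public static SSLContext buildContext() throws Exception {
        SecureRandom rng = SecureRandom.getInstance("SHA2DRBG", "IBMJCEPlusFIPS");
        SSLContext ctx = SSLContext.getInstance("TLS", "IBMJSSE2");
        ctx.init(null, null, rng); // default key and trust managers
        return ctx;
    }

    /** Parameters limited to the allowed protocols and suites; apply with SSLSocket.setSSLParameters. */
    public static SSLParameters restrictedParameters(SSLContext ctx) {
        SSLParameters p = ctx.getDefaultSSLParameters();
        p.setProtocols(ALLOWED_PROTOCOLS);
        p.setCipherSuites(selectSuites(ctx.getSupportedSSLParameters().getCipherSuites()));
        return p;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext();
        List<String> extra = notPermitted(ctx.getDefaultSSLParameters().getCipherSuites());
        System.out.println("Default suites outside the FIPS 140-3 list: " + extra);
        SSLParameters p = restrictedParameters(ctx);
        System.out.println("Protocols: " + Arrays.toString(p.getProtocols()));
        System.out.println("Suites: " + Arrays.toString(p.getCipherSuites()));
        SSLSocketFactory factory = ctx.getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) { // unconnected; no host contacted
            socket.setSSLParameters(p); // only the allowed protocols and suites can now be negotiated
        }
    }
}
```

Under -Xenablefips140-3 with IBMJSSE2 in FIPS mode the notPermitted list should already be empty; a non-empty list when the application is started without those settings is a quick way to see which suites the explicit restriction is protecting against. The same SSLParameters can be applied to an SSLServerSocket or an SSLEngine.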