
FIPS 140-3 evaluation technology

The FIPS 140-2 cryptographic security standard from the US government is superseded by a later version, FIPS 140-3. FIPS 140-3 validation is ongoing for one of the security components in the IBM SDK. In the meantime, this unsupported technology preview is available for users who have existing FIPS 140-2 deployments to assess the changes that are required to those deployments to move to the FIPS 140-3 standard.

The technology preview is for evaluation purposes only and is provided subject to the following disclaimer:

Disclaimer: The code and application programming interfaces herein are technology preview information that might not be made generally available by IBM as or in a product. You are permitted to use the information only for internal use for evaluation purposes and not for use in a production environment. IBM provides the information without obligation of support and "as is" without warranty of any kind.

The existing support for the FIPS 140-2 standard is unchanged as of now.

Note: The IBMJCEPlusFIPS and IBMJCEFIPS FIPS 140-2 cryptographic providers should be considered deprecated technology on platforms where FIPS 140-3 will be made available. Once the FIPS 140-3 IBMJCEPlusFIPS cryptographic provider is fully supported for production use, the FIPS 140-2 cryptographic providers on those platforms will be subject to removal in the future. All products and customers will need to move to the new FIPS 140-3 IBMJCEPlusFIPS provider for their FIPS-certified cryptography.

FIPS certification

The FIPS 140-2 validation certificates for the IBM SDK are now on the historical list. The historical designation and its implication for federal agencies is shown on the NIST page for each certificate:

Historical - The referenced cryptographic module should not be included by Federal Agencies in new procurements. Agencies may make a risk determination on whether to continue using this module based on their own assessment of where and how it is used.

The IBM SDK has multiple certificates because different cryptographic modules are validated for meeting FIPS 140 requirements, depending on the operating system:
Table 1. FIPS 140-2 certificates for the IBM SDK
Operating system | FIPS-certified module | Validation certificate number | Date moved to historical list
Linux® on IBM® zSystems, z/OS® | IBMJCEFIPS provider | 2837 | August 2021
AIX®, Linux on x86 and IBM POWER® hardware, Windows | IBMJCEPlusFIPS provider (actually the IBM Crypto for C module, which is used by IBMJCEPlusFIPS) | 3064 | July 2022
(The IBMJCEPlusFIPS provider superseded the IBMJCEFIPS provider but is not yet supported on z/OS.)

An updated version of the IBM Crypto for C module is being validated for meeting FIPS 140-3 requirements. The FIPS 140-3 standard is stricter than FIPS 140-2, so you might need to change your applications or configuration to move to it. Use this technology preview to assess these changes before the IBM SDK FIPS 140-3 code is released for use in production environments.

Operational environments

You can enable the technology preview on the following environments only:
  • AIX on 64-bit IBM POWER hardware
  • Linux (Big Endian and Little Endian) on 64-bit IBM POWER hardware
  • Linux on x86-64 hardware
  • Windows on x86-64 hardware

Other operating systems, such as z/OS and Linux on IBM zSystems, might be added to this list in future.

Note: The FIPS 140-3 security policy does not permit the use of the IBMJCEPlusFIPS provider on 32-bit operating systems. This limitation might change in the future.

Changes required to move from the FIPS 140-2 standard to FIPS 140-3

When you enable the IBMJSSE2 provider to run in FIPS mode, it uses the IBMJCEPlusFIPS provider. This technology preview contains versions of the IBMJSSE2 and IBMJCEPlusFIPS providers that are updated to use FIPS 140-3 certified cryptography. Compared to FIPS 140-2, the FIPS 140-3 standard introduces stricter requirements on entropy generation, removes weak algorithms, adds newer algorithms, and resolves many vulnerabilities.

It is your responsibility to use these providers in accordance with the security policy of the FIPS 140-3 certificate. For example, where your application code uses algorithms for cryptographic purposes, it must use only algorithms that are permitted by the security policy. Because the validation process is ongoing, the security policy document is not yet available. However, the known modifications that are required to move from the FIPS 140-2 standard to FIPS 140-3 are listed in the following sections.
Notes:
  • Because the FIPS 140-3 certification is ongoing, this list is not exhaustive and is subject to change.
  • If you are using SP800-131A support, be aware that this support is affected by the changes to the IBMJCEPlusFIPS provider. For more information about SP800-131A support, see SP800-131A Compliance.
IBMJCEPlusFIPS provider changes
  • The SHA-3 algorithm is allowed for hashing and HMAC.
  • The SHA-1 algorithm is not allowed for cryptographic hashing.
  • DH key sizes must be 2048–8192 bits.
  • DSA signatures are allowed only for the verification of signatures.
  • The P-192 EC curve is not allowed for signatures or key creation.
  • EC key sizes must be 224–521 bits.
  • RSA key sizes must be 2048 or longer.
  • The triple DES (3DES or DESede) algorithm is not allowed.

For more information about the algorithms and curves that were allowed for FIPS 140-2, see IBMJCEPlus and IBMJCEPlusFIPS providers.
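To assess an existing FIPS 140-2 deployment against the provider changes listed above, the following added example (not part of the IBM SDK or its documentation) probes the IBMJCEPlusFIPS provider for each algorithm use that FIPS 140-3 removes or restricts and reports whether the provider rejects it. It assumes the JVM was started with -Xenablefips140-3 so that the provider is registered; the probe labels and the Fips140_3Probe class name are the example's own.

```java
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.Mac;

/** Probes algorithm uses that FIPS 140-3 removes or restricts, against the IBMJCEPlusFIPS provider. */
public class Fips140_3Probe {
    static final String PROVIDER = "IBMJCEPlusFIPS";

    /** One probe: an action that throws if the provider rejects the use. */
    interface Probe { void run(Provider p) throws GeneralSecurityException; }

    static final Map<String, Probe> PROBES = new LinkedHashMap<>();
    static {
        PROBES.put("SHA-1 message digest", p -> MessageDigest.getInstance("SHA-1", p));
        PROBES.put("HmacSHA1 MAC", p -> Mac.getInstance("HmacSHA1", p));
        PROBES.put("Triple DES (DESede) cipher", p -> Cipher.getInstance("DESede/CBC/PKCS5Padding", p));
        // DSA is allowed only for verification, so DSA key pair generation must be absent.
        PROBES.put("DSA key pair generation", p -> KeyPairGenerator.getInstance("DSA", p));
        PROBES.put("EC P-192 key pair", p -> {
            KeyPairGenerator g = KeyPairGenerator.getInstance("EC", p);
            g.initialize(new ECGenParameterSpec("secp192r1"));   // P-192 is not allowed
            g.generateKeyPair();
        });
        PROBES.put("RSA 1024-bit key pair", p -> {
            KeyPairGenerator g = KeyPairGenerator.getInstance("RSA", p);
            g.initialize(1024);                                   // RSA must be 2048 or longer
            g.generateKeyPair();
        });
        PROBES.put("DH 1024-bit key pair", p -> {
            KeyPairGenerator g = KeyPairGenerator.getInstance("DH", p);
            g.initialize(1024);                                   // DH must be 2048 to 8192 bits
            g.generateKeyPair();
        });
    }

    /** Returns, per probe, true if the provider rejected it (the behaviour FIPS 140-3 requires). */
    public static Map<String, Boolean> run(Provider p) {
        Map<String, Boolean> results = new LinkedHashMap<>();
        for (Map.Entry<String, Probe> e : PROBES.entrySet()) {
            boolean rejected;
            try {
                e.getValue().run(p);
                rejected = false;
            } catch (GeneralSecurityException | InvalidParameterException ex) {
                rejected = true;   // InvalidParameterException covers too-small key sizes at initialize()
            }
            results.put(e.getKey(), rejected);
        }
        return results;
    }

    public static void main(String[] args) {
        Provider p = Security.getProvider(PROVIDER);
        if (p == null) {
            System.err.println(PROVIDER + " is not registered; start the JVM with -Xenablefips140-3");
            System.exit(1);
        }
        run(p).forEach((label, rejected) ->
            System.out.println((rejected ? "REJECTED       " : "STILL ALLOWED  ") + label));
    }
}
```

Any probe reported as still allowed indicates an algorithm that your application may still be able to request but that the FIPS 140-3 security policy does not permit for cryptographic purposes.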

TLS changes for the IBMJSSE2 provider in FIPS mode
  • The TLS 1.3 protocol is allowed.
  • The TLS 1.0 and 1.1 protocols are not allowed.
  • DSA end-entity certificates are not allowed; you cannot use DSA certificates for client authentication.
  • Existing DSA certificates and keys in a certificate chain must have a key size of 2048 bits or longer.
  • DH_DSS and DHE_DSS key exchange cipher algorithms are not allowed.
  • The following EC curves are allowed: P-224, P-256, P-384, P-521.
  • The P-192 EC curve is not allowed.
  • DH key exchange cipher algorithms allow only the following groups: FFDHE2048, FFDHE3072, FFDHE4096, FFDHE6144, FFDHE8192.
  • SHA1-signed certificates are not allowed.
  • SHA1 MAC cipher suite algorithms are not allowed.
TLS requirements that still apply
The following TLS requirements that applied to FIPS 140-2 deployments that used the IBMJSSE2 provider in FIPS mode also apply to FIPS 140-3 deployments:
  • Instances of the SecureRandom class must use the SHA2DRBG algorithm.
  • RSA key sizes must be 2048 bits or longer.
  • The following bulk encryption cipher suites are not allowed: 3DES, DES, RC4, ANON, CHACHA, NULL
  • DH_DES and EXPORT key exchange ciphers are not allowed.
  • DHE_RSA and RSA key exchange ciphers with AES bulk encryption are allowed.
  • ECDHE_ECDSA and ECDHE_RSA key exchange cipher suites are allowed if you use only the curves and key sizes that are permitted according to the security policy (for FIPS 140-3, these are the curves and key sizes that are listed in the previous sections; permitted cipher suites are listed in the Frequently asked questions section).
  • The TLS 1.2 protocol is allowed.

Enabling the FIPS 140-3 technology preview

The FIPS 140-3 technology preview is disabled by default. Enable the technology preview for evaluation purposes only; do not use it in a production environment.

Note: This technology preview uses a different java.security file from the existing one that is mentioned in How to Specify a java.security.Security Property. If you need to update a java.security file, ensure that you update the correct one. The file that is used by the technology preview is install_dir/jre/fips140-3/lib/security/java.security. This file contains the changes that are required to satisfy the expected FIPS 140-3 security policy; if you change this file, be careful not to remove any FIPS 140-3 changes.

To enable the FIPS 140-3 technology preview, complete the following steps:

  1. If you use your own java.policy file instead of the file that is provided as part of the SDK (install_dir/jre/lib/security/java.policy), add the following permission to it:
    // Grant all permissions to the FIPS directories
    grant codeBase "file:${java.home}/fips${com.ibm.fips.mode}/lib/ext/*" {
        permission java.security.AllPermission;
    };
    
    This permission is already present in the provided java.policy file. If this permission is not present, you might see a java.lang.ExceptionInInitializerError exception and messages similar to the following examples:
    Caused by: java.security.ProviderException: Failed to initialize IBMJCEPlus provider
    Caused by: java.security.ProviderException: Access denied ("java.util.PropertyPermission" "java.home" "read")
  2. Ensure that you are using the IBMJCEPlusFIPS provider (this step was also required for FIPS 140-2 support). The java.security file that is provided as part of the technology preview already specifies this provider but you can also specify providers dynamically in application code. If your application adds providers by using the addProvider or insertProviderAt methods of the Security class, ensure that your code specifies IBMJCEPlusFIPS before any other cryptographic provider.
  3. If you are also using the IBMJSSE2 provider, ensure that the value of the jdk.tls.ephemeralDHKeySize system property is set to 2048. This value is already set as part of the technology preview. However, you can set a system property in multiple ways, for example as a command-line option. Do not override this value with a lower key size. For more information about this property, see Customizing the size of Ephemeral Diffie-Hellman Keys.
  4. If you are using the IBMJSSE2 provider, enable it to run in FIPS mode (this step was also required for FIPS 140-2 support) by setting the following system properties:
    com.ibm.jsse2.usefipsprovider=true
    com.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS
    You can set a system property in multiple ways, as described in How to Specify a java.lang.system Property; if you use the Java command line, combine this step with the last step. For more information about FIPS mode, see Running IBMJSSE2 in FIPS mode but note that that topic applies to the existing FIPS 140-2 support only.
  5. Run your Java application, specifying the -Xenablefips140-3 command-line option to enable the technology preview. For example:
    java -Xenablefips140-3 MyApp
    Or, if you are using the IBMJSSE2 provider:
    java -Dcom.ibm.jsse2.usefipsprovider=true -Dcom.ibm.jsse2.usefipsProviderName=IBMJCEPlusFIPS -Xenablefips140-3 MyApp
Notes:
  • The -Xenablefips140-3 option is available only in the environments that are listed in a previous section. In other environments, this option is not recognized and the JVM fails to start.
  • You can use the com.ibm.fips.mode internal system property to check dynamically whether an application is running on a JVM where the FIPS 140-3 technology preview is enabled. If the value of com.ibm.fips.mode is 140-3, the FIPS 140-3 technology preview is enabled. This system property might not exist on all operating systems.
  • The technology preview changes the value of the java.ext.dirs system property to add the path install_dir/jre/fips140-n/lib/ext, where n is the FIPS 140 version (either 3, if you enable the technology preview, or 2). The technology preview appends this path to the existing property value so if you already modified the value, your changes are preserved. However, if the technology preview does not work or your existing FIPS 140-2 deployment stops working, and you see a java.lang.ExceptionInInitializerError exception, check that the value of this property contains this path.
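The following added example (not code from the IBM SDK) is a preflight check that an application can run at startup to confirm the configuration produced by steps 2 to 5 and the notes above: the com.ibm.fips.mode value, the provider order, the ephemeral DH key size, the IBMJSSE2 FIPS-mode properties, and the java.ext.dirs path. The class name Fips140_3Preflight and the finding messages are the example's own; it assumes the properties are visible through System.getProperty.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;

/** Startup checks for the FIPS 140-3 technology preview configuration. */
public class Fips140_3Preflight {

    /** Returns a list of findings; an empty list means every check passed. */
    public static List<String> check() {
        List<String> findings = new ArrayList<>();

        // Step 5: -Xenablefips140-3 sets com.ibm.fips.mode to 140-3 (the property may be absent on some platforms).
        String mode = System.getProperty("com.ibm.fips.mode");
        if (!"140-3".equals(mode)) {
            findings.add("com.ibm.fips.mode is " + mode + "; expected 140-3 (was -Xenablefips140-3 specified?)");
        }

        // Step 2: IBMJCEPlusFIPS must precede every other cryptographic provider.
        Provider[] providers = Security.getProviders();
        String first = providers.length == 0 ? "none" : providers[0].getName();
        if (!"IBMJCEPlusFIPS".equals(first)) {
            findings.add("first provider is " + first + "; expected IBMJCEPlusFIPS");
        }

        // Step 3: the ephemeral DH key size must be 2048 and must not be overridden with a lower value.
        String dh = System.getProperty("jdk.tls.ephemeralDHKeySize", "").trim();
        if (!"2048".equals(dh)) {
            findings.add("jdk.tls.ephemeralDHKeySize is '" + dh + "'; expected 2048");
        }

        // Step 4: IBMJSSE2 FIPS-mode system properties.
        if (!"true".equalsIgnoreCase(System.getProperty("com.ibm.jsse2.usefipsprovider"))) {
            findings.add("com.ibm.jsse2.usefipsprovider is not true");
        }
        if (!"IBMJCEPlusFIPS".equals(System.getProperty("com.ibm.jsse2.usefipsProviderName"))) {
            findings.add("com.ibm.jsse2.usefipsProviderName is not IBMJCEPlusFIPS");
        }

        // Third note: java.ext.dirs must still contain the fips140-3/lib/ext path that the preview appends.
        String extDirs = System.getProperty("java.ext.dirs", "");
        if (!extDirs.contains("fips140-3")) {
            findings.add("java.ext.dirs does not contain the fips140-3/lib/ext path: " + extDirs);
        }
        return findings;
    }

    public static void main(String[] args) {
        List<String> findings = check();
        if (findings.isEmpty()) {
            System.out.println("FIPS 140-3 technology preview configuration looks correct");
        } else {
            findings.forEach(f -> System.out.println("CHECK FAILED: " + f));
            System.exit(1);
        }
    }
}
```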

Supported algorithms

The following tables show the algorithms that are currently supported when -Xenablefips140-3 is specified as an argument to the JVM.

Note: As the FIPS 140-3 certification is ongoing, this list is not exhaustive and is subject to change.
Table 2. Algorithms supported by the IBMJCEPlus provider
API | Supported algorithms
Algorithm parameter | AES, CCM, ChaCha20, ChaCha20-Poly1305, DESede, DH, DSA, EC, GCM, OAEP, RSAPSS
Algorithm parameter generator | CCM, DH, DSA, EC, GCM
Cipher algorithms | AES, ChaCha20, ChaCha20-Poly1305, DESede, RSA
Cipher modes | AES: CBC, CCM, CFB8, CFB128, CFB, CTR, ECB, GCM, OFB; DESede: ECB, CBC; RSA: null, ECB, SSL
Key agreement algorithms | DH, ECDH, XDH, X25519, X448
Key factory | DH, DSA, EC, EdDSA, Ed25519, Ed448, RSA, RSAPSS, XDH, X25519, X448
Key generator | AES, ChaCha20, DESede, HmacMD5, HmacSHA1, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512, HmacSHA3-224, HmacSHA3-256, HmacSHA3-384, HmacSHA3-512, kda-hkdf-with-sha1, kda-hkdf-with-sha224, kda-hkdf-with-sha256, kda-hkdf-with-sha384, kda-hkdf-with-sha512
Key pair generator | DH, DSA, EC, RSA, XDH, X25519, X448
Message authentication code (MAC) | HmacMD5, HmacSHA1, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512, HmacSHA3-224, HmacSHA3-256, HmacSHA3-384, HmacSHA3-512
Message digest | MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512
Secret key factory | AES, ChaCha20, DESede
Secure random | HASHDRBG, SHA256DRBG, SHA512DRBG
Signature algorithms | EdDSA, Ed25519, Ed448, NONEwithDSA, NONEwithECDSA, NONEwithRSA, RSAPSS, SHA1withDSA, SHA224withDSA, SHA256withDSA, SHA1withECDSA, SHA224withECDSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA, SHA1withRSA, SHA224withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA3-224withDSA, SHA3-256withDSA, SHA3-384withDSA, SHA3-512withDSA, SHA3-224withECDSA, SHA3-256withECDSA, SHA3-384withECDSA, SHA3-512withECDSA, SHA3-224withRSA, SHA3-256withRSA, SHA3-384withRSA, SHA3-512withRSA
Table 3. Algorithms supported by the IBMJCEPlusFIPS provider
API | Supported algorithms
Algorithm parameter | AES, CCM, DH, DSA, EC, GCM, OAEP, RSAPSS
Algorithm parameter generator | CCM, DH, DSA, EC, GCM
Cipher algorithms | AES, RSA
Cipher modes | AES: CBC, CCM, CFB8, CFB128, CFB, CTR, ECB, GCM, OFB; RSA: null, ECB, SSL
Key agreement algorithms | DH, ECDH
Key factory | DH, DSA, EC, RSA, RSAPSS
Key generator | AES, HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512, HmacSHA3-224, HmacSHA3-256, HmacSHA3-384, HmacSHA3-512, kda-hkdf-with-sha224, kda-hkdf-with-sha256, kda-hkdf-with-sha384, kda-hkdf-with-sha512
Key pair generator | DH, EC, RSA
Message authentication code (MAC) | HmacSHA224, HmacSHA256, HmacSHA384, HmacSHA512, HmacSHA3-224, HmacSHA3-256, HmacSHA3-384, HmacSHA3-512
Message digest | SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512
Secret key factory | AES
Secure random | HASHDRBG, SHA256DRBG, SHA512DRBG
Signature algorithms | NONEwithDSA, SHA224withDSA, SHA256withDSA, NONEwithECDSA, SHA224withECDSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA, NONEwithRSA, SHA224withRSA, SHA256withRSA, SHA384withRSA, SHA512withRSA, RSAPSS

Known limitations

The known limitations are as follows.

  • RSAPSS signature does not support RSA plain keys.
  • RSAPSS supports SHA-1 (for non-FIPS providers only), SHA-224, SHA-256, SHA-384, and SHA-512 as input digest algorithms.
  • CCM mode for the AES cipher does not support Cipher.update(); only Cipher.doFinal() is supported.
  • When JSSE is enabled to run in FIPS 140-3 mode, RSA key exchange cipher suites are disabled because of the Timing Oracle in RSA Decryption issue (CVE-2023-33850). The FIPS 140-3 IBMJCEPlusFIPS provider is undergoing FIPS certification, and because of FIPS certification rules, the fix for CVE-2023-33850 is not yet included in that provider. Because the fix could not be provided, RSA encryption and decryption support has been removed from the IBMJCEPlusFIPS provider for FIPS 140-3. RSA encryption and decryption support is available in the IBMJCEPlus provider and can be used instead.

    FIPS 140-3 does not allow the RSA key exchange; therefore, when JSSE is enabled to run in FIPS 140-3 mode, TLS is not vulnerable to CVE-2023-33850.

Frequently asked questions

SHA1 is not allowed in FIPS 140-3. Can SHA1 still be used to hash two files to determine whether they are the same?
Yes. SHA1 is no longer considered secure for cryptographic operations. However, you can still use SHA1 for noncryptographic operations. For example, you can use the SHA1 algorithm (from the IBMJCE provider) to compare two documents or objects to see whether they are identical (same hashes), but you can't use it for hashing those documents for digital signature.
What do you mean by key exchange, bulk encryption or MAC cipher suites?
A TLS cipher suite is the set of algorithms that are used to secure network connections. In the TLS 1.2 protocol, the set of algorithms that cipher suites usually contain includes: a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm. In the cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, for example, ECDHE_RSA is the key exchange algorithm, AES_128_GCM is the bulk encryption algorithm, and SHA256 is the MAC algorithm to be used. In the TLS 1.3 protocol, the key exchange algorithm is omitted. For example, in the cipher suite TLS_AES_128_GCM_SHA256, AES_128_GCM is the bulk encryption algorithm, and SHA256 is the MAC algorithm to be used.
What TLS protocols are allowed in the FIPS 140-3 standard?
TLS 1.3 and TLS 1.2
What TLS cipher suites are allowed in the FIPS 140-3 standard?
The following suites are allowed for the TLS 1.3 protocol:
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
The following suites are allowed for the TLS 1.2 protocol:
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
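The following added example (not code from the IBM SDK) turns the protocol and cipher suite lists in the two answers above into an SSLParameters object that pins a socket or engine to TLS 1.2/1.3 and to the listed suites only, intersected with what the running SSLContext actually supports. The class name Fips140_3TlsParameters and the helper names are the example's own; it assumes IBMJSSE2 is the default TLS provider.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/** Restricts a TLS endpoint to the protocols and cipher suites permitted for FIPS 140-3. */
public class Fips140_3TlsParameters {
    static final List<String> ALLOWED_PROTOCOLS = Arrays.asList("TLSv1.3", "TLSv1.2");
    // The allowlist from the FAQ; note that it contains no RSA key exchange (TLS_RSA_WITH_*) suites.
    static final Set<String> ALLOWED_SUITES = new LinkedHashSet<>(Arrays.asList(
        "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"));

    /** Returns the members of the allowlist that appear in the supported array, in allowlist order. */
    static String[] intersect(Iterable<String> allowed, String[] supported) {
        Set<String> have = new HashSet<>(Arrays.asList(supported));
        List<String> out = new ArrayList<>();
        for (String s : allowed) if (have.contains(s)) out.add(s);
        return out.toArray(new String[0]);
    }

    /** Builds SSLParameters limited to the allowed protocols and suites; throws if none are available. */
    public static SSLParameters restrictedParameters(SSLContext ctx) {
        SSLParameters supported = ctx.getSupportedSSLParameters();
        String[] protocols = intersect(ALLOWED_PROTOCOLS, supported.getProtocols());
        String[] suites = intersect(ALLOWED_SUITES, supported.getCipherSuites());
        if (protocols.length == 0 || suites.length == 0) {
            throw new IllegalStateException("this SSLContext supports no FIPS 140-3 protocol/cipher suite");
        }
        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setProtocols(protocols);
        params.setCipherSuites(suites);
        return params;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);   // default key and trust managers
        SSLParameters params = restrictedParameters(ctx);
        System.out.println("protocols:     " + Arrays.toString(params.getProtocols()));
        System.out.println("cipher suites: " + Arrays.toString(params.getCipherSuites()));
        // Apply with sslSocket.setSSLParameters(params) or sslEngine.setSSLParameters(params).
    }
}
```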