Cryptographic standards and FIPS 140

The National Institute of Standards and Technologies (NIST) publishes Federal Information Processing Standards publication 140 (FIPS 140). This publication specifies security requirements for cryptographic modules for both hardware and software components of computer systems. FIPS 140 places some restrictions on the use of cryptographic algorithms and modules. Some examples of the restrictions are:
  • Cryptographic algorithms and keys must be contained within a cryptographic module and accessed through a well defined cryptographic boundary.
  • Use of weaker cryptographic algorithms (for example, DES and MD5) is not allowed.
  • Use of weaker asymmetric key lengths (for example, RSA digital signature operations using key lengths less than 1024 bits) is not allowed.
  • Use of Diffie-Hellman groups with weaker key lengths (key lengths less than 2048 bits) is not allowed. This restriction applies to groups 1, 2, and 5.

See the National Institute of Standards and Technology (NIST) website at for the most recent FIPS 140 publication, and other related publications.

On z/OS® systems, Integrated Cryptographic Services Facility (ICSF) and System SSL provide cryptographic services. z/OS Communications Server uses ICSF and System SSL in addition to its own cryptographic algorithms in some of its networking security functions, such as AT-TLS and IP security. You can configure ICSF, System SSL, and the z/OS Communications Server networking security functions in FIPS 140 mode, in which case they enforce FIPS 140 restrictions. Enabling FIPS 140 mode might require additional setup and configuration, and it might result in a reduction in performance.