Cryptographic standards and FIPS 140
- Cryptographic algorithms and keys must be contained within a cryptographic module and accessed through a well defined cryptographic boundary.
- Use of weaker cryptographic algorithms (for example, DES and MD5) is not allowed.
- Use of weaker asymmetric key lengths (for example, RSA digital signature operations using key lengths less than 1024 bits) is not allowed.
- Use of Diffie-Hellman groups with weaker key lengths (key lengths less than 2048 bits) is not allowed. This restriction applies to groups 1, 2, and 5.
See the National Institute of Standards and Technology (NIST) website at http://csrc.nist.gov/publications/PubsFIPS.html for the most recent FIPS 140 publication, and other related publications.
On z/OS® systems, Integrated Cryptographic Services Facility (ICSF) and System SSL provide cryptographic services. z/OS Communications Server uses ICSF and System SSL in addition to its own cryptographic algorithms in some of its networking security functions, such as AT-TLS and IP security. You can configure ICSF, System SSL, and the z/OS Communications Server networking security functions in FIPS 140 mode, in which case they enforce FIPS 140 restrictions. Enabling FIPS 140 mode might require additional setup and configuration, and it might result in a reduction in performance.
- FIPS 140 mode and IP security
- Application Transparent Transport Layer Security data protection
- z/OS Cryptographic Services System SSL Programming
- z/OS Cryptographic Services ICSF Overview
- z/OS Cryptographic Services ICSF Administrator's Guide
- Operating in compliance with FIPS 140-2 in z/OS Cryptographic Services ICSF Writing PKCS #11 Applications