Federal Information Processing Standards (FIPS) Mode

Federal Information Processing Standards (FIPS) is a collection of standards defined by the United States Federal Government for document process, encryption algorithms, personal identification and verification, as well as many other areas. These standards are used within the United States federal government (civilian agencies, Department of Defense, and intelligence agencies).

FIPS, in the context of ExtremeXOS, refers to the specific standard 140-2, System Requirements for Cryptographic Modules. The publication series was issued to coordinate the requirements and standards for cryptographic modules that include both hardware and software components. Protection of a cryptographic module within a security system is necessary to maintain the confidentiality and integrity of the information protected by the module. This standard specifies the security requirements that are satisfied by a cryptographic module. The standard provides four increasing, qualitative levels of security intended to cover a wide range of potential applications and environments. The security requirements cover areas related to the secure design and implementation of a cryptographic module.

These areas include:
  • Cryptographic module specification
  • Cryptographic module ports and interfaces
  • Roles, services, and authentication
  • Finite state model; physical security
  • Operational environment
  • Cryptographic key management
  • Electromagnetic interference/electromagnetic compatibility (EMI/EMC)
  • Self-tests
  • Design assurance
  • Mitigation of other attacks

The US Government requirements break down FIPS 140-2 into two distinct categories: FIPS 140-2 Certified and FIPS 140-2 Compliant. Compliant is needed when only network management data is encrypted or decrypted, which typically includes SSH, SNMPv3, etc. When the product encrypts and decrypts user data this changes the requirement to FIPS 140-2 Certified. An example of a product that would require FIPS 140-2 certification is wireless, since user data is encrypted and decrypted as it flows across the radio waves.

In ExtremeXOS for all cryptographic functions, applications generally use OpenSSL library. OpenSSL module itself is not validated, so a new carefully defined software component called the OpenSSL FIPS Object Module has been created. It is designed for compatibility with the OpenSSL library so products using the OpenSSL library and API can be converted to use FIPS 140-2 validated cryptography with minimal effort. The most recent open source-based validation is the OpenSSL FIPS Object Module v2.0, FIPS 140-2 certificate #1747.

ExtremeXOS uses both OpenSSL libraries:
  • openssl-1.0.2l—When FIPS Mode is off.
  • openssl-fips-ecp-2.0.16—When FIPS Mode is on.
Note

Note

Digital Signature Algorithm (DSA) is not supported in FIPS mode. After turning on FIPS mode, you need to generate a new SSH host key.

Applications

SSH, SNMP (Simple Network Management Protocol), AAA, and EMS use this mode.