FIPS 140-2 Compliance Statement
Summary
Obsidian Gate 6.x complies with Federal Information Processing Standard 140-2 (FIPS 140-2), which defines the technical requirements to be used by Federal Agencies when these organisations specify cryptographic-based security systems for protection of sensitive or valuable data. The compliance of Obsidian Gate with FIPS 140-2 is ensured by:
- Integrating validated and NIST-certified third party cryptographic module(s), and using the module(s) as the only provider(s) of cryptographic services;
- Using FIPS-approved cryptographic functions;
- Using FIPS-approved and NIST-validated technologies;
- Using security controls defined in NIST 800-53, prescribed for cryptographic modules by FIPS 140-2 and applicable to Obsidian Gate design, implementation and operation.
Overview
About Obsidian Gate
Obsidian Gate is an easily installed platform that delivers robust data protection solutions. Access tools enable rapid search and retrieval of encrypted data by transparently decrypting on access after authentication, in accordance with designated permissions. Access is continuously monitored, and management is alerted to any potential or actual security breaches.
About FIPS 140-2
The Federal Information Processing Standards Publication (FIPS) 140-2, “Security Requirements for Cryptographic Modules,” was issued by the National Institute of Standards and Technology (NIST) in May 2001. The FIPS 140-2 standard specifies the security requirements for cryptographic modules used within a security system that protects sensitive or valuable data. The requirements can be found in the following documents:
- Security Requirements For Cryptographic Modules: http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
- Annex A: Approved Security Functions for FIPS PUB 140-2, Security Requirements for Cryptographic Modules: http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf
Compliant Modules and Technologies
The benefit of using FIPS 140-2 compliant cryptographic modules is that the FIPS-approved cryptographic algorithms are deemed appropriate and that they perform the encrypt, decrypt, and hash functions correctly and in a FIPS-compliant manner.
Modes of Operation
Obsidian Gate and its components can be configured and operated in the following two modes:
FIPS 140-2 Compliant Third Party Modules
Obsidian Gate components are integrated with the third-party FIPS 140-2 compliant cryptographic module BC-FJA (Bouncy Castle FIPS Java API) version 1.0.2.1. When Obsidian Gate is configured to operate in FIPS-compliant mode, every function and procedure that requires cryptography (for example SSL/TLS connections and encryption of stored sensitive data, which rely on secure hashing, encryption and digital signatures) obtains those services from BC-FJA configured to run in FIPS mode.
The Obsidian Gate components have been implemented in strict accordance with the published security policy for BC-FJA which is available at: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3514.pdf
TLS
All communications between Obsidian Gate components are secured with FIPS-compliant Transport Layer Security, TLS 1.2 or higher, relying on FIPS 140-2 approved hash algorithms and symmetric and asymmetric ciphers.
- TLS handshake, key negotiation, and authentication provide data integrity and make use of secure hash, asymmetric key cryptography and digital signature
- TLS encryption of data in transit provides confidentiality and makes use of symmetric cryptography
TLS usage and recommended configuration is in accordance with SP 800-52 Rev. 2 “Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations” available at https://csrc.nist.gov/publications/detail/sp/800-52/rev-2/final
Secure Hash
Per FIPS 140-2 standards, Obsidian Gate, in the FIPS compliant mode, uses the following secure hash algorithm:
- SHA-512
Symmetric Cryptography
Per FIPS 140-2 standards, Obsidian Gate, in the FIPS 140-2 compliant mode, uses the following symmetric key algorithm:
- AES (GCM) [256 bit key size]
- AES (CCM)
Key Agreement
Per FIPS 140-2 standards, Obsidian Gate, in the FIPS 140-2 compliant mode, uses the following asymmetric key algorithm:
- Elliptic Curve Diffie-Hellman with SHA-512 Concatenation
Message Digest
Per FIPS 140-2 standards, Obsidian Gate, in the FIPS compliant mode, uses the following digital signature hash algorithm:
- SHA-512
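As an added illustration (not Obsidian Gate's own code), the following Java snippet shows how an application that integrates BC-FJA as its sole cryptographic provider, as described in the "FIPS 140-2 Compliant Third Party Modules" section, would enter approved-only mode and exercise the AES-256 GCM service listed under Symmetric Cryptography, failing closed if any other provider answers a request. It assumes the bc-fips 1.0.2.x jar on the classpath; the class name FipsModeCheck and the helpers enterFipsMode and requireBcFips are hypothetical, and the snippet relies on BC-FJA generating the GCM nonce when the caller supplies none.

```java
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import org.bouncycastle.crypto.CryptoServicesRegistrar;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

public class FipsModeCheck { // hypothetical class name, added example
    // Register BC-FJA first in the provider list and switch this thread to
    // approved-only mode (the setting is per thread in BC-FJA).
    static void enterFipsMode() {
        Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);
        CryptoServicesRegistrar.setApprovedOnlyMode(true);
        if (!CryptoServicesRegistrar.isInApprovedOnlyMode()) {
            throw new IllegalStateException("BC-FJA is not in approved-only mode");
        }
    }

    // Fail closed if a JCA object came from any provider other than BCFIPS, so a
    // wrong provider order cannot silently route a call to a non-validated module.
    static void requireBcFips(Provider p) {
        if (!"BCFIPS".equals(p.getName())) {
            throw new IllegalStateException("non-FIPS provider in use: " + p.getName());
        }
    }

    public static void main(String[] args) throws Exception {
        enterFipsMode();
        SecureRandom rng = SecureRandom.getInstance("DEFAULT", "BCFIPS"); // module DRBG
        KeyGenerator kg = KeyGenerator.getInstance("AES", "BCFIPS");
        kg.init(256, rng);                      // AES-256 as listed above
        SecretKey key = kg.generateKey();
        byte[] record = "constructed sample record".getBytes("UTF-8"); // constructed input
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding", "BCFIPS");
        requireBcFips(enc.getProvider());
        enc.init(Cipher.ENCRYPT_MODE, key, rng); // no caller IV: assumed module-generated nonce
        byte[] ciphertext = enc.doFinal(record);
        byte[] nonce = enc.getIV();             // store next to the ciphertext, never reuse
        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding", "BCFIPS");
        dec.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        if (!Arrays.equals(record, dec.doFinal(ciphertext))) {
            throw new IllegalStateException("AES-GCM round trip failed");
        }
        System.out.println("AES-256-GCM round trip OK under approved-only mode");
    }
}
```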
FIPS 140-2 Architecture
Obsidian Gate modules must be run in FIPS-compliant mode.

Supported Platforms
Obsidian Gate supports FIPS mode with the following FIPS-compliant environments:
- JDK8
FIPS-enabled Obsidian Web requires the following:
- A user-generated certificate signed by an approved Certificate Authority
- TLS 1.2 to support the server-client connection for a FIPS-enabled system
Design Assurance
Obsidian Gate uses the security provider BC-FJA (Bouncy Castle FIPS Java API) version 1.0.2.1. This is the only supported security provider for FIPS 140-2. Obsidian Gate uses FIPS-compliant cryptography methods for the following:
- Document encryption for data at rest
- RMI over TLS communication between Obsidian Gate components
- Java keystore and Java Runtime Environment
Key Management
Many aspects of key management, such as random number and key generation, are provided by functions of the BC-FJA cryptographic module and therefore meet FIPS 140-2 compliance requirements. The application-specific key management functions include:
- Key storage, key protection, and key access functions meet FIPS 140-2 compliance requirements and use the BC-FJA cryptographic module.
- Keys are generated, changed and transported in a protected manner.