FIPS Mode

SafeNet ProtectToolkit-C and the ProtectServer HSM have been certified to Federal Information Processing Standard (FIPS) 140-2 level 3. The FIPS certification assures users that an independent third party has verified that the product meets the high level of security demanded.

NOTE   SafeNet ProtectToolkit-C and the HSM can function outside the scope of this accreditation.  Therefore, to guarantee that the HSM functions in FIPS mode, ensure that the correct configuration is set using the ctconf command given below.

The attributes of the FIPS Mode security policy are:

>No public cryptographic operations.

NOTE   RSA and other public key processing can still occur. The setting restricts cryptographic services from being performed by unauthenticated users.

>No clear PINs allowed

>Authentication protection turned on

>Security policy locked to prevent any change

>Tamper before upgrade

>Only allow FIPS-approved algorithms

FIPS Mode Operational Restrictions

In FIPS mode, operations of certain cryptographic algorithms are restricted to keys with a minimum modulus. Any attempt to use or create a key smaller than the specified minimum will result in a CKR_KEY_SIZE_RANGE error. The minimum key size for verify operations may be smaller, to verify legacy keys created in earlier versions of FIPS mode. The key sizes are restricted as follows:

>RSA: must be 2048, 3072, or 4096 bits (verify - 1024 or 1536 bits)

>DSA: must be 2048, 3072, or 4096 bits (verify - 1024 or 1536 bits)

>DH: must be 2048 bits at minimum

>EC: must be 224 bits at minimum (verify - 160 bits)

Command:

ctconf –fF
 

equivalent to:

ctconf –faclntu


Customer Support Portal

SafeNet ProtectToolkit 5.7 Product Documentation  08 January 2020  Copyright 2009-2020 Gemalto. All rights reserved.