Security and Compliance
Compliance with FIPS
Digital security is the highest priority at Thales. To ensure top-notch security for customers, SafeNet Authentication Service adheres to the Federal Information Processing Standards (FIPS) encouraged and shared by the US government, which help with cyber risk management. This means that FIPS-approved algorithms are used for cryptographic operations in the SAS application, including cryptographic key generation, storage and distribution. The following sections outline how to configure and verify FIPS compliance on SAS machines.
The Microsoft security application EMET 5.52 is removed from SafeNet Authentication Service and is no longer part of SAS PCE compliance practice.
Configure FIPS Mode in SAS Machine
You can enable FIPS mode in your SAS machine by using the following instructions:
- Press the Windows icon on the Taskbar and type Local Group Policy Editor in the search box. The Local Group Policy Editor window is displayed.
- In the left pane, click Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
- Enable the policy System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.
Verify FIPS Compliance in SAS Machine
While non-FIPS-compliant versions are still supported by SAS PCE, customers may face technical limitations even after enabling FIPS mode in their existing setup. It is recommended to upgrade to version 3.19 or later (as and when available) to make your SAS PCE application fully FIPS compliant.
To check whether the FIPS security algorithms are compatible with your application, you need to determine the cipher key length. SAS PCE 3.19 includes cryptographic algorithm enhancements that allow users to verify the cipher key length in the event logs of their Windows machine.
If you are using an older version of SAS PCE, you must upgrade to 3.19 or later (as and when available) to view the cipher key length data.
To verify cipher key length, follow the steps:
- Log in to SAS as an administrator. The login event is written to the event log.
- In the Event Viewer app, navigate to Windows Logs > Application to access the event log information.
- In the event log list, double-click the most recent Information event. The Event Properties window opens, displaying the cipher key length in the General section.
The standard cipher key length values compatible with FIPS algorithms are 16, 24 and 32 bytes. If any other cipher key length is displayed for your login event, contact Thales Customer Support to seek assistance with data migration in FIPS-on mode.
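The following PowerShell script is an added example, not part of the Thales documentation: it reads the registry value that the Group Policy setting above controls, then scans the Application log for recent events that report a cipher key length and flags any length outside the 16, 24 and 32 byte values listed above. The exact wording of the SAS login event is not given on this page, so the regular expression matching "cipher key length" is an assumption to adjust to the real message text.

```powershell
# Added example, not from the SAS documentation.
# Part 1: check the FIPS policy value behind the Group Policy setting
# "System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing".
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fipsValue = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
if ($fipsValue -eq 1) {
    Write-Host 'FIPS policy: enabled'
} else {
    Write-Warning 'FIPS policy: NOT enabled (expected Enabled = 1)'
}

# Part 2: key lengths (in bytes) that the documentation lists as FIPS-compatible.
$allowedLengths = 16, 24, 32

function Test-SasCipherKeyLength {
    param([int]$LengthBytes)
    return ($allowedLengths -contains $LengthBytes)
}

# Pull Application-log events from the last day. The message pattern below is an
# ASSUMPTION about how the SAS login event reports the key length; adapt it to the
# text you see in Event Viewer > Windows Logs > Application > Event Properties.
$pattern = 'cipher key length\D*(\d+)'
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = (Get-Date).AddDays(-1) } `
    -ErrorAction SilentlyContinue

$found = 0
foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        $found++
        $len = [int]$Matches[1]
        if (Test-SasCipherKeyLength -LengthBytes $len) {
            Write-Host ("{0}  OK: cipher key length {1} bytes is FIPS-compatible" -f $e.TimeCreated, $len)
        } else {
            Write-Warning ("{0}  cipher key length {1} bytes is NOT one of 16/24/32; contact Thales support" -f $e.TimeCreated, $len)
        }
    }
}
if ($found -eq 0) {
    Write-Host 'No events matching the cipher key length pattern were found; log in to SAS as an administrator and re-run.'
}
```

Run the script in an elevated PowerShell session on the SAS machine after logging in to SAS as an administrator, so that the login event is present in the Application log.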
Persistent cookie settings for Self-Service portal
The SelfService_orgUniqueCode cookie contains a unique string associated with an organization, aiding in remembering the organization used with the Self-Service component on the browser. Its content is generated dynamically and is not stored in a database. The value, which is non-sensitive and obfuscated, is computed on the fly; therefore, it does not disclose any personal or sensitive information.
Users can decide whether to keep the persistent cookie or not. To remove the persistent cookie for Self-Service, there is an application setting named RemovePersistentCookie. By default, its value is False, which allows persistent cookies. If its value is set to True, the persistent cookie will be replaced with a session-based cookie.
After an upgrade, the previous settings are restored. You need to change the value as per the requirement.
Perform the following steps to change the value of RemovePersistentCookie:
- Open IIS Manager.
- Navigate to Sites > Default Web Site > blackshieldss.
- In the left pane, click blackshieldss, and then click Application Settings.
- Right-click RemovePersistentCookie and click Edit.
- In the Edit Application Setting window, in the Value field, enter either True or False as required, and then click OK.
If the value of RemovePersistentCookie is set to False, there is no change to the existing functionality. If its value is set to True, accessing Self-Service requires the Self-Service Unique URL that is specified under Self-Service > Self-Service Policy. Because the session cookie is lost every time the session is closed, the Self-Service Unique URL is needed to retrieve the organization details.