FIPS Compliance

This section applies to customers who want to achieve FIPS compliance for their Microsoft Windows environments.

Microsoft CNG Versions

ActivClient relies on Microsoft Cryptography Next Generation (CNG) for all its internal cryptographic needs. The Microsoft CNG library is a FIPS 140-2 Level 1 validated cryptographic module. Detailed references to the Microsoft FIPS 140 evaluation can be found at http://technet.microsoft.com/en-us/library/cc750357.aspx.

Per the Microsoft Security Policy for the module, operating the library in its approved mode requires verifying that the correct versions of a number of OS components are installed, so that the module is used under the approved FIPS policy (see http://technet.microsoft.com/en-us/library/cc750357.aspx):

"Systems Integrators must ensure that all cryptographic modules installed are, in fact, FIPS 140 validated. This can be accomplished by cross-checking the version number of the installed library with the list of validated binaries."

ActivClient does not verify the versions of the cryptographic modules installed on the platform; it is the customer’s responsibility to make sure that the versions are correct. However, to ease configuration troubleshooting, the ActivClient diagnostic includes the version of the relevant modules. This information can be used to verify that the proper versions of the modules are installed on the end users’ platforms.

It is recommended that customers regularly check for availability of newer FIPS approved CNG versions from NIST or Microsoft’s web sites.
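The version cross-check described above, as an added PowerShell example (this is not the ActivClient diagnostic nor any ActivClient code). The module list and every version string in $validated are placeholders: replace them with the versions published on the validated-module list for your Windows build, and run the check on the end-user platforms you deploy to.

```powershell
# Added example, not ActivClient code: cross-check installed CNG binaries
# against versions you have confirmed on the NIST/Microsoft validated list.
function Test-CngModuleVersions {
    [CmdletBinding()]
    param(
        # Path relative to %SystemRoot% -> version string from the validated list.
        [Parameter(Mandatory)] [hashtable] $Expected
    )
    foreach ($relative in $Expected.Keys) {
        $path = Join-Path $env:SystemRoot $relative
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Installed = $null; Expected = $Expected[$relative]; Match = $false }
            continue
        }
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        # Build the version from the numeric fields; the FileVersion string can
        # carry a build-lab suffix that would never equal a plain version number.
        $installed = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        [pscustomobject]@{
            Path      = $path
            Installed = $installed
            Expected  = $Expected[$relative]
            Match     = ($installed -eq $Expected[$relative])
        }
    }
}

# Placeholder versions (an assumption of this example): replace each value with
# the version listed on the validated-module page for your Windows build. The
# SysWOW64 copies matter because 32-bit applications load those binaries.
$validated = @{
    'System32\bcryptprimitives.dll' = '0.0.0.0'
    'SysWOW64\bcryptprimitives.dll' = '0.0.0.0'
    'System32\bcrypt.dll'           = '0.0.0.0'
    'System32\ncrypt.dll'           = '0.0.0.0'
    'System32\drivers\cng.sys'      = '0.0.0.0'
}

$results = Test-CngModuleVersions -Expected $validated
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Match }) {
    Write-Warning 'One or more CNG modules are missing or not the validated version.'
}
```

The check reads the numeric fields of each binary's version resource rather than the FileVersion string, because the string form on some builds includes a build-lab suffix that would never match a version number copied from the validated list.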

FIPS Policy Flag

The Windows operating system supports a security policy (System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing) that causes various Microsoft components and applications to operate in FIPS mode.

The ActivClient installation or administrative template does not act on this Microsoft policy. It is the customer’s responsibility to make sure that this policy is enabled to achieve FIPS compliance.

ActivClient has been tested for compliance with supported Microsoft applications with this flag set.

It has to be noted that:

  • The flag does not change the set of algorithms the CNG library exposes, and ActivClient does not modify its behavior when the flag is configured; it is the customer's responsibility to verify that proper (that is, FIPS-validated) versions of the module are installed, as described in the previous section. It is also the responsibility of the calling applications to make sure that only FIPS approved algorithms and key sizes are used.

  • Setting the FIPS flag might impact the use of some Microsoft products and components (see http://technet.microsoft.com/en-us/library/cc750357.aspx (Effects of Setting FIPS policy flag) and Knowledge Base article http://support.microsoft.com/kb/811833). It is therefore strongly recommended that you verify there is no functional impact on the ActivClient-enabled applications deployed in the organization before rolling the flag out.

It is also recommended that you refer to the following Microsoft article on the effect of setting the FIPS policy flag: https://techcommunity.microsoft.com/t5/microsoft-security-baselines/why-we-amp-8217-re-not-recommending-amp-8220-fips-mode-amp-8221/ba-p/701037
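As an added example (not ActivClient code), the following PowerShell reads the policy flag from the three places that matter on a Windows host: the registry value the policy writes, the answer CNG gives native callers through BCryptGetFipsAlgorithmMode, and the value .NET Framework applications consult. It also probes the functional impact mentioned above by constructing a managed (non-validated) hash class, which throws when the flag is on. Windows PowerShell 5.1 is assumed, because the .NET checks rely on .NET Framework classes.

```powershell
# Added example, not ActivClient code: inspect the FIPS policy flag as the OS
# stores it and as applications query it (Windows PowerShell 5.1 assumed).
Add-Type -Namespace FipsCheck -Name Native -MemberDefinition @'
// BOOLEAN in the Win32 prototype is one byte, so marshal it as byte.
[DllImport("bcrypt.dll")]
public static extern int BCryptGetFipsAlgorithmMode(out byte pfEnabled);
'@

function Get-FipsPolicyState {
    # 1. The raw value behind "System cryptography: Use FIPS compliant algorithms...".
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled

    # 2. What native callers get from CNG (NTSTATUS 0 == STATUS_SUCCESS).
    [byte]$cng = 0
    $status = [FipsCheck.Native]::BCryptGetFipsAlgorithmMode([ref]$cng)

    # 3. What .NET Framework applications consult before picking an implementation.
    $dotnet = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms

    # 4. Functional-impact probe: managed (non-validated) hash classes throw when
    #    the flag is on, while CNG-backed classes keep working. This is the kind
    #    of breakage the warning above asks you to test for in your applications.
    $managedBlocked = $false
    try   { $null = [System.Security.Cryptography.SHA256Managed]::new() }
    catch { $managedBlocked = $true }
    $cngWorks = $false
    try   { $null = [System.Security.Cryptography.SHA256Cng]::new(); $cngWorks = $true }
    catch { }

    [pscustomobject]@{
        RegistryEnabled      = [int]$enabled
        CngReportsFipsMode   = ($status -eq 0 -and $cng -ne 0)
        DotNetFipsOnly       = $dotnet
        ManagedSha256Blocked = $managedBlocked
        CngSha256Works       = $cngWorks
    }
}

$state = Get-FipsPolicyState
$state | Format-List
if ($state.RegistryEnabled -ne 1 -or -not $state.CngReportsFipsMode) {
    Write-Warning 'FIPS policy flag is not enabled on this host.'
}
```

Run it before and after enabling the policy: with the flag off, ManagedSha256Blocked is false; with it on, it turns true while CngSha256Works stays true, which is exactly the difference an application that hard-codes a managed implementation will hit.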

ActivClient Compatibility with FIPS Approved Cryptographic Algorithms, Modes, and Key Sizes

ActivClient only relies on FIPS approved cryptographic algorithms, modes and key sizes for its internal use. This encompasses:

  • Use of the RSA, AES, 3DES and SHA-2 approved algorithms (note that NIST SP 800-131A has since disallowed 3DES for encryption after 2023, so check the current transition guidance for the algorithms you rely on).

  • Use of approved key generation for AES and 3DES keys.

  • Use of an approved random number generator.

FIPS Compliance for Firefox

Firefox can be configured so that it only uses FIPS approved algorithms and cryptographic modules. Refer to this link for the detailed configuration steps: http://support.mozilla.com/en-US/kb/Configuring%20Firefox%20for%20FIPS%20140-2

FIPS Compliance for PKCS#11

ActivClient supports new mechanisms through its PKCS#11 library, permitting custom applications to use FIPS approved algorithms (AES, SHA-2) in FIPS approved mode of operation.

Internally, the ActivClient PKCS#11 library relies on the FIPS validated CNG library for its implementation. It is therefore important that the conditions of use of the CNG library defined in the section Microsoft CNG Versions are also met when custom applications integrate with the ActivClient PKCS#11 library and use these mechanisms.

FIPS Compliance for Terminal Services

ActivClient supports remote sessions in Microsoft Remote Desktop Service and Citrix XenApp environments.

Because the RDP and ICA protocols support smart card redirection, all card interactions initiated by the ActivClient instance installed on the server are redirected to the client. It is therefore very important that you protect the RDP or ICA connection properly, so that card commands and responses cannot be intercepted or eavesdropped on by an attacker.

Microsoft Remote Desktop Sessions

Starting with Windows Vista, it is possible to configure Windows Terminal Services to use the TLS protocol, including host certificate authentication and FIPS approved cryptography. This configuration is recommended over the legacy RDP Security Layer (RDP encryption), which is weaker and does not authenticate the host.

This requires configuring the RDP connection with the following Group Policy settings (Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security):

  • Set client connection encryption level: FIPS Compliant

  • Require secure RPC communication: Enabled

  • Require use of specific security layer for remote (RDP) connections: SSL (TLS 1.0 or later)

In this configuration, the RDP connection is protected by a TLS session that authenticates the host and uses only FIPS approved cipher suites. For the host authentication to be meaningful, clients must trust the certificate bound to the RDP listener rather than click through a certificate warning.

Note: This configuration requires RDP Client v6.0 or later.

In addition, RDP connections can be configured to require Network Level Authentication (NLA). In this configuration, user authentication completes before the RDP session is established, reducing resource consumption on the server and the risk of denial of service.
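The settings above, as an added PowerShell audit-and-apply example (not ActivClient code, and not a substitute for deploying them through Group Policy). Get-RdpSecurityState reads both the policy values the Group Policy items write and the effective listener settings from the TerminalServices WMI namespace; Set-RdpFipsPolicy writes the local-policy equivalent of the four settings. The listener name RDP-Tcp is assumed; the registry value names and their encodings are the ones the Group Policy items use.

```powershell
# Added example, not ActivClient code: audit a Remote Desktop Session Host for
# the FIPS encryption level, secure RPC, TLS security layer and NLA settings.
function Get-RdpSecurityState {
    # Values the Group Policy items write under the policy key:
    #   MinEncryptionLevel 4 = FIPS Compliant, fEncryptRPCTraffic 1 = Enabled,
    #   SecurityLayer 2 = SSL (TLS), UserAuthentication 1 = NLA required.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # Effective settings of the listener, whatever configured them.
    $listener = Get-CimInstance -Namespace root/cimv2/TerminalServices `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

    [pscustomobject]@{
        PolicyEncryptionLevelFips = ($policy.MinEncryptionLevel -eq 4)
        PolicySecureRpcRequired   = ($policy.fEncryptRPCTraffic -eq 1)
        PolicySecurityLayerTls    = ($policy.SecurityLayer -eq 2)
        PolicyNlaRequired         = ($policy.UserAuthentication -eq 1)
        EffectiveEncryptionLevel  = $listener.MinEncryptionLevel       # expect 4
        EffectiveSecurityLayer    = $listener.SecurityLayer            # expect 2
        EffectiveNlaRequired      = [bool]$listener.UserAuthenticationRequired
        ListenerCertThumbprint    = $listener.SSLCertificateSHA1Hash   # the host certificate clients must trust
    }
}

function Set-RdpFipsPolicy {
    # Local-policy equivalent of the GPO settings, for a host that is not domain
    # managed. New connections pick the values up after the Remote Desktop
    # Services service is restarted.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    $settings = @{
        MinEncryptionLevel = 4   # FIPS Compliant (weak: 1 Low, 2 Client Compatible)
        fEncryptRPCTraffic = 1   # Require secure RPC communication
        SecurityLayer      = 2   # SSL/TLS (weak: 0 = RDP Security Layer, no host authentication)
        UserAuthentication = 1   # Require Network Level Authentication
    }
    foreach ($entry in $settings.GetEnumerator()) {
        Set-ItemProperty -Path $policyKey -Name $entry.Key -Value $entry.Value -Type DWord
    }
}

$state = Get-RdpSecurityState
$state | Format-List
$weak = @()
if ($state.EffectiveEncryptionLevel -ne 4) { $weak += 'encryption level is not FIPS Compliant' }
if ($state.EffectiveSecurityLayer -ne 2)   { $weak += 'security layer is not SSL/TLS' }
if (-not $state.EffectiveNlaRequired)      { $weak += 'NLA is not required' }
if ($weak) { Write-Warning ('RDP host not hardened: ' + ($weak -join '; ')) }
```

Compare the Policy* and Effective* fields: a policy that is set but not effective usually means Group Policy has not refreshed or a local setting was changed afterwards, and ListenerCertThumbprint tells you which certificate the clients must already trust for host authentication to hold.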

Reference to RDP security configuration can be found in:

Citrix XenApp Sessions

Similar to Microsoft remote desktop sessions, Citrix also supports the use of the TLS 1.0 or later protocol to protect access to a Citrix XenApp server through the ICA protocol.

Citrix recommends using the SSL/TLS protocol over the SecureICA protocol, especially when the XenApp server is reachable from outside the LAN.

SSL/TLS is supported through different Citrix components, depending on the deployment requirements and topology:

  • Through SSL gateway

  • Through SSL relay

Citrix also lets you restrict the cipher suites; select a subset of the FIPS approved cipher suites.

Internally, Citrix relies on Microsoft CAPI to implement cryptography. The Citrix products do not provide a specific handling of the FIPS policy flag. It is therefore important that proper conditions of use of the CAPI library are met when Citrix products are used.

Refer to Citrix documentation for further information http://docs.citrix.com/.