Advertised ciphers and cipher suites in FIPS mode

In Federal Information Processing Standard (FIPS) transfer mode, SecureTransport 5.4 advertises the following ciphers, cipher suites, or algorithms in the order given. The remote system must use one of them for the file transfer to succeed.

FIPS-compliant TLS cipher suites

In FIPS mode, SecureTransport supports the following cipher suites for communication over the FTPS, HTTPS, AS2, and PeSIT protocols:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Note: Some of the supported algorithms are considered not secure enough and are listed in the <FILEDRIVEHOME>/jre/lib/security/java.security file. To use any of them, you must manually remove their corresponding entries under jdk.tls.disabledAlgorithms and restart the node.
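
An audit check for the note above, added here as an example and not part of the SecureTransport documentation: it reads jdk.tls.disabledAlgorithms from java.security content and reports which advertised suites the current entries block. The sample file content, the function names, and the matching rule (an entry matches when it equals the suite name or a whole underscore-delimited run of it) are assumptions; the JDK's own matching also resolves aliases and key-size constraints, which this check only returns as not evaluated.

```python
import re

# Constructed java.security fragment (sample input, not from a real node).
SAMPLE_JAVA_SECURITY = """\
# weak algorithms are blocked here
jdk.certpath.disabledAlgorithms=MD2, MD5
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, 3DES_EDE_CBC, \\
    TLS_RSA_WITH_AES_128_CBC_SHA
"""

# Five of the suites this page lists as advertised in FIPS mode.
ADVERTISED = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_256_CBC_SHA",
              "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
              "TLS_RSA_WITH_AES_128_CBC_SHA"]

def read_property(text, key):
    """Return a properties value, joining backslash-continued lines."""
    parts, collecting = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if not collecting:
            name, sep, line = line.partition("=")
            if not sep or name.strip() != key:
                continue  # comment, blank line, or a different property
            collecting = True
        parts.append(line.rstrip("\\").strip())
        if not line.endswith("\\"):
            break
    return " ".join(parts)

def disabled_entries(text):
    """Return (plain names, constrained entries such as 'DH keySize < 1024')."""
    raw = read_property(text, "jdk.tls.disabledAlgorithms")
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    return [e for e in entries if " " not in e], [e for e in entries if " " in e]

def blocked_suites(suites, names):
    """Map each suite to the plain entries that match it."""
    # Assumption: simplified matching, not the JDK's algorithm decomposition.
    hits = {}
    for suite in suites:
        matched = [n for n in names
                   if re.search(r"(?:^|_)" + re.escape(n) + r"(?:_|$)", suite, re.I)]
        if matched:
            hits[suite] = matched
    return hits

if __name__ == "__main__":
    names, not_evaluated = disabled_entries(SAMPLE_JAVA_SECURITY)
    print(blocked_suites(ADVERTISED, names), "not evaluated:", not_evaluated)
```

Run it against the node's own java.security before and after editing the property to confirm that only the intended entries were removed.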

FIPS-compliant ciphers and algorithms for SSH communication

In FIPS mode, SecureTransport supports the following ciphers and algorithms for the SSH daemon and server-initiated transfers:

FIPS-compliant ciphers

  • aes256-cbc
  • aes192-cbc
  • aes128-cbc
  • 3des-cbc
  • aes128-ctr
  • aes192-ctr
  • aes256-ctr

FIPS-compliant key exchange algorithms

  • diffie-hellman-group14-sha1
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group-exchange-sha1

FIPS-compliant MAC algorithms

  • hmac-sha256
  • hmac-sha256@ssh.com
  • hmac-sha512
  • hmac-sha512@ssh.com
  • hmac-sha1
  • hmac-sha1-96
  • hmac-sha2-256
  • hmac-sha2-512

FIPS-compliant public key algorithms

  • ssh-rsa
  • ssh-dss
  • x509v3-sign-rsa
  • x509v3-sign-rsa-sha1

 
