Advertised ciphers and cipher suites

In Federal Information Processing Standard (FIPS) transfer mode, SecureTransport 5.5 advertises the following ciphers, cipher suites, or algorithms in the order given. The remote system must use one of them for the file transfer to succeed.

FIPS-compliant TLS cipher suites

In FIPS mode, SecureTransport supports the following cipher suites for communication over the FTPS, HTTPS, AS2, and PeSIT protocols:

  • TLS_AES_256_GCM_SHA384
  • TLS_AES_128_GCM_SHA256
  • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CCM
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CCM
  • TLS_RSA_WITH_AES_256_GCM_SHA384

Note: Some of the supported algorithms are considered not secure enough and are listed in the <FILEDRIVEHOME>/jre/lib/security/java.security file. If you insist on using any of them, you must manually remove their corresponding entries under jdk.tls.disabledAlgorithms and restart the node.
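
To see which advertised suites a given jdk.tls.disabledAlgorithms value would block before editing the file, the following added example (not part of the product or its documentation) parses the property and matches its plain algorithm names against suite names. The sample file contents are constructed, and the whole-component matching rule is a simplifying assumption about how the JDK applies the property; conditional entries such as key-size limits are skipped.

```python
import re

# Constructed sample in java.security syntax; not the file shipped with the product.
SAMPLE = """\
jdk.certpath.disabledAlgorithms=MD2, MD5
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, 3DES_EDE_CBC, anon, NULL
"""

ADVERTISED = [  # a few of the suites listed on this page
    "TLS_AES_256_GCM_SHA384",
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

def read_property(text, key):
    """Return the value of key, joining backslash-continued lines."""
    value, buf = "", ""
    for line in text.splitlines():
        line = line.strip()
        if not buf and (not line or line[0] in "#!"):
            continue  # blank line or comment
        if line.endswith("\\"):
            buf += line[:-1]  # logical line continues on the next one
            continue
        name, sep, rest = (buf + line).partition("=")
        buf = ""
        if sep and name.strip() == key:
            value = rest.strip()  # the last definition wins
    return value

def disabled_names(value):
    """Keep plain algorithm names; skip conditional entries such as 'DH keySize < 1024'."""
    entries = [e.strip() for e in value.split(",")]
    return [e for e in entries if e and " " not in e]

def blocked_suites(suites, names):
    """Map each suite to the first disabled name that appears as a whole component."""
    hits = {}
    for suite in suites:
        for name in names:
            if re.search(rf"(^|_){re.escape(name)}(_|$)", suite):
                hits[suite] = name
                break
    return hits

if __name__ == "__main__":
    names = disabled_names(read_property(SAMPLE, "jdk.tls.disabledAlgorithms"))
    print(blocked_suites(ADVERTISED, names))
```

To check a real node, pass the text of its java.security file to read_property instead of SAMPLE.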

FIPS-compliant ciphers and algorithms for SSH communication

In FIPS mode, SecureTransport supports the following ciphers and algorithms for the SSH daemon and server-initiated transfers:

FIPS-compliant ciphers

  • aes128-ctr
  • aes192-ctr
  • aes256-ctr
  • aes128-gcm@openssh.com
  • aes256-gcm@openssh.com

FIPS-compliant key exchange algorithms

  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group14-sha256
  • diffie-hellman-group15-sha512
  • diffie-hellman-group16-sha512
  • diffie-hellman-group17-sha512
  • diffie-hellman-group18-sha512
  • rsa2048-sha256
  • ecdh-sha2-nistp384

FIPS-compliant MAC algorithms

  • hmac-sha256
  • hmac-sha256@ssh.com
  • hmac-sha2-256
  • hmac-sha2-256-etm@openssh.com
  • hmac-sha512
  • hmac-sha512@ssh.com
  • hmac-sha2-512
  • hmac-sha2-512-etm@openssh.com

FIPS-compliant public key algorithms

  • ssh-rsa
  • x509v3-rsa2048-sha256
  • rsa-sha2-256
  • rsa-sha2-512
