Processing Standard 140 (FIPS 140) is a U.S. Federal Government standard that
specifies a benchmark for implementing cryptographic software. It provides best
practices for using cryptographic algorithms, managing key elements and data
buffers, and interacting with the operating system. An evaluation process that
is administered by the National Institute of Standards and Technology (NIST)
National Voluntary Laboratory Accreditation Program (NVLAP) allows encryption
product vendors to demonstrate the extent to which they comply with the
standard and, thus, the trustworthiness of their implementation.
For more information
about FIPS 140 and NIST, visit the NIST Web site at
- FIPS 140-1, published in 1994,
established requirements for cryptographic modules to provide four security
levels that allowed cost-effective solutions appropriate for different degrees
of data sensitivity and different application environments.
- FIPS 140-2, which superseded FIPS
140-1 in 2002, incorporated changes in standards and technology since 1994.
- FIPS 140-3, which is still in draft,
adds an additional security level and incorporates new security features that
reflect recent advances in technology.
properly, XenApp 6.5 can use FIPS 140-validated cryptographic modules in a
manner that is compliant with FIPS 140-2.
Market for FIPS
community at large values products that follow the guidelines detailed in FIPS
140 and the use of FIPS 140-validated cryptographic modules.
Some U.S. Government
organizations restrict purchases of products that contain cryptography to those
that use FIPS 140-validated modules.
In the U.K.,
guidance published by the Communications-Electronics Security Group (CESG)
recommends the use of FIPS 140-approved products where the required use for
information is below the RESTRICTED classification, but is still sensitive
(that is, data classified PROTECT).
For a list of
currently validated FIPS 140 modules, see
To implement secure
access to application servers and to meet the FIPS 140 requirements, Citrix
products can use cryptographic modules that are FIPS 140-validated in Windows
implementations of secure TLS or SSL connections. The following XenApp
components can use cryptographic modules that are FIPS 140-validated:
- Citrix Receiver and Citrix online
- Web Interface
- SSL Relay
- Secure Gateway for Windows
- Single Sign-on
- Offline applications (streaming)
- Power and Capacity Management
- Configuration Logging
- ICA File Signing
Where these client
and server components communicate with the TLS or SSL connection enabled, the
cryptographic modules that are used are provided by the Microsoft Windows
operating system. These modules use the Microsoft Cryptography Application
Programming Interface (CryptoAPI) and are FIPS 140-validated.
On both Windows
Vista with Service Pack 1 and Windows Server 2008, you must apply Microsoft
hotfix kb954059 (http://support.microsoft.com/kb/954059) to ensure that
the random number generator used within CryptoAPI and, therefore, the underlying
operating system, is FIPS 140-compliant.
FIPS compliance is
achieved as follows:
- According to the Microsoft
FIPS-compliant systems that use FIPS 140-certified cryptomodules can be
deployed by following a prescribed set of steps. These steps include setting a
particular FIPS local policy flag.
- As noted in the Microsoft
documentation referenced above, not all Microsoft components and products check
the FIPS local policy flag. Refer to the Microsoft documentation for
instructions on how to configure these components and products to behave in a
- Similarly, Citrix components do not
check the FIPS local policy flag. Instead, these components must be configured
to behave in a FIPS-compliant manner. Specifically, Citrix components that use
TLS must be configured to use
- RSA_WITH_3DES_EDE_CBC_SHA [RFC 2246]
- RSA_WITH_AES_128_CBC_SHA [FIPS 197,
- RSA_WITH_AES_256_CBC_SHA [FIPS 197,
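A practical way to verify that a TLS-enabled component (SSL Relay, Secure Gateway, Web Interface) really negotiates one of the three suites above is to connect to it while offering only those suites and inspect what is agreed. The following is an added example, not Citrix or Microsoft code; it assumes Python's ssl module and the OpenSSL names (DES-CBC3-SHA, AES128-SHA, AES256-SHA) that correspond to the RFC names listed in the text.

```python
"""Audit whether a TLS endpoint negotiates one of the cipher suites that the
document requires for FIPS 140-compliant operation (added example)."""
import socket
import ssl

# The three suites named in the text, keyed by RFC/IANA name, with the
# OpenSSL name that Python's ssl module reports for each (assumed mapping).
FIPS_SUITES = {
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
}


def normalize(name: str) -> str:
    """Accept the document's short form (RSA_WITH_...), the RFC form and the
    OpenSSL form; return the RFC form, or the upper-cased input if unknown."""
    n = name.strip().upper()
    if n.startswith("RSA_WITH_"):
        n = "TLS_" + n
    for rfc_name, openssl_name in FIPS_SUITES.items():
        if n == openssl_name.upper():
            return rfc_name
    return n


def is_fips_suite(name: str) -> bool:
    """True only for the three suites the document allows."""
    return normalize(name) in FIPS_SUITES


def audit_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect offering only the three suites over TLS 1.2 or lower and report
    the negotiated suite. A handshake failure means the server accepts none."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # suite audit only; trust is a separate check
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # listed suites predate TLS 1.3
    ctx.set_ciphers(":".join(FIPS_SUITES.values()))
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                suite, version, _bits = tls.cipher()
                return {"ok": is_fips_suite(suite),
                        "suite": normalize(suite), "version": version}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "suite": None, "version": None, "error": str(exc)}


if __name__ == "__main__":
    import sys
    print(audit_endpoint(sys.argv[1] if len(sys.argv) > 1 else "localhost"))
```

Run it against each component's TLS listener; a result with `"ok": False` means either a non-listed suite was negotiated or the server rejected all three, and in both cases the component's cipher configuration needs attention.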
Given the accuracy
of the above statements, and assuming that all these steps are followed, the
resulting XenApp configuration will use FIPS 140 cryptomodules in a