Product Documentation

FIPS 140 and XenApp

Sep 15, 2015

Federal Information Processing Standard 140 (FIPS 140) is a U.S. Federal Government standard that specifies the security requirements a cryptographic module must satisfy. It covers the approved cryptographic algorithms, the management of keys and other sensitive data in memory, and the module's interaction with the operating system. Validation is administered by the National Institute of Standards and Technology (NIST), with testing performed by laboratories accredited under the National Voluntary Laboratory Accreditation Program (NVLAP). A vendor of an encryption product can use this process to demonstrate the extent to which the product's cryptographic module complies with the standard and, thus, the trustworthiness of its implementation.

For more information about FIPS 140 and NIST, visit the NIST Web site at http://csrc.nist.gov/.

FIPS 140 Versions

  • FIPS 140-1, published in 1994, established requirements for cryptographic modules at four security levels, so that a cost-effective solution could be chosen for different degrees of data sensitivity and different application environments.
  • FIPS 140-2, which superseded FIPS 140-1 in 2002, incorporated changes in standards and technology since 1994.
  • FIPS 140-3, which is still in draft, adds an additional security level and incorporates new security features that reflect recent advances in technology.

When configured properly, XenApp 6.5 can use FIPS 140-validated cryptographic modules in a manner that is compliant with FIPS 140-2.

Market for FIPS 140-Validated Modules

The security community at large values products that follow the guidelines detailed in FIPS 140 and the use of FIPS 140-validated cryptographic modules.

Some U.S. Government organizations restrict purchases of products that contain cryptography to those that use FIPS 140-validated modules.

In the U.K., guidance published by the Communications-Electronics Security Group (CESG) recommends the use of FIPS 140-approved products where the required use for information is below the RESTRICTED classification, but is still sensitive (that is, data classified PROTECT).

For a list of currently validated FIPS 140 modules, see http://csrc.nist.gov/.

XenApp and Cryptographic Modules

To secure access to application servers and to meet the FIPS 140 requirements, Citrix products can use the FIPS 140-validated cryptographic modules that Windows provides for TLS and SSL connections. The following XenApp components can use FIPS 140-validated cryptographic modules:
  • XenApp
  • Citrix Receiver and Citrix online plug-in
  • Web Interface
  • SSL Relay
  • Secure Gateway for Windows
  • Single Sign-on
  • Offline applications (streaming)
  • SmartAuditor
  • Power and Capacity Management
  • Configuration Logging
  • ICA File Signing

When TLS or SSL is enabled on connections between these client and server components, the cryptographic modules used are those provided by the Microsoft Windows operating system. These modules are accessed through the Microsoft Cryptography Application Programming Interface (CryptoAPI) and are FIPS 140-validated.

Note: On both Windows Vista with Service Pack 1 and Windows Server 2008, you must apply Microsoft hotfix kb954059 (http://support.microsoft.com/kb/954059) to ensure that the random number generator used within CryptoAPI and, therefore the underlying operating system, is FIPS 140-compliant.

FIPS Compliance

FIPS compliance is achieved as follows:

  • According to the Microsoft documentation (http://technet.microsoft.com/en-us/library/cc750357.aspx), a FIPS-compliant system that uses FIPS 140-validated cryptomodules is deployed by following a prescribed set of steps. These steps include enabling the FIPS local security policy setting (System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing), which is stored as the FIPS local policy flag.
  • As noted in the Microsoft documentation referenced above, not all Microsoft components and products check the FIPS local policy flag. Refer to the Microsoft documentation for instructions on how to configure those components and products to behave in a FIPS-compliant manner.
  • Similarly, Citrix components do not check the FIPS local policy flag; setting the flag alone does not change their behavior. Instead, each Citrix component must be configured to behave in a FIPS-compliant manner. Specifically, Citrix components that use TLS must be configured to use only the Government Ciphersuites:
    • RSA_WITH_3DES_EDE_CBC_SHA [RFC 2246]
    • RSA_WITH_AES_128_CBC_SHA [FIPS 197, RFC 3268]
    • RSA_WITH_AES_256_CBC_SHA [FIPS 197, RFC 3268]

Provided that the Microsoft documentation is accurate and that all of the above steps are followed, the resulting XenApp configuration uses FIPS 140-validated cryptomodules in a FIPS-compliant manner. Note that the Windows FIPS local policy flag and the Citrix ciphersuite configuration are independent: both must be checked, because neither one implies the other.
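The following PowerShell script is an added example, not part of this documentation or of any Citrix or Microsoft tool. It reports the two host-side facts from the steps above: whether the FIPS local policy flag is set, and whether the Schannel cipher suite order configured by policy is restricted to the three Government Ciphersuites. It assumes the standard Windows registry locations for those settings (the FipsAlgorithmPolicy\Enabled value and the SSL Cipher Suite Order policy's Functions value, Windows Vista/Server 2008 and later) and that, when no cipher suite order policy is present, Schannel falls back to its built-in default list. The Schannel names TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA correspond to the three ciphersuites listed above.

```powershell
# Added example (not Citrix or Microsoft code): check the Windows host for the
# FIPS local policy flag and for a Schannel cipher suite order restricted to the
# Government Ciphersuites. Assumes the standard registry locations named below.

# Schannel names of the Government Ciphersuites listed in the documentation.
$GovernmentSuites = @(
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA',   # RSA_WITH_3DES_EDE_CBC_SHA [RFC 2246]
    'TLS_RSA_WITH_AES_128_CBC_SHA',    # RSA_WITH_AES_128_CBC_SHA [FIPS 197, RFC 3268]
    'TLS_RSA_WITH_AES_256_CBC_SHA'     # RSA_WITH_AES_256_CBC_SHA [FIPS 197, RFC 3268]
)

function Get-FipsPolicyFlag {
    # Enabled = 1 here is the "System cryptography: Use FIPS compliant algorithms
    # for encryption, hashing, and signing" local security policy setting.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $item = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.Enabled -eq 1)
}

function Get-SchannelCipherSuiteOrder {
    # The "SSL Cipher Suite Order" group policy stores a comma-separated list in
    # the Functions value. Absent value = no policy; Schannel default order applies.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $item = Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue
    if ($null -eq $item -or [string]::IsNullOrEmpty($item.Functions)) { return @() }
    $suites = @($item.Functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
    return $suites
}

function Test-GovernmentCipherSuiteOrder {
    param([string[]]$Configured)
    # Any configured suite outside the Government set is a finding; Government
    # suites missing from the order are reported so the admin can add them.
    $nonGovernment = @($Configured | Where-Object { $GovernmentSuites -notcontains $_ })
    $missing       = @($GovernmentSuites | Where-Object { $Configured -notcontains $_ })
    New-Object PSObject -Property @{
        PolicyConfigured        = ($Configured.Count -gt 0)
        OnlyGovernmentSuites    = ($Configured.Count -gt 0 -and $nonGovernment.Count -eq 0)
        NonGovernmentSuites     = $nonGovernment
        MissingGovernmentSuites = $missing
    }
}

# Report on this host.
$fipsFlag = Get-FipsPolicyFlag
$order    = @(Get-SchannelCipherSuiteOrder)
$result   = Test-GovernmentCipherSuiteOrder -Configured $order

"FIPS local policy flag set : $fipsFlag"
if (-not $result.PolicyConfigured) {
    "Schannel cipher suite order: not set by policy; the Schannel default list applies (it includes non-Government suites)"
} elseif ($result.OnlyGovernmentSuites) {
    "Schannel cipher suite order: restricted to the Government Ciphersuites"
} else {
    "Schannel cipher suite order: includes non-Government suites: " + ($result.NonGovernmentSuites -join ', ')
}
if ($result.MissingGovernmentSuites.Count -gt 0) {
    "Government suites absent from the configured order: " + ($result.MissingGovernmentSuites -join ', ')
}
```

Run the script in an elevated PowerShell session on each XenApp server, Web Interface server, SSL Relay host and Secure Gateway host. A passing result only covers the Windows side of the steps above: because Citrix components do not read the FIPS local policy flag, each component's own TLS ciphersuite setting must still be reviewed separately, and the script does not check those settings.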