Federal Information Processing Standard 140 (FIPS 140) is a U.S. Federal Government standard that specifies a benchmark for implementing cryptographic software. It provides best practices for using cryptographic algorithms, managing key elements and data buffers, and interacting with the operating system. An evaluation process that is administered by the National Institute of Standards and Technology (NIST) National Voluntary Laboratory Accreditation Program (NVLAP) allows encryption product vendors to demonstrate the extent to which they comply with the standard and, thus, the trustworthiness of their implementation.
FIPS 140-1, published in 1994, established requirements for cryptographic modules to provide four security levels that allowed cost-effective solutions appropriate for different degrees of data sensitivity and different application environments. FIPS 140-2, which superseded FIPS 140-1 in 2002, incorporated changes in standards and technology since 1994. FIPS 140-3, which is still in draft, adds an additional security level and incorporates new security features that reflect recent advances in technology.
Some U.S. Government organizations restrict purchases of products that contain cryptography to those that use FIPS 140-validated modules.
In the U.K., guidance published by the Communications-Electronics Security Group (CESG) recommends the use of FIPS 140-approved products where the required use for information is below the RESTRICTED classification, but is still sensitive (that is, data classified PRIVATE).
The security community at large values products that follow the guidelines detailed in FIPS 140 and the use of FIPS 140-validated cryptographic modules.
To implement secure access to application servers and to meet the FIPS 140 requirements, Citrix products can use cryptographic modules that are FIPS 140 validated in Windows implementations of secure TLS or SSL connections.
Where the client and server components (listed above) communicate with the TLS or SSL connection enabled, the cryptographic modules that are used are provided by the Microsoft Windows operating system. These modules use the Microsoft Cryptography Application Programming Interface (CryptoAPI) and are FIPS 140 validated.
The ciphersuite RSA_WITH_3DES_EDE_CBC_SHA, first defined in Internet RFC 2246 (http://www.ietf.org/rfc/rfc2246.txt), uses RSA key exchange and TripleDES encryption.
This is achieved as follows:
Given the accuracy of the above statements, and assuming that all these steps are followed, the resulting XenApp configuration will use FIPS 140 cryptomodules in a FIPS-compliant manner.
For a list of currently validated FIPS 140 modules, see http://csrc.nist.gov.
For more information about FIPS 140 and NIST, visit the NIST Web site at http://csrc.nist.gov.