P. 1
IBMJCE

IBMJCE

|Views: 139|Likes:
Published by h

More info:

Published by: h on Nov 24, 2011
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

11/03/2015

pdf

text

original

IBM Java JCE FIPS 140-2 Cryptographic Module

Security Policy

IBM JAVA JCE FIPS 140-2 Cryptographic Module Revision: 1.5

July 2005

Status: Final
1.5 Edition (July 2005) This edition applies to the 1.5 Edition of the IBMJCEFIPS – Security Policy and to all subsequent versions until otherwise indicated in new editions. © Copyright International Business Machines Corporation 2005. All rights reserved. This document may be freely reproduced and distributes in its entirety and without modification.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems in the US and other countries

Page © Copyright IBM Corp. 2005

Table of Contents
Introduction........................................................................................................................3 Operation of the Cryptographic Module............................................................................4 Changes from Version 1.1 to 1.2 .......................................................................................5 Cryptographic Module Specification.................................................................................5 Cryptographic Module Interfaces ......................................................................................8 Cryptographic Module Services ........................................................................................9 Self Test .........................................................................................................................9 Data Encryption/Decryption and Hashing (Digest).....................................................10 Key Generation ............................................................................................................11 Key Security ................................................................................................................12 Signature ......................................................................................................................12 Secret Key Factory.......................................................................................................13 KeyFactory...................................................................................................................13 Cryptographic Module Roles...........................................................................................14 Cryptographic Officer role...........................................................................................14 Cryptographic User role...............................................................................................14 Cryptographic Module Key Management .......................................................................14 Key Generation ............................................................................................................15 Key Storage..................................................................................................................15 Key Protection .............................................................................................................15 Key Zeroization ...........................................................................................................15 Cryptographic Module Self-Tests....................................................................................16 User Guidance..................................................................................................................16 Cryptographic Module Operating system environment...................................................18 Framework ...................................................................................................................18 Single user access (operating system requirements)....................................................19 Java object model.........................................................................................................19 Operating system restriction ........................................................................................20 Mitigation of other attacks...............................................................................................20 Appendix A: Function List ..............................................................................................21 Notices .............................................................................................................................38

© Copyright IBM Corp. 2005

Page 2 of 39

Introduction
The IBM® Java® JCE (Java Cryptographic Extension) FIPS 140-2 Cryptographic Module (Version 1.2) for Multi-platforms is a scalable, multi-purpose cryptographic module that supports FIPS approved cryptographic operations via the Java2 Application Programming Interfaces (APIs). The IBM Java JCE FIPS 140-2 Cryptographic Module (hereafter referred to as IBMJCEFIPS) comprises the following Federal Information Processing Standards (FIPS) 140-2 [Level 1] compliant components: • IBMJCEFIPS.jar for Solaris®, Windows®, AIX®, z/OS®, AS/400®, Linux® (Red Hat and SuSE®)

In order to meet the requirements set forth in the FIPS publication 140-2, the encryption algorithms utilized by the IBMJCEFIPS provider are isolated into the IBMJCEFIPS provider cryptographic module (hereafter referred to as cryptographic module), which is accessed by the product code via the Java JCE framework APIs. As the IBMJCEFIPS provider utilizes the cryptographic module in an approved manner, the product complies with the FIPS 140-2 requirements when properly configured. This document focuses on the features and security policy provided by the cryptographic module, and describes how the module is designed to meet FIPS 140-2 compliance.

© Copyright IBM Corp. 2005

Page 3 of 39

The application calling the IBMJCEFIPS provider must understand the roles of the APIs. such as keys or cryptographic contexts. to maintain FIPS 140-2 compliance. Crypto Officer vs. The module must be used in one of the specified environments. The module is available as a software module on multiple platforms. An application must use the IBMJCEFIPS provider to enable the use of appropriate cryptographic functions in a FIPS approved manner. The Cryptographic Module Roles section of this document details the APIs that apply to each role. it validates its own integrity. When the module is initialized. The Cryptographic Module Self-Tests section details the internal tests performed by the module. Information on key protection is outlined in the Cryptographic Module Key Management section. The module can provide for protection of sensitive data. It is the application and application administrator’s responsibility to understand and deploy the proper configuration for compliance. © Copyright IBM Corp. The platforms tested are outlined in the Cryptographic Module Specification section of this document.Operation of the Cryptographic Module The cryptographic module must be utilized in a secure manner. An application utilizes the module through the interfaces specified in the Cryptographic Module Interfaces section of this document. as described herein. The module provides for two operator roles: • • Crypto Officer User There is no maintenance role in this cryptographic module. User. A list of the basic services provided through these interfaces may be found in the Cryptographic Module Services section of this document. and verifies the algorithms are functioning correctly. In order to use the module in FIPS mode the User must ensure that only FIPS Approved cryptographic algorithms are being invoked and/or algorithms are used in an approved manner. 2005 Page 4 of 39 . A complete list of all services and details on their usage can be found in the IBM Java JCE FIPS (IBMJCEFIPS) Cryptographic Module API Javadoc.

The software module is accessible from Java language programs through an application program interface (API). Some of the available API functions are listed below in the Cryptographic Module Services section. The non-approved MD5 algorithm was added for use by applications that want to implement the TLS protocol. The module is validated to the following FIPS 140-2 defined levels: Overall Security Level 1 © Copyright IBM Corp. New Cipher algorithm called RSAforSSL which does RSA blinding to protect RSA private keys. SHA-384 and SHA-512. The RSAforSSL does RSA blinding to help protect RSA private keys. This class creates a TDES cipher object with CBC mode and no padding using the underlying TDES cipher for actual encryption/decryption.2 version of IBMJCEFIPS: • • • The following hash algorithms have been added: SHA-256. Changes from Version 1. 2005 Page 5 of 39 . Both these signature algorithms are non-FIPS Approved.2 The following was added to the 1.1 to 1. The TDCP class was added. Added a SecureRandom alias called FIPSPRNG. DES algorithm was removed from the module considering that NIST would be phasing DES out soon. • • • • Cryptographic Module Specification The cryptographic module is a software module. implemented as a Java archive (JAR).The module’s physical security relies on the physical security of the computer. Steps to deploy and maintain this secure environment are outlined in the User Guidance section of this document. Usage guidelines and details of the full API function set are available in the IBM Java JCE FIPS (IBMJCEFIPS) Cryptographic Module API Javadoc. RSAforSSL can only be used for key wrapping/unwrapping in a FIPS mode. Signature algorithms named DSAforSSL and RSAforSSL that create and verify signatures but require the application to hash the data before it is passed into these algorithms. This is equal to doing RSA\SSL\PKCS1Padding using the RSA cipher algorithm name.

2005 Page 6 of 39 . Services.Cryptographic Module Specification Cryptographic Module Ports and Interfaces Roles. and Authentication Finite State Model Physical Security Operational Environment Cryptographic Key Management EMI/EMC Self-Tests Design Assurance Mitigation of Other Attacks Security Level 1 Security Level 1 Security Level 1 Security Level 1 Security Level 1 Security Level 1 Security Level 1 Security Level 1 Security Level 1 Security Level 1 Security Level 1 © Copyright IBM Corp.

2005 Page 7 of 39 .2.4. as well as. CBC. Since.3.5 of the Implementation Guidance for FIPS 140-2.4. JVMs at the 5.x level and 1. Red Hat Linux. The module supports the following approved algorithms: Type Symmetric Cipher Algorithm AES (ECB. z/OS® and IBM Operating System/400.As outlined in section G. and Microsoft Windows XP® operating systems. provided: • The GPC uses the specified single user operating system/mode specified on the validation certificate.1 FIPS 198a FIPS 186-2 Specification FIPS 197 FIPS 46-3 FIPS 180-2 © Copyright IBM Corp. Microsoft Windows Me®. at FIPS 140-2 Security level 1 the validation is independent of the Operating System. 1. Microsoft Windows 2000®.x level. the module maintains its compliance on other operating systems. Solaris. this validation is also applicable to AIX. • The IBMJCEFIPS provider was tested on a machine running Microsoft Windows XP Professional operating system in single-user mode with JVM 1. SuSE® Linux. or another compatible single user operating system. CBC. The software module maintains compliance when running on the Microsoft Windows 95.1 level on those operating systems. Microsoft Windows NT®. OFB and CFB modes) Message Digest SHA1 SHA-256 SHA-384 SHA-512 HMAC–SHA-1 Random Number Generation FIPS 186-2 Appendix 3. and The source code of the software cryptographic module does not require modification prior to recompilation to allow porting to another compatible single user operating system. HP. OFB and CFB modes) Triple DES (ECB. ® Microsoft Windows 98®.

pat.S. Thus. Patented by IBM.Digital Signature Digital Signature Random Number Generation DSA (512 – 1024) RSA (1024 – 2048) FIPS 186-2 (Appendix 3.1) (SHA-1 based) FIPS 186-2 PKCS#1 v1. No.5 FIPS 186-2 In addition. EP1081591A2. 2005 Page 8 of 39 . the module supports the following non-approved algorithms: Type Random Number Generation Algorithm Universal Software Based Random Number Generator Specification Available upon request from IBM. mouse. RCF 1321 (Allowed for use within the TLS protocol). the module’s physical interfaces consist of those found as part of the computer’s hardware. EC Pat. PKCS #1 with and without blinding (Allowed in the Approved mode for key transport) PKCS #3 (Allowed in Approved mode) Allowed for use within the TLS protocol Allowed for use within the TLS protocol Message Digest Asymmetric Cipher MD5 RSA Key Agreement Digital Signature Digital Signature Diffie-Hellman (256 –1024) DSAforSSL RSAforSSL Cryptographic Module Interfaces The cryptographic physical boundary is defined at the perimeter of the computer system enclosure on which the cryptographic module is to be executed. The RAM and hard disk found on the computer are memory devices that store and execute the cryptographic module and its data. and includes all the hardware components within the enclosure. disk © Copyright IBM Corp. The cryptographic module interfaces with the Central Processing Unit (CPU) of the respective platform. Pend. such as the keyboard. The cryptographic module is classified as a “multi-chip standalone module” for FIPS 140-2 purposes. U.

network adapters. The following is a high level description of the basic capabilities available in the cryptographic module (all services are for the user role unless otherwise noted). The module’s logical interface is provided through the documented API. © Copyright IBM Corp. Each of the FIPS 140-2 defined logical interfaces are implemented as follows: • • • • Data Input Interface – variables passed in with the API function calls Data Output Interface – variables passed back with the API function calls Control Input Interface – the API function calls exported from the module Status Output Interface – return values and error exceptions provided with the API method calls Cryptographic Module Services The module services are accessible from Java language programs through an Application Program Interface (API). The application will be required to call the IBMJCEFIPS provider (as opposed to another JCE provider) through the normal Java 2 mechanisms such as specifically adding the provider name to the getInstance call as part of the instantiation of a cryptographic object or by placing the IBMJCEFIPS provider higher in the provider list and allowing the JVM to select the first provider that has the requested cryptographic capability. This is intended to outline the basic services available in the cryptographic module to allow a determination as to whether these services will adequately address the security needs of an application. monitor. speakers. Usage guidelines and details of the API function are available in the IBM Java JCE FIPS (IBMJCEFIPS) Cryptographic Module API Javadoc. serial and USB ports. 2005 Page 9 of 39 . Usage guidelines and details of all of the API functions are available in the IBM Java JCE FIPS (IBMJCEFIPS) Cryptographic Module API Javadoc.drive. etc. CD drive. Self Test This section describes some of the capabilities that are available as they relate to the self test the cryptographic module performs to validate its own integrity and to verify the algorithms are functionally correct.

Call is based on a SelfTest object returned from the getSelfTest call. Call is based on a SelfTest object returned from the getSelfTest call. Identifies if the cryptographic operation is FIPS 140-2 validated. GetSelfTestFailure RunSelfTest IsFipsRunnable IsFipsCertified GetFipsLevel GetSelfTest IsFipsApproved Data Encryption/Decryption and Hashing (Digest) This section describes some of the capabilities that are available as they relate to encryption/decryption (Cipher) of data and digesting or hashing (MessageDigest) of data. Call is based on a provider object. Performs the known answer self tests. Returns a SelfTest object that can be used to execute any of the SelfTest class methods. Call is based on a SelfTest object returned from the getSelfTest call. Returns the FIPS 140-2 validation level of the cryptographic module.Services IsSelfTestInProgress Description Identifies if a self test is currently in progress. has completed self test with no errors. Services getInstance Description Creates a cryptographic object (Cipher/MessageDigest) for a selected algorithm. Call is based on a provider object. 2005 . Also used to select the Page 10 of 39 © Copyright IBM Corp. This is a Cryptographic Officer role. Call is based on a cryptographic object. call. Call is based on a provider object. Returns the exception associated with the self test failure or null if no failure was encountered. Call is based on a SelfTest object returned from the getSelfTest call. Identifies if the crypto module is runnable. and is in “Ready” state. Identifies if the cryptographic module is FIPS 140-2 validated.

This call is based on a cryptographic object Init Cipher. Description Init GenerateKey Services © Copyright IBM Corp. Also used to select the cryptographic provider to be used by that object. Updates the cryptographic object with data to be encrypted/decrypted. MD5 hashing. This call is based on a cryptographic object. SHA-256. 2005 Page 11 of 39 .getInstance MessageDigest. Services getInstance KeyGenerator. This call is based on a cryptographic object. Cipher allows for 3DES.getInstance Descritption Creates a cryptographic object (KeyGenerator) for a selected algorithm.init MessageDigest. SHA-512. Generates a cryptographic key.update doFinal Cipher. SHA-384. MessageDigest allows for SHA-1.Cipher. This call is based on a cryptographic object.getInstance cryptographic provider to be used by that object. and AES algorithms with various cipher modes and paddings. Intitializes the cryptographic object for use. Intitializes the cryptographic object for use. This call is based on a cryptographic object. Updates the cryptographic object with data to be encrypted/decrypted and returns the data in encrypted or decrypted form (based on the init).doFinal Key Generation This section describes some of the capabilities that are available as they relate to keys.init Update Cipher.update MessageDigest. This includes the mode (encryption or decryption) and the cryptographic key.doFinal MessageDigest.

Also used to select the cryptographic provider KeyPairGenerator. This call is based on a cryptographic object. Generates a cryptographic key pair. Service getInstance Signature. nce getInstance initialize generateKeyPair Intitializes the cryptographic object for use. This call is based on a cryptographic object. Service (crypto key object).Creates a cryptographic object (KeyPairGenerator) for a selected algorithm. zeroize Description Zeros out the key(s) associated with a cryptographic object. Key Security In accordance with the FIPS 140-2 standards this cryptographic module provides the user of keys the ability to zero out the key information via a new API. Signature This section describes some of the capabilities that are available as they relate to signature generation and verification. Update a byte or byte array in the data to be signed or verified. Also used to select the cryptographic provider to be used by that object. This includes the cryptographic private key. This call is based on a cryptographic object. Intitializes the cryptographic object for use. This call is based on a cryptographic object.getInsta to be used by that object.getInstance Description Creates a cryptographic object (Signature) for a selected algorithm. This call is based on a cryptographic object. 2005 Page 12 of 39 . InitSign Update © Copyright IBM Corp.

This call is based on a cryptographic object. InitVerify verify Secret Key Factory This section describes some of the capabilities that are available as they relate to symmetric keys. 2005 . Generates a private key object from the provided key specification (key material). Also used to select the cryptographic provider to be used by that object Generates a public key object from the provided key specification (key material). Returns a specification (key material) of the given key in the requested format. This includes the cryptographic public key. This call is based on a cryptographic object. This call is based on a cryptographic object. Intitializes the cryptographic object for use. GetKeySpec generateSecret KeyFactory This section describes some of the capabilities that are available as they relate to asymmetric keys. Generates a SecretKey object from the provided key specification (key material).Sign Get message digest for all the data thus far updated. Also used to select the cryptographic provider to be used by that object. then sign the message digest. Page 13 of 39 GeneratePublic GeneratePrivate © Copyright IBM Corp. GetInstance Creates a cryptographic object (KeyFactory) for a selected algorithm. Verify the signature (compare the result with the message digest). Service GetInstance Description Creates a cryptographic object (SecretKeyFactory) for a selected algorithm.

getKeySpec Returns a specification (key material) of the given key object in the requested format. DSA public/private keys. Cryptographic Officer role The Crypto Officer role has responsibility for initiating on-demand self test diagnostics. AES. meeting all FIPS 140-2 level 1 requirements for roles and services. Operators of the module have full access to key material.provided key specification (key material). A Maintenance Role is not implemented. Cryptographic Module Key Management The module supports the use of the following cryptographic keys: Diffie-Hellman public/private keys. Only one role is implicitly active in the module at a time. © Copyright IBM Corp. User guidance information is available in the IBMJCEFIPS provider Cryptographic Module API document. Triple DES. These keys are accessed by calling the various cryptographic services specified in the IBMJCEFIPS provider Cryptographic Module API Javadoc. RSA public/private keys. and HMAC-SHA1. There is no maintenance role. Cryptographic User role The User role has the responsibility for operating cryptographic functions on data. Cryptographic Module Roles The cryptographic module implements both a Crypto Officer and a User role. The module does not provide authentication for any role. This is accomplished through the runSelfTest API call described in the IBMJCEFIPS provider Cryptographic Module API document. 2005 Page 14 of 39 .

The patented scheme.Key Generation Symmetric keys are generated using the FIPS Approved FIPS 186-2 (Appendix 3. The Universal Software Based True Random Number Generator is used to create a random seed value that is used in the PRNG algorithm. Only one instance of the module is available in each process space. and will be dependent on the type of system.1 and 3. 2005 Page 15 of 39 . Key Storage We do not support key storage within the IBMJCEFIPS cryptographic module. DSA and RSA key pairs are generated as defined in FIPS 186-2. It is assumed that a unique process space is allocated for each request. Key Zeroization All cryptographic keys and contexts are zeroized when an operator: © Copyright IBM Corp. process scheduling. interrupts. The run time of the algorithm will vary depending of the state of the system at the time of seed generation. and that the operating system and the underlying central processing unit (CPU) hardware control access to that space. if a seed value is not supplied to the PRNG by the user. utilizes random events influenced by concurrent activities in the system (e. called the Universal Software Based True Random Number Generator.g. Each instance of the cryptographic module is self-contained within a process space. along with public and private keys are generated using the random number algorithms as defined in FIPS 186-2. All keys are associated with the User role. etc). Key Protection The management and allocation of memory is the responsibility of the operating system. IBM has invented a scheme to generate randomness on a wide range of computer systems. DSA parameters.3) pseudo random-number generation algorithm.

conditional tests are performed when asymmetric keys are generated and random number generators are invoked. SHA-512. User Guidance Programming practices This section contains guidance for application programmers to avoid practices that could potentially compromise the secure use of this cryptographic module. 2005 Page 16 of 39 . The integrity of the module is verified by performing a HMAC-SHA1 validation of the cryptographic module’s classes contained in the module’s jar file. This initialization route automatically executes the power up tests to ensure correct operation of the cryptographic algorithms. AES. Power-up self-tests include known answer tests for the RSA.• • • Disposes of a key using the zeroize API call for that key object. SHA-256. Triple DES. When Java garbage collection is performed for an object no longer referenced. the module transitions to the Error state. HMAC SHA1 cryptographic algorithms and pseudo random number generation. These tests include a continuous random number generator test and pair-wise consistency tests of the generated DSA and RSA keys. These self tests can also be run on demand by the cryptographic officer via the runSelfTest method. SHA-384. Should any self-test fail. Powers off the module by unloading it from memory Cryptographic Module Self-Tests When an application references the cryptographic module within the JVM in its process space. SHA1. DSA. • Zeroize .the zeroize method should be used when a cryptographic key object is no longer needed to remove the key from memory. as part of the objects finalize method. an initialization routine is called by the JVM before control is handed to the application. The initialization route will only succeed if the HMAC is valid. Diffie-Hellman. Additionally. While normal Java garbage collection will zeroize the key from memory as part of the © Copyright IBM Corp.

One way to help alleviate performance problems is by creating a single source of randomness (IBMSecureRandom or FIPSPRNG) and using that object when ever possible. As the Java architecture creates objects that are unique to the application and this allows for “single” user access to the cryptographic operations and data it is recommended that an application not create static objects. • An application that wishes to use FIPS validated cryptography must use the IBM Secure Random algorithm associated with the IBMJCEFIPS provider for the source of random data needed by algorithms. as all users of the JVM share these objects. • Statics – To ensure that each cryptographic object is unique and accessible only by the individual user it is important not to use static objects.object finalizer method it is a safer coding practice to explicitly call the zeroize method when an application is finished with a key object. RSA Cryptographic Cipher may only be used to Encrypt and Decrypt keys for transport to stay within the boundaries of the Approved Mode of FIPS 140-2 Level 1. Any other use will cause the application to be in non-compliance. Static objects are shared in the Java architecture and the creation of a static object would be counter to the unique object method of controlling access and data. • • • Installation and Security rules for using IBMJCEFIPS This section contains guidance for the installation and use of the FIPS 140-2 level 1 cryptographic module. RSAforSSL and DSAforSSL can only be used if the user is implementing the TLS protocol for Secure Sockets. The application will be required to call the IBMJCEFIPS provider (as opposed to another JCE provider) through the normal Java 2 mechanisms such as specifically adding the provider name to the getInstance call as part of the instantiation of a cryptographic object or by placing the IBMJCEFIPS provider © Copyright IBM Corp. MD5. The IBMJCEFIPS provider jar file must be accessible via the Java CLASSPATH and should be installed in the directory lib/ext as this is a secure location and is also automatically available via the JVM without a CLASSPATH update. 2005 Page 17 of 39 .

2.1"). For more information about this. Cryptographic Module Operating system environment Framework The cryptographic module is dependant on the operating system environment being set up in accordance with FIPS 140-2 specifications.1 and its providers will engage in mutual authentication.2.2.0 or higher already contains the JCE framework). The following is a brief overview of the JCE framework (A more detailed explanation of this framework is available at (http://java.1 or higher JVM that includes the Java Cryptographic Extension framework (Version 1.higher in the provider list (in java. each provider does do self-integrity checking to ensure that the JAR file containing its code has not been tampered with.2. will become usable in the JCE 1. Only providers that have authenticated JCE 1.4. A valid commercial grade installation of a Java SDK 1.2.2.html#MutualAut h) In order to prevent unauthorized providers from plugging into the JCE 1.1. 2005 Page 18 of 39 .com/products/jce/doc/guide/HowToImplAProvider.2. In addition.1.3.sun.2. For this cryptographic provider a valid commercial grade installation of a Java SDK 1.1 services must also be digitally signed. JCE 1.1 environment.2. please see the above web page. and who in turn have been authenticated by JCE 1. In addition to the SDK and the JCE framework the IBMJCEFIPS provider is required.security) and allowing the JVM to select the first provider that has the requested cryptographic capability. (Please note that a JVM at 1.3.1 that they plug into. and to assure authorized providers of the integrity and authenticity of the JCE 1.1 framework (herein referred to as "JCE 1. The JCE 1.1 framework is digitally signed.1 or higher JVM must be available.2. Providers that provide implementations for JCE 1.1) is required. Authentication includes verification of those signatures and ensuring the signatures were generated by trusted entities. © Copyright IBM Corp.

there are two trusted Certification Authorities: Sun Microsystems' JCE Code Signing CA. Both JCE 1. the operating system must be configured to operate securely and to prevent remote login. Java object model The use of Java objects within the cryptographic module. The Windows Operating Systems can be configured in a single user mode by disabling all user accounts except the administrator.1 and provider packages do embed within themselves the bytes for the certificates for the relevant trusted Certificate Authorities. Currently. Thus when an application generates a © Copyright IBM Corp.Certain Certificate Authorities are deemed to be "trusted" and any code signed using a certificate that can be traced up a certificate chain to a certificate for one of the trusted Certificate Authorities are considered trusted. and server) and disallowing multiple operators to log in at once.2. Additionally. The following explains how to configure a Unix system for single user. This can be done through the Computer Management window of the operating system. and IBM JCE Code Signing CA. ssh. the embedded certificates will be used in determining whether or not code is authentic. Single user access (operating system requirements) This cryptographic module adheres to the FIPS 140-2 level 1 requirement that the operating system must be restricted to a single operator mode (concurrent operators are explicitly excluded). The general idea is across all Unix variants: • • • Remove all login accounts except “root” (the superuser). the application is required to call the IBMJCEFIPS provider (as opposed to another JCE provider) through the normal Java 2 mechanisms such as specifically adding the provider name to the getInstance call as part of the instantiation of a cryptographic object or by placing the IBMJCEFIPS provider higher in the provider list and allowing the JVM to select the first provider that has the requested cryptographic capability. This can be done by disabling any service (within the Administrative tools) that provider remote access (e. – ftp. telnet. 2005 Page 19 of 39 . In order to insure that an application is using the FIPS validated cryptographic module. In Java each cryptographic object is unique. At runtime. remote command execution and file transfer daemons. Disable NIS and other name services for users and groups.g. Turn off all remote login.

© Copyright IBM Corp. IBM's tests with popular de-compilers (e.cryptographic object for use that object is unique to that instance of the application. In this regard other processes have no access to that object and can therefore not interrupt or gain access to the information or activities contained within that object. then no cryptographic objects for the IBMJCEFIPS provider in the JVM will be operational as the cryptographic module would be in “Error” state. Mitigation of other attacks The IBMJCEFIPS provider has been obfuscated. The commercial product KlassMaster provides code obfuscation. As the Java architecture creates objects that are unique to the application and this allows for “single” user access to the cryptographic operations and data. Jasmine) has shown that de-compiled IBMJCEFIPS code for Java code cannot be compiled and used without extensive alteration RSA Blinding has been added to the RSA Signing and RSA encryption function to help mitigate timing attacks. Static objects are shared in the Java architecture and the creation of a static object would be counter to the unique object method of controlling access and data.g. 2005 Page 20 of 39 . It is recommended that an application not create static objects. In other words if the Self Test fails. Further as the Self Test class is a Java static object there can be only one instance of that class in the JVM and that instance controls the Self Test activities. Operating system restriction The operation of the cryptographic module is assumed to be in single user mode in that only one user is on the system at any point in time. No other mitigation of other attacks is provided. In this way the cryptographic module protects the single users control of the cryptographic activities and data. This level of optimized code makes it difficult to decompile and reuse the derived source code.

provider. November 2001. AESKeySpec(byte[]. AESKeySpec(byte[]) .ibm.ibm. http://csrc. AESKeyFactory() . AESKeyGenerator .Constructor for class com. 22 April 2002.fips.Constructor for class com.provider.crypto.gov/encryption/kms/key-wrap.fips. AESCipher .ibm.class com.fips.AESKeyGenerator.AESKeySpec Uses the bytes in key as the key material for the AES key.AESKeyFactory.provider.fips. OFB. CFB. Internet.crypto.fips. Federal Information Processing Standards Publication 140-2.provider.provider.crypto.Constructor for class com.class com.nist.Constructor for class com.fips. This class specifies a AES key.fips. This class generates a secret key for use with the AES algorithm. int. A addIdentity(Identity) .provider.ibm. AES Key Wrap Specification.AESKeySpec © Copyright IBM Corp. AESKeySpec . String) . int) .provider.IdentityDatabase Adds an identity to the database. [2] National Institute of Standards and Technology.Method in class com. Security Requirements for Cryptographic Modules.AESKeyFactory Verify the JCE framework in the constructor. PCBC) and padding schemes (PKCS5Padding.provider. 2005 Page 21 of 39 .ibm.crypto.fips.AESCipher Creates an instance of AES cipher with default ECB mode and PKCS5Padding.crypto.Constructor for class com.class com.ibm.provider.ibm.AESCipher Creates an instance of AES cipher with the requested mode and padding.provider.crypto.ibm.crypto.crypto. CBC. This class implements the AES algorithm in its various modes (ECB.References [1] National Institute of Standards and Technology.crypto.class com. AESCipher(String.crypto.pdf Appendix A: Function List The following is a list of the public functions found in this module.AESKeyGenerator Verify the JCE framework in the constructor.Constructor for class com.ibm.fips.AESKeySpec. AESKeyGenerator() .fips.ibm.AESCipher.crypto. This class implements the AES key factory of the IBMJCEFIPS provider. AESCipher() .provider. May 2001. NoPadding). AESKeyFactory . Please refer to the IBM Java JCE FIPS (IBMJCEFIPS) Cryptographic Module API document.ibm.fips.

crypto.fips.crypto. -------------------------------------------------------------------------------C CipherWithWrappingSpi .fips.provider.ibm.crypto.ibm.SHA2 Clones this object.ibm. This class implements the parameter (IV) used with the AES algorithm in feedback-mode.package com.provider.SHA Clones this object.provider. clone().crypto.provider.ibm.SHA3 Clones this object.provider. AESSecretKey . clone().HmacSHA1 Clones this object.ibm.ibm.fips. clone(). com. This class represents an AES key.crypto.ibm.fips.provider.AESParameters.provider.fips.Method in class com.crypto.fips.provider.crypto.Method in class com.ibm. clone() .ibm.ibm.crypto. CipherWithWrappingSpi() . This class can be used to identify if the cryptographic operation (algorithm) is FIPS certified -------------------------------------------------------------------------------B BEGIN_CERT .Uses the bytes in key.ibm.CipherWithWrappingSpi This is the constructor for this class.provider.AESSecretKey.fips. as the key material for the AES key.Method in class com.class com.crypto.AESParameters This is the constructor for this class.CipherSpi class with a concrete implementation of the methods for wrapping and unwrapping keys.Constructor for class com.CipherWithWrappingSpi.ibm.ibm.provider.fips.Static variable in class com.fips.ibm.fips. 2005 Page 22 of 39 .SHA5 Clones this object.AlgorithmStatus.fips.class com.crypto.Constructor for class com.Method in class com. clone() .provider. AESParameters .class com.Method in class com. clone().provider.crypto.interface com. beginning at offset inclusive.fips.crypto. AESParameters() . AlgorithmStatus .ibm.provider .X509Factory String that identifies the beginning of a certificate.fips.crypto.crypto.Method in class com. This class extends the javax.provider.crypto.fips.MD5 Clones this object.crypto.provider The package for this cryptographic module. © Copyright IBM Corp.fips.

fips.fips.ibm.crypto.-------------------------------------------------------------------------------D DatawithDSA . DESedeParameters() .fips.provider.fips.provider.DatawithRSA.Constructor for class com. CFB.provider.crypto.fips.ibm.provider.provider. NoPadding).crypto.class com.ibm.crypto.class com.DESedeCipher Creates an instance of DESede cipher with default ECB mode and PKCS5Padding.DESedeKeyFactory.fips.ibm. This class represents a DES-EDE key.DESedeKeyGenerator Verify the JCE framework in the constructor.ibm.ibm.provider.provider. String) .fips.provider.DESedeParameters This is the constructor for this class.crypto.class com.provider. DESedeCipher() . DESedeKeyFactory() .provider.DatawithDSA. DESedeKeyFactory .crypto. DESedeCipher(String. OFB.ibm.ibm.Constructor for class com. This class generates a Triple DES key. DatawithRSA() .ibm.class com.Constructor for class com.crypto. DESedeParameters . © Copyright IBM Corp. This class implements the triple-DES algorithm (DES-EDE) in its various modes (ECB.ibm.crypto.fips. DESedeKeyGenerator() . DESedeKey .class com. DatawithRSA .DESedeKeyGenerator.fips.crypto.ibm.provider. 2005 Page 23 of 39 .fips. This class implements signature without this algorithm doing the hashing with RSA.fips. CBC.fips. This class implements the DES-EDE key factory of the IBMJCEFIPS provider.DESedeKey.crypto.ibm.ibm. This class implements the parameter (IV) used with the Triple DES algorithm in feedback-mode.DatawithDSA Constructs a new instance of this class.crypto.DESedeParameters.class com.Constructor for class com.crypto.fips. DHKeyAgreement .provider.DESedeCipher Creates an instance of DESede cipher with the requested mode and padding. DESedeKeyGenerator .fips.class com.ibm. PCBC) and padding schemes (PKCS5Padding.crypto.Constructor for class com.fips.provider.provider.Constructor for class com.class com. DESedeCipher .DHKeyAgreement.provider. DatawithDSA() .DESedeKeyFactory Verify the JCE framework in the constructor.crypto.DESedeCipher.crypto.ibm.DatawithRSA Construct a blank RSA object.Constructor for class com.

DHKeyFactory Verify the JCE framework in the constructor.ibm.ibm. DHKeyFactory . DHParameterGenerator() .provider.crypto.provider.crypto. DHKeyAgreement() .crypto.fips. DHParameters() .fips.class com.fips.DHKeyFactory.crypto.crypto.DHPublicKey.crypto.fips.ibm.class com.DHParameters This is the constructor for this class. This class is a concrete implementaion of key factory for DSA.fips.DHParameterGenerator. 2005 Page 24 of 39 .fips.crypto. DHKeyFactory() . DSAParameterGenerator .DHKeyPairGenerator This is the constructor for this class. A private key in PKCS#8 format for the Diffie-Hellman key agreement algorithm.provider.crypto.Constructor for class com.DSAKeyFactory.ibm.provider.Constructor for class com.ibm.ibm.provider.fips.Constructor for class com.class com.fips.crypto.fips.DHParameterGenerator This is the constructor for this class.provider.provider.DHKeyAgreement Verify the JCE framework in the constructor.ibm.crypto.class com.fips.DSAKeyPairGenerator This is the constructor for this class.DHParameters. This class is a concrete implementation for the generation of a pair of DSA keys DSAKeyPairGenerator() .provider.crypto.DSAKeyFactory Constructs a new instance of this class.DHKeyPairGenerator.509 format for the Diffie-Hellman key agreement algorithm. DHKeyPairGenerator() .ibm.class com.ibm.class com.DSAParameterGenerator. © Copyright IBM Corp. DHKeyPairGenerator . DHParameterGenerator .ibm.DHPrivateKey. DHPrivateKey .crypto.class com.crypto.ibm. This class represents the key pair generator for Diffie-Hellman key pairs.crypto. DHPublicKey . DSAKeyFactory() .fips.provider.Constructor for class com.ibm.DSAKeyPairGenerator.provider.provider.fips.provider.This class implements the Diffie-Hellman key agreement protocol between any number of parties.provider.class com.provider.provider.crypto.ibm.fips.crypto. This class is used to generate DH parameters. This class implements the Diffie-Hellman key factory of the IBMJCEFIPS provider.class com.provider.Constructor for class com. A public key in X.Constructor for class com.ibm. DSAKeyPairGenerator .Constructor for class com.ibm. DHParameters .fips. DSAKeyFactory .fips.fips. This class implements the parameter set used by the Diffie-Hellman key agreement as defined in the PKCS #3 standard.ibm.

class com.provider.ibm.509 private key for the DSA Algorithm.crypto.crypto.crypto.509 public key for the DSA Algorithm.ibm.Static variable in class com. 2005 Page 25 of 39 . DSAParameters .fips.ibm.Constructor for class com.fips.Method in class com.provider. engineGenerateCertificates(InputStream) .crypto. This class implements Digital Signature Algorithm paremters specified by com.fips.Method in class com.509 certificate object and initializes it with the data read from the input stream is.ibm.fips. engineGenerateCertPath(InputStream.ibm.This class generates parameters for the DSA signature.fips.provider.DSAParameterGenerator Constructs a new instance of this class. DSAPublicKey .X509Factory Generates a CertPath object and initializes it with the data read from the input stream inStream.ibm.fips.fips.crypto.Method in class com.ibm. This class represents an X.Method in class com.ibm.Method in class com.provider.ibm.fips.provider.X509Factory Generates a CertPath object and initializes it with the list of certificates supplied.X509Factory © Copyright IBM Corp. DSAParameterGenerator() .fips.provider 186 standard.Method in class com.class com.X509Factory Generates a CertPath object and initializes it with the data read from the input stream inStream.DSAPublicKey.crypto.provider. engineGenerateCRL(InputStream) .fips.fips.X509Factory Generates an X.Constructor for class com.provider. -------------------------------------------------------------------------------E END_CERT .crypto.crypto.fips.provider.provider.X509Factory Generates an X.provider.crypto.Method in class com. String) .ibm.X509Factory Returns a (possibly empty) collection view of X.ibm.provider.crypto.class com.X509Factory engineGenerateCertificate(InputStream) .509 certificates read from the given input stream is.fips.crypto.fips.crypto.provider. This class represents an X.509 certificate revocation list (CRL) object and initializes it with the data read from the given input stream is.ibm. engineGenerateCertPath(List) . DSAParameters() .ibm.crypto.DSAPrivateKey. DSAPrivateKey .crypto.provider.DSAParameters.DSAParameters This is the constructor for this class. engineGenerateCRLs(InputStream) . engineGenerateCertPath(InputStream) .ibm.

crypto. Run time exception class.ibm.provider.FIPSRuntimeException Constructs a FIPSRuntimeException with no detail message.Constructor for class com.SecureRandom Generates random data of the length of the array passed in.crypto. equals(Object) .ibm. such as CBC or CFB.fips.Method in class com.fips.crypto.fips.Method in class com.X509Factory Returns the encodings supported by this certification path factory.FIPSRuntimeException Constructs a FIPSRuntimeException with the specified detail message.fips.interface com.Returns a (possibly empty) collection view of X.DESedeKey Determines if the passed in object is equal to this object.Method in class com.ibm. engineGenerateSeed(int) .fips.FIPSRuntimeException.provider.IdentityDatabase Initialize an identity database from a stream.DHPrivateKey Determines if the passed in object is equal to this object. FIPSRuntimeException .IdentityDatabase Initialize an IdentityDatabase from file.Static method in class com.provider.provider.fips.Method in class com.SecureRandom Generates a seed of the length passed in. fromFile(File) .fips.Static method in class com.provider.Method in class com.crypto. equals(Object) .SecureRandom Sets the set based on the byte array passed in.crypto.ibm.crypto. engineNextBytes(byte[]) .crypto.crypto.exception com. -------------------------------------------------------------------------------- © Copyright IBM Corp.fips.provider.ibm.ibm.ibm.Method in class com.crypto. -------------------------------------------------------------------------------F FeedbackCipher . engineGetCertPathEncodings() . 2005 Page 26 of 39 .fips.ibm.ibm.crypto.FeedbackCipher.DHPublicKey Determines if the passed in object is equal to this object.fips. FIPSRuntimeException(String) .provider. This interface represents the type of cipher that has a feedback mechanism built into it.ibm.fips. fromStream(InputStream) .ibm.fips.provider.Method in class com.provider. equals(Object) .ibm.provider.provider.crypto.509 CRLs read from the given input stream is. with the default encoding first.fips.Constructor for class com.provider.provider. FIPSRuntimeException() .ibm. engineSetSeed(byte[]) .crypto.crypto.

provider.DESedeKey Get the encoding of the key.509" © Copyright IBM Corp.provider. generateKeyPair() .Method in class com.fips.fips.ibm.Method in class com.fips.ibm.fips.Method in class com.ibm.Method in class com.Method in interface com.fips.Method in class com. getAlgorithm() .crypto.crypto.fips.ibm.ibm. getEncoded() .provider.crypto.Method in class com.ModuleStatus Method returns the cryptographic modules FIPS 140-2 certification level getFormat() .crypto.crypto.DHKeyPairGenerator Generates a key pair.ibm. getAlgorithm() . getEncoded() .fips.provider. 2005 Page 27 of 39 .DESedeKey Returns the algorithm of this key.AESSecretKey Get the encoding of the key.DHPrivateKey Returns the encoding format of this key: "PKCS#8" getFormat() .fips.crypto.RSAKeyPairGenerator Generates a key pair.Method in class com.provider.fips.Method in class com.ibm.crypto.fips. getFeedback() .fips.DHPrivateKey Get the encoding of the key. getEncoded() .fips.crypto.provider.ibm.DHPublicKey Get the encoding of the key.fips.crypto.G generateKeyPair() .DESedeKey Returns the encoding format of this key getFormat() .crypto.fips.AESSecretKey Returns the algorithm of this key.crypto.fips.Method in interface com.Method in class com.ibm.Method in class com.crypto.ibm.fips. generateKeyPair() .crypto.ibm.provider.provider.DHPublicKey Returns the encoding format of this key: "X.IBMJCEFIPS Method returns the cryptographic modules FIPS 140-2 certification level getFipsLevel() .ibm.crypto.DHPrivateKey Returns the name of the algorithm associated with this key: "DH" getAlgorithm() .Method in class com.Method in class com.ibm.provider.provider.provider.provider.ibm.fips.Method in class com.FeedbackCipher Gets the name of the feedback mechanism getFipsLevel() .provider.provider.fips.ibm.DSAKeyPairGenerator Generates a key pair.crypto.provider.provider.ibm.provider.crypto.RSAPrivateCrtKey Returns the crtCoefficient.DHPublicKey Returns the name of the algorithm associated with this key: "DH" getCrtCoefficient() .fips. getAlgorithm() .provider.Method in class com.provider.ibm.crypto.Method in class com.crypto.Method in class com.AESSecretKey Returns the encoding format of this key getFormat() . getEncoded() .Method in class com.crypto.ibm.ibm.

Method in class com.fips.ibm.fips.ibm.crypto.RSAPrivateCrtKey Returns the primeP.RSAPrivateCrtKey Returns the primeExponentP. 2005 Page 28 of 39 .crypto.fips.provider.RSAPrivateCrtKey Return the modulus.Method in interface com.RSAPrivateCrtKey Returns the public exponent.ibm.ibm. getKey() .crypto.fips.Method in class com.provider.fips.fips. getModulus() .provider. getParams() . getModulus() .provider.provider.Method in class com. getParams() .Method in class com. getPublicExponent() .provider.crypto.ibm. getPrimeExponentQ() . getIdentity(String) . getPrimeQ() .fips.Method in class com.Method in class com. getParams() .IdentityDatabase Get an identity by key.RSAPublicKey © Copyright IBM Corp.RSAPrivateCrtKey Returns the primeQ.crypto. or null if the parameters could not be parsed.crypto.fips.DHPrivateKey Returns the key parameters.ibm.Method in class com.ibm.Method in class com.RSAPublicKey Return the modulus.crypto.Method in class com.Method in class com.fips.crypto.crypto.provider.provider.provider.provider.crypto.crypto.provider. getParams() .crypto.ibm.Method in class com.fips.fips.ibm.crypto.fips. getIV() .ibm.provider.provider.Method in class com.fips.Method in class com.Method in class com.provider.fips.fips. getModulus() .ibm. getPrimeP() .getIdentity(PublicKey) .crypto.ibm.DSAPublicKey Return the DSA parameters for the receiver.ibm.fips.DSAPrivateKey Returns the DSA parameters associated with this key.RSAPrivateKey Return the modulus.RSAPrivateCrtKey Returns the primeExponentQ.Method in class com.crypto.RSAPrivateCrtKey Return the private exponent.AESKeySpec Returns the AES key material.provider.provider. getPrimeExponentP() .RSAPrivateKey Return the private exponent.Method in class com.fips.crypto.IdentityDatabase Get an identity named by the passed in string.provider.Method in class com.crypto.fips. getPublicExponent() .FeedbackCipher Gets the initialization vector.Method in class com.crypto.ibm.ibm.crypto.ibm.ibm.provider. getPrivateExponent() .ibm.DHPublicKey Returns the key parameters.provider. getPrivateExponent() .ibm.fips.

provider.provider.fips.provider. hashCode() .Return the public exponent. This class generates a secret key for use with the HMAC-SHA1 algorithm.ibm.HmacSHA1KeyGenerator Verify the JCE framework in the constructor. -------------------------------------------------------------------------------H hashCode() .Method in class com.ibm.ibm.provider. getSelfTest() .fips.Method in class com.DHPrivateKey Calculates a hash code value for the object.ibm.provider.crypto.crypto.HmacSHA1 Standard constructor.fips.provider.fips.fips. 2005 Page 29 of 39 . getY() . getY() . Defines the "IBMJCEFIPS" provider.ibm.provider. HmacSHA1KeyGenerator .fips.crypto.provider.Method in class com.provider.crypto.crypto.ibm.HmacSHA1.Method in class com. HmacSHA1KeyGenerator() . HmacSHA1() .crypto.Method in class com.provider.fips.class com.SelfTest Method identifies any failures associated with the last self test getX() .ibm.ibm.Constructor for class com.Constructor for class com. y.crypto.Method in class com.fips.DHPublicKey Calculates a hash code value for the object.crypto.DSAPublicKey Return the value of the public key.crypto.fips.crypto.provider.provider. x.provider.provider. getX() .fips.ibm.crypto.fips.class com.fips.Method in class com.ibm. hashCode() .DESedeKey Calculates a hash code value for the object.Method in class com.ibm.crypto.ibm.IBMJCEFIPS The constructor for this class. HmacSHA1 .DHPublicKey Returns the public value.crypto. IBMJCEFIPS() .provider.Method in interface com.fips.Method in class com.crypto. This is an implementation of the HMAC-SHA1 algorithm.crypto.crypto.fips.provider.HmacSHA1KeyGenerator.Constructor for class com.fips.IdentityDatabase Enumerates all the identities in the database © Copyright IBM Corp.ibm.IBMJCEFIPS.provider.DSAPrivateKey Return the value of the private key.Method in class com.DHPrivateKey Returns the private value.ibm.ibm.ibm.class com.fips. identities() . creates a new HmacSHA1 instance.ModuleStatus Method returns a SelfTest object that can be used to getSelfTestFailure() .crypto.ibm. -------------------------------------------------------------------------------I IBMJCEFIPS .fips.IBMJCEFIPS Method returns a SelfTest object that can be used to getSelfTest() .

provider.ibm.IdentityDatabase . IdentityDatabase(File) .ibm.Constructor for class com.Method in class com.crypto.Method in class com.Method in class com.crypto.fips.Method in class com. empty database.crypto.fips.DHKeyPairGenerator Initializes this key pair generator for a certain keysize and source of randomness.SHA5 Initialize the SHA3 information initialize(AlgorithmParameterSpec.Constructor for class com. initialize(int) .ibm.fips.crypto.Method in class com. SecureRandom) .ibm.Method in class com.provider.Method in class com. © Copyright IBM Corp. empty database with a specified source file.crypto.crypto.ibm. SecureRandom) .SHA3 Initialize the SHA2 information init() .ibm. initialize(AlgorithmParameterSpec. init() .ibm.ibm.Method in class com. 2005 Page 30 of 39 . isFipsApproved() .provider. SecureRandom) .provider.fips.crypto.provider.ibm.ibm.RSAKeyPairGenerator Initializes this KeyPairGenerator for given modulus and random source initialize(int.crypto.provider.RSAKeyPairGenerator Initializes this key pair generator for a certain keysize.ibm.fips.Method in class com.provider.provider. An implementation of IdentityScope as a persistent identity database.crypto. and generate keys from the provided set of parameters.IdentityDatabase Construct a new.ibm.provider.class com.fips. SecureRandom) .IdentityDatabase Construct a new.ibm.ibm.MD5 Initialize the MD5 information init() .crypto.DSAKeyPairGenerator Initialize the receiver to use a given secure random generator.fips.SHA2 Initialize the SHA5 information init() .fips.provider.fips.fips. SecureRandom) .Method in class com.RSAKeyPairGenerator Initializes this key pair generator for the specified parameter set and source of randomness.DSAKeyPairGenerator Initialize the receiver to use a given secure random generator.crypto.crypto.Method in class com.DHKeyPairGenerator Initializes this key pair generator for the specified parameter set and source of randomness.fips.ibm.fips.fips.Method in class com.X509Factory This function allows an application to verify the algorithm is FIPS approved.crypto.Method in class com.fips. initialize(int. IdentityDatabase(String) . initialize(int.IdentityDatabase.SHA Initialize the SHA information init() .provider.provider.ibm.fips.crypto.fips. and generate keys of a certain size.provider.crypto.provider.provider. initialize(AlgorithmParameterSpec.provider.crypto. SecureRandom) .

fips.SHA This function allows an application to verify the algorithm is FIPS approved.crypto. isFipsApproved() . © Copyright IBM Corp.CipherWithWrappingSpi This function allows an application to verify the algorithm is FIPS approved.fips.fips.SHA1withDSA This function allows an application to verify the algorithm is FIPS approved.DHParameters This function allows an application to verify the algorithm is FIPS approved.ibm.ibm.ibm.provider.RSAKeyPairGenerator This function allows an application to verify the algorithm is FIPS approved. isFipsApproved() . isFipsApproved() .MD5 This function allows an application to verify the algorithm is FIPS approved.crypto. isFipsApproved() . isFipsApproved() .provider.AESParameters This function allows an application to verify the algorithm is FIPS approved.ibm.fips.crypto.crypto.provider.Method in class com.provider.fips.provider.fips.crypto. isFipsApproved() .provider.fips.crypto.Method in class com.provider.provider.provider.HmacSHA1KeyGenerator This function allows an application to verify the algorithm is FIPS approved. isFipsApproved() .SHA3 This function allows an application to verify the algorithm is FIPS approved.ibm.Method in class com.Method in class com.ibm.Method in class com.ibm.isFipsApproved() .ibm.DHKeyPairGenerator This function allows an application to verify the the algorithm is FIPS approved. isFipsApproved() .Method in class com.fips.provider. isFipsApproved() . isFipsApproved() . isFipsApproved() .crypto.ibm. isFipsApproved() .SHA2 This function allows an application to verify the algorithm is FIPS approved.Method in interface com.Method in class com.fips.fips.Method in class com.provider.fips.fips.Method in class com.Method in class com.crypto.ibm.Method in class com.Method in class com.ibm.fips.Method in class com.provider.DHKeyFactory This function allows an application to verify the the algorithm is FIPS approved.crypto.ibm.fips.provider.crypto. isFipsApproved() .ibm.provider.ibm.provider.ibm.provider.crypto.crypto.Method in class com.crypto. isFipsApproved() .crypto.DSAParameters This function allows an application to verify the algorithm is FIPS approved.ibm.fips.Method in class com. 2005 Page 31 of 39 .crypto. isFipsApproved() .ibm.crypto. isFipsApproved() .ibm.provider.AESKeySpec This function allows an application to verify the algorithm is FIPS approved.Method in class com.Method in class com.fips.fips.SHA5 This function allows an application to verify the algorithm is FIPS approved.crypto.crypto.AESKeyFactory This function allows an application to verify the algorithm is FIPS approved.fips.provider.AlgorithmStatus Module identifies if the cryptographic operation (algorithm) is FIPS certified isFipsApproved() .DHParameterGenerator This function allows an application to verify the algorithm is FIPS approved.

crypto. isFipsApproved() .Method in class com.ibm.fips.SHA1withRSA This function allows an application to verify the algorithm is FIPS approved.Method in class com.DESedeCipher This function allows an application to verify the algorithm is FIPS approved.fips. isFipsApproved() .SystemSigner This function allows an application to verify the algorithm is FIPS approved.fips. isFipsApproved() .fips.Method in class com.ibm.Method in class com.fips.provider.ibm.provider.fips.Method in class com.crypto. isFipsApproved() .provider.Method in class com.DSAKeyPairGenerator This function allows an application to verify the algorithm is FIPS approved.IdentityDatabase This function allows an application to verify the algorithm is FIPS approved.crypto.Method in class com.DESedeParameters This function allows an application to verify the algorithm is FIPS approved.Method in class com.crypto.crypto.fips. isFipsApproved() .ibm.Method in class com.DatawithDSA This function allows an application to verify the algorithm is FIPS approved. isFipsApproved() . 2005 Page 32 of 39 .provider.Method in class com.fips.provider.Method in class com.ibm.Method in class com. isFipsApproved() .ibm.provider. isFipsApproved() .ibm.fips.Method in class com. isFipsApproved() .crypto.crypto.crypto. isFipsApproved() .ibm.Method in class com. isFipsApproved() .crypto. isFipsApproved() .provider.provider.ibm.RSASSL This function allows an application to verify the algorithm is FIPS approved.SystemIdentity This function allows an application to verify the algorithm is FIPS approved.crypto.isFipsApproved() .ibm.ibm.RSAKeyFactory This function allows an application to verify the algorithm is FIPS approved.provider.crypto.ibm.crypto.crypto.provider. isFipsApproved() .Method in class com.provider. isFipsApproved() .DESedeKeyFactory This function allows an application to verify the algorithm is FIPS approved.DHKeyAgreement © Copyright IBM Corp.provider.SecureRandom This function allows an application to verify the algorithm is FIPS approved.provider.DESedeKeyGenerator This function allows an application to verify the algorithm is FIPS approved.crypto.Method in class com.fips.fips.Method in class com.Method in class com.provider.fips.ibm.provider.ibm.crypto.provider. isFipsApproved() .fips.provider.fips.AESCipher This function allows an application to verify the algorithm is FIPS approved.ibm.DSAKeyFactory This function allows an application to verify the algorithm is FIPS approved.ibm.fips.fips. isFipsApproved() .fips.fips.RSA This function allows an application to verify the algorithm is FIPS approved.crypto.crypto.provider. isFipsApproved() .crypto.DatawithRSA This function allows an application to verify the algorithm is FIPS approved.ibm.ibm.

crypto.provider.provider.ibm.This function allows an application to verify the algorithm is FIPS approved.provider.SelfTest Method identifies if the cryptographic module is FIPS 140-2 runable.AESKeyGenerator This function allows an application to verify the algorithm is FIPS approved.provider. allocates its buffers from the heap. 2005 Page 33 of 39 .Method in class com.ibm.Method in interface com.ModuleStatus Method identifies if the cryptographic module is FIPS 140-2 certified isFipsRunnable() .fips.provider.class com.provider.fips.Method in class com.ibm.crypto.HmacSHA1 This function allows an application to verify the algorithm is FIPS approved.crypto.crypto.interface com.ibm.IBMJCEFIPS Method identifies if the cryptographic module is FIPS 140-2 certified isFipsCertified() .ibm.crypto.Method in class com.provider.Method in class com.SelfTest Method identifies if a self test is currently in progress isTrusted() .crypto.provider.* facilities? isTrusted() . -------------------------------------------------------------------------------M MD5 .Method in class com.crypto. -------------------------------------------------------------------------------P pad(byte[].fips. Padding . in that the self test has completed with no failures.fips.fips.ibm.ibm.fips. isFipsApproved() .fips.Method in class com.interface com.ibm.fips.provider.Method in interface com.fips.ibm.provider. isSelfTestInProgress() .SystemIdentity Is this identity trusted by sun.fips. © Copyright IBM Corp.fips.fips.Padding Performs padding for the given data input.provider. isFipsApproved() . MD5() .MD5 Standard constructor. int) .crypto.Padding.crypto. creates a new MD5 instance.provider. padLength(int) .ibm.provider.MD5.crypto.crypto.ibm.ibm.fips.ModuleStatus.provider.fips. ModuleStatus . Padding interface. isFipsApproved() .Method in class com.Padding Determines how long the padding will be for a given input length.crypto.fips. int.DSAParameterGenerator This function allows an application to verify the algorithm is FIPS approved.crypto.Static method in class com.crypto.provider. The MD5 class is used to compute an MD5 message digest over a given buffer of bytes.ibm.ibm.Constructor for class com.SystemSigner Returns true if this signer is trusted.ibm. This class is for determining the FIPS certification of the cryptographic module. isFipsCertified() .crypto.Method in interface com.

class com.ibm.fips.class com.IdentityDatabase Removes an identity to the database.crypto.ibm.ibm.Padding Adds the given number of padding bytes to the data input. RSASSL() .ibm.RSAPrivateCrtKey. -------------------------------------------------------------------------------R removeIdentity(Identity) .ibm. reset() .provider. 2005 Page 34 of 39 .crypto.crypto.provider.crypto. RSA() . An X.ibm. RSAPrivateKey .Constructor for class com. This class implements the RSA algorithm.provider.ibm.fips.padWithLen(byte[]. RSAKeyFactory() .RSAKeyPairGenerator The constructor for this class. An X. This class implements the RSA key factory of the IBMJCE/IBMJCA provider.provider.fips.RSASSL.ibm.fips.crypto. This class uses the RSA class with blinding turned on.crypto.Method in class com.fips.class com.provider.class com. RSAPublicKey . int.RSAPublicKey.crypto. RSAKeyPairGenerator() . RSASSL .IBMJCEFIPS Returns an enumeration of the properties.fips.RSAKeyFactory.fips. propertyNames() .fips.provider.Constructor for class com.fips.crypto.RSAKeyPairGenerator.provider.fips. runSelfTest() . RSAKeyPairGenerator .509 private key for the RSA Algorithm. An X.crypto.Constructor for class com.provider.ibm.crypto.509 public key for the RSA Algorithm.crypto.509 private crt key for the RSA Algorithm.fips.provider.fips.provider.Constructor for class com.Method in class com.crypto.RSAKeyFactory The constructor for this class.Method in class com.ibm.provider.Method in interface com.crypto. This class generates RSA public/private key pairs.ibm.fips.ibm.class com.provider.provider.ibm.provider.ibm.ibm. RSA .SelfTest Method initiates a new self test -------------------------------------------------------------------------------S © Copyright IBM Corp.FeedbackCipher Resets the iv to its original value.class com.class com.Method in interface com.RSAPrivateKey.fips.RSA Creates an instance of RSA RSAKeyFactory .crypto.RSASSL Creates an instance of RSASSL.provider.crypto.crypto.fips.ibm. RSAPrivateCrtKey .fips.RSA. int) .provider.

fips.ibm.provider.SHA1withRSA Construct a blank RSA object.Method in class com.provider.class com.crypto. SHA1withDSA() .crypto. save(OutputStream) .fips.Constructor for class com.provider.fips.class com.class com.ibm.provider.SelfTest.SelfTest Constructs a new instance of this class.crypto.fips.provider.provider.SecureRandom Constructs a new instance of this class with a seed SelfTest .crypto.provider.crypto.ibm.SHA2 Standard constructor.fips.fips.ibm.fips.ibm.provider. SHA() .ibm.ibm.SHA2.crypto.Constructor for class com.crypto. © Copyright IBM Corp.fips.Method in class com.save() . SHA1withRSA .fips. This class tests the function of this cryptographic module. SecureRandom() .SHA3.crypto.crypto. SecureRandom .SHA.ibm.provider.class com.fips.crypto.provider.Constructor for class com.ibm.SHA1withDSA Constructs a new instance of this class.crypto. creates a new SHA instance.Constructor for class com.fips. SecureRandom(byte[]) . SHA1withDSA . 2005 Page 35 of 39 .provider.fips. This class implements signature using SHA1 with RSA SHA1withRSA() . allocates its buffers from the heap. SHA3 .provider.provider.fips.SHA Standard constructor.ibm.SHA1withRSA. SelfTest() .class com. This class implements the Secure Hash Algorithm 2 (SHA-256) developed by the National Institute of Standards and Technology along with the National Security Agency.Constructor for class com.Constructor for class com.ibm.ibm.ibm.SHA1withDSA.provider.provider.provider.crypto.crypto.crypto. SHA2() . This class implements the Secure Hash Algorithm (SHA) developed by the National Institute of Standards and Technology along with the National Security Agency. allocates its buffers from the heap. setTrusted(boolean) .SystemIdentity Set the trust status of this identity SHA .IdentityDatabase Saves the database to the default source file. SHA2 .class com.provider. This class provides a cryptographically strong pseudo-random number generator based on the SHA1 message digest algorithm.class com.SecureRandom Constructs a new instance of this class.fips.crypto.fips.Constructor for class com.fips.crypto.ibm.IdentityDatabase Save the database in its current state to an output stream.crypto.SecureRandom.ibm.fips. creates a new SHA2 instance.ibm.Method in class com.ibm. This class implements signature using SHA1 with DSA.

IdentityDatabase Returns the number of identities in the database SystemIdentity .class com.crypto. SystemSigner(String. human-readable description of the receiver. creates a new SHA3 instance.ibm.Constructor for class com.ibm.Method in class com. creates a new SHA5 instance.provider.crypto.fips.provider. This class creates a DESede cipher with default mode CBC with no Padding. SunSecurity signer. toString() .SHA1withDSA Answers a string containing a concise.fips.SystemIdentity.Method in class com.provider.Constructor for class com.crypto.SystemIdentity Constructor for this class. SystemSigner .fips.Constructor for class com. SystemSigner(String) . allocates its buffers from the heap.fips. SystemIdentity(String.class com.crypto.Method in class com. -------------------------------------------------------------------------------T TDCNP .crypto. toString() . human-readable description of the receiver.SHA5 Standard constructor.ibm.provider.TDCNP Creates an instance of DESede cipher with CBC mode and no Padding.ibm. SHA5() .class com.crypto.provider. An identity with a very simple trust mechanism.RSAPrivateCrtKey © Copyright IBM Corp. SHA5 . TDCNP() . IdentityScope) .provider.ibm.fips.crypto.provider.fips.ibm.provider.SystemSigner.Constructor for class com. size() .provider.fips. toString() .crypto.ibm.SHA5.Method in class com.crypto. human-readable description of the receiver. IdentityScope) .DatawithDSA Answers a string containing a concise. toString() .fips.crypto.This class implements the Secure Hash Algorithm 3 (SHA-384) developed by the National Institute of Standards and Technology along with the National Security Agency.ibm.ibm.crypto.fips.fips.ibm.ibm.class com.TDCNP.provider.SystemSigner Construct a signer with a name and a scope.RSAPrivateKey Answers a string containing a concise.crypto.fips.ibm. SHA3() .fips.fips.Method in class com.Constructor for class com. allocates its buffers from the heap.crypto.fips. This class implements the Secure Hash Algorithm 5 (SHA-512) developed by the National Institute of Standards and Technology along with the National Security Agency.fips. 2005 Page 36 of 39 .SHA3 Standard constructor.Constructor for class com.crypto.ibm.provider.provider.ibm.SystemSigner Construct a signer with a given name.crypto.provider.provider.provider.ibm.

fips.crypto. X509Factory() .Method in class com.ibm.ibm.fips.crypto. human-readable description of the receiver. int. human-readable description of the receiver.fips.ibm. -------------------------------------------------------------------------------- © Copyright IBM Corp. toString() .DSAPublicKey Answers a string containing a concise. toString() .provider.ibm. human-readable description of the receiver.crypto.provider.509 v2 certificate revocation lists (CRLs).ibm. toString() .ibm.DHPublicKey Answers a string containing a concise. toString() .provider.ibm.fips.IdentityDatabase Answers a string containing a concise.class com. toString() . -------------------------------------------------------------------------------X X509Factory .crypto. toString() .crypto.crypto.SystemIdentity Answers a string containing a concise.provider. -------------------------------------------------------------------------------U unpad(byte[]. int) . human-readable description of the receiver.crypto.provider.Padding Returns the index where padding starts.fips. human-readable description of the receiver. human-readable description of the receiver.Method in class com.ibm.Method in class com. 2005 Page 37 of 39 .X509Factory The constructor for this class.fips.crypto.crypto. human-readable description of the receiver.provider.crypto.Method in interface com. toString() .Method in class com.fips.ibm.fips.fips.Method in class com.DSAPrivateKey Returns a string containing a concise. human-readable description of the receiver.RSAPublicKey Answers a string containing a concise. This class defines a certificate factory for X.509 v3 certificates and X.provider.fips.Constructor for class com.X509Factory. human-readable description of the receiver.provider.ibm.fips.provider.Method in class com. toString() .provider.crypto.Method in class com.ibm.Answers a string containing a concise.Method in class com.provider.DHPrivateKey Answers a string containing a concise.SystemSigner Answers a string containing a concise.

crypto.provider.Method in class com.ibm.ibm.fips.provider.Method in class com.Method in class com.provider.fips. other countries.ibm.ibm.fips. z/OS.fips.provider.crypto.crypto. Inc.provider.crypto. AS/400 and IBM are trademarks or registered trademarks of IBM Corporation in the United States.Method in class com. other countries.ibm.Method in class com.fips.crypto.DSAPrivateKey This function zeroizes the key so that it isn't in memory Notices Java is a registered trademark of SUN. Linux is a registered trademark of Linus Torvalds.DHPrivateKey This function zeroizes the key so that it isn't in memory zeroize() .fips.crypto.RSAPrivateCrtKey This function zeroizes the key so that it isn't in memory zeroize() .Method in class com. Red Hat is a trademark of Red Hat.DHPublicKey This function zeroizes the key so that it isn't in memory zeroize() . Inc. or both.DESedeKey This function zeroizes the key so that it isn't in memory zeroize() .AESSecretKey This function zeroizes the key so that it isn't in memory zeroize() .fips. and the Windows logo are trademarks or registered trademarks of Microsoft Corporation in the United States.provider.provider.crypto.Method in class com. or both. Inc Microsoft.fips.crypto. 2005 Page 38 of 39 .ibm.Method in class com. AIX. UNIX is a registered trademark of The Open Group in the United States and other countries.ibm.crypto.provider.Method in class com.RSAPrivateKey This function zeroizes the key so that it isn't in memory zeroize() . Windows.provider. SuSE is a registered trademark of SuSE AG © Copyright IBM Corp.ibm.Z zeroize() .fips.RSAPublicKey This function zeroizes the key so that it isn't in memory.ibm.DSAPublicKey This function zeroizes the key so that it isn't in memory zeroize() . Windows NT. zeroize() . HP-UX is a registered trademark Hewlet Packard.

© 2004 International Business Machines Corporation. product. All rights reserved.Other company. © Copyright IBM Corp. 2005 Page 39 of 39 . This document may be freely reproduced and distributed in its entirety and without modification. and service names may be trademarks or service marks of others.

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->