Reference Guide
24 Secure Operation of Crypto-C ME
RSA BSAFE Crypto-C Micro Edition 4.1 Security Policy
Level 1
3.3 Modes of Operation
The following table lists and describes the available mode filters, which determine
the mode Crypto-C ME operates in and the algorithms allowed.
In each mode of operation, the complete set of services listed in this Security
Policy is available to both the Crypto Officer and Crypto User roles (with the
exception of R_FIPS140_self_test_full(), which is always reserved for the
Crypto Officer).
Note: Cryptographic keys must not be shared between modes. For example, a
key generated in FIPS 140-2 mode must not be shared with an application
running in a non-FIPS 140-2 mode.
Table 6 Crypto-C ME Mode Filters

Mode: R_MODE_FILTER_FIPS140
Description: FIPS 140-2-approved.
    Implements FIPS 140-2 mode and provides the cryptographic algorithms
    listed in Table 4 on page 18. The default pseudo-random number
    generator (PRNG) is CTR DRBG.

Mode: R_MODE_FILTER_FIPS140_SSL
Description: FIPS 140-2-approved if used with TLS protocol implementations.
    Implements FIPS 140-2 SSL mode and provides the same algorithms as
    R_LIB_CTX_MODE_FIPS140, plus the MD5 message digest algorithm.
    This mode can be used in the context of the key establishment phase in
    the TLS 1.0 and TLS 1.1 protocols. For more information, see Section D.2,
    “Acceptable Key Establishment Protocols,” in Implementation Guidance
    for FIPS PUB 140-2 and the Cryptographic Module Validation Program.
    The implementation guidance disallows the use of the SSLv2 and SSLv3
    versions. Cipher suites including non-FIPS 140-2-approved algorithms
    are unavailable.
    This mode allows implementations of the TLS protocol to operate
    Crypto-C ME in a FIPS 140-2-compliant manner with CTR DRBG as the
    default PRNG.

Mode: R_MODE_FILTER_JCMVP
Description: Not FIPS 140-2-approved.
    Implements Japan Cryptographic Module Validation Program (JCMVP)
    mode and provides the cryptographic algorithms approved by the
    JCMVP.

Mode: R_MODE_FILTER_JCMVP_SSL
Description: Not FIPS 140-2-approved.
    Implements JCMVP SSL mode and provides the cryptographic
    algorithms approved by the JCMVP, plus the MD5 message digest
    algorithm.










