Skip to Content

FIPS 140-2 security certification for SAP NetWeaver’s new crypto lib

When in 2011 SAP acquired the secure login library from Secude AG it satisfied the requirement of many customers for secure communications without the need for third-party offerings. The software was integrated into the SAP standard with the first shipment being available mid of the same year. The next natural step is to go for another important customer request: the FIPS 140-2 certification of the now SAP owned crypto lib. The certification process has been started and SAP plans to receive the certificate by the end of this year.


Why FIPS 140-2?


When in the United States or Canada a government department wants to use crypto software in their computer systems this software needs to be tested and validated against the FIPS security standard. This standard contains security requirements regarding the design and implementation of cryptographic modules. Cryptographic modules are used to protect sensitive or valuable information and communication that is stored or processed in computer systems. Their goal is to keep the data confidential, ensure its integrity, and avoid unauthorized access. Needless to say that if the crypto software is poorly designed, or implemented, or if the used algorithms are weak the data may as well remain completely unprotected. In this case a hacker would easily be able to eavesdrop or tamper with the data to be protected.  

SAP is well aware of the advantages and the enhanced security provided by a FIPS certificate. Not only will the crypto software be thoroughly tested and evaluated by an indipendent third-party. Also a big market requirement coming from regulated industries and governmental agencies will be satisfied. These are the reasons why SAP has decided to have its crypto module which is part of the SAP NetWeaver Single Sign-On solution certified. The evaluation is planned to be finished by the end of this year.          

This certification project attests SAP’s commitment to adhere to internationally recognized security standards and complements the already received Common Criteria security certificates for SAP NetWeaver Java and ABAP.  

You can find more information about FIPS at the pages from the American National Institute of Standards and Technology (NIST):

Edit: The evaluation is planned to be finished in 2013.

You must be Logged on to comment or reply to a post.