Update on SAP’s FIPS 140-2 certification for SAP’s crypto kernel
All tests passed. SAP has cleared the first hurdle on its way to receiving the FIPS 140-2 certificate for the crypto kernel of the Secure Login Library of SAP SSO 2.0. The test results and reports are now being reviewed by the Cryptographic Module Validation Program (CMVP) at the American National Institute of Standards and Technology (NIST) under submission ID TID-09-0008-3076. You can follow the progress of the review at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf.
Related articles and blogs:
SAP Insider article “Is Your Data Properly Protected?”
Blog FIPS 140-2 certification for SAP’s crypto kernel
SAP received FIPS 140-2 certificate for the crypto kernel of the SAP SSO 2.0 secure login library!
Thanks for the update; it would be great to have FIPS 140-2 compliance by this year. However, will this FIPS 140-2 compliant SAP crypto library be available on the AS Java as well as the AS ABAP stack?
It depends on your scenario. Whenever you use the Secure Login Library you can use the FIPS compliant lib. In case you have a pure Java environment you will most likely use the IAIK tool, which is a third-party product. I have no information on whether the IAIK tool is, or is planned to become, FIPS compliant.
Thank you for the immediate response and precise explanation. The scenario we are currently working on is to send payments from SAP to a Bank system which requires FIPS 140-2 compliance.
We were considering using 3rd party FIPS products with SAP PI, but after seeing your blog we thought we could use the new SAP crypto library.
One last query though. Can I install this crypto library on the ABAP stack of SAP PI? If yes, can we then use ABAP mapping to sign payloads using SSF, thus achieving the FIPS 140-2 compliance standard out of the box on PI?
You can use the crypto lib on any ABAP stack. Your scenario looks valid to me.
Thank you for confirming and replying.
We will use the SAP crypto library but will go live only when FIPS 140-2 compliance is achieved.
I hope we will get it by this year end.
There are four security levels in FIPS 140-2; could you please clarify which security level the SAP crypto library has reached?
We opted for security level 1, which covers basic security requirements. Levels 2 to 4 include physical security requirements like pick-resistant locks, circuit protection, environmental threats, etc. Our crypto kernel is a pure software product. We do not have any influence on the physical environment at the customer's site. Therefore, it does not make sense for us to strive for a higher level.