Skip to Content
Author's profile photo Annette Fuchs

Update on SAP’s FIPS 140-2 certification for SAP’s crypto kernel

All tests passed. SAP has taken the first hurdle on her way to receiving the FIPS 140-2 certificate for the crypto kernel of the secure login library of SAP SSO 2.0. The test results and reports are now being reviewed by the Crypto Module Validation Program (CMVP) at the American National Institute of Standards and
Technology (NIST) under submission ID TID-09-0008-3076. You may follow up on the progress of the reviewing process at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf

Related articles and blogs:

SAP Insider article “Is Your Data Properly Protected?” 

Blog FIPS 140-2 certification for SAP’s crypto kernel


SAP received FIPS 140-2 certificate for the crypto kernel of the SAP SS0 2.0 secure login library!

Assigned Tags

      7 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo SUMESH KUNNATHUPARAMBIL
      SUMESH KUNNATHUPARAMBIL

      Hi Annette,

      Thanks for the update and would be great to have FIPS 140-2 compliance by this year. However, will this FIPS 140-2 compliance SAP cryptolibrary be available on AS JAVA as well as AS ABAP stack.

      Thanks,

      Sumesh K.

      Author's profile photo Annette Fuchs
      Annette Fuchs
      Blog Post Author

      Hi Sumesh,

      It depends on your scenario. Whenever you use the Secure Login Library you can use the FIPS compliant lib. In case you have a pure Java environment you most likely will use the IAIK tool which is a third party product. I have no information whether the IAIK tool is or is planed to become FIPS compliant.

      Regards,

      Annette

      Author's profile photo SUMESH KUNNATHUPARAMBIL
      SUMESH KUNNATHUPARAMBIL

      Hi Annette,

      Thank you for the immediate response and precise explanation. The scenario we are currently working on is to send payments from SAP to a Bank system which requires FIPS 140-2 compliance.

      We were considering to use 3rd party FIPS products with SAP PI but seeing your blog we thought we could use the new SAP Cryptolibrary.

      One last query though. Can I install this Cryptolibrary on ABAP stack of SAP PI. If yes, then we can use ABAP mapping to sign payloads using SSF? Thus achieving FIPS 140-2 compliance standard out of the box on PI?

      Kind Regards,

      Sumesh K.

      Author's profile photo Annette Fuchs
      Annette Fuchs
      Blog Post Author

      Hi Sumesh,

      You can use the crypto lib on any ABAP stack. Your scenario looks valid to me.

      Best regards,

      Annette

      Author's profile photo SUMESH KUNNATHUPARAMBIL
      SUMESH KUNNATHUPARAMBIL

      Hi Annette,

      Thank you for confirming and replying.

      We will use the SAP crypto library but will Go Live only when FIPS 140-2 compliance is achieved.

      I hope we will get it by this year end.

      Kind Regards,

      Sumesh K.

      Author's profile photo Former Member
      Former Member

      Hi Annette:

      There are 4 security level in FIPS 140-2, would you please clarify which security level that SAP crypto library has reached?

      Thanks,

      Hailin

      Author's profile photo Annette Fuchs
      Annette Fuchs
      Blog Post Author

      Hi Hailin:

      We opted for security level 1 which covers basic security requirements. Levels 2 to 4 include physical security requirements like pick-resistant locks, cirquit protection, environmental threats, etc. Our crypto kernel is a pure software product. We do not have any influence on the physical environment at the customer's site. Therefore, it does not make sense for us to strive for a higher level.

      Regards,

      Annette