Helpful Information about FIPS 140-2 Validation and Ipswitch’s FIPS-Validated Solutions

What is FIPS 140-2 Validation?

FIPS 140-2 is a standard first published in 2001 by the U.S. National Institute of Standards and Technology (NIST), a non-regulatory agency of the U.S. Department of Commerce. NIST works to establish various standards that the U.S. military and various government agencies must abide by. Vendors, contractors, and any organization working with government or military must comply with FIPS as well.

Why is FIPS Validation Important?

Many solutions claim to be “FIPS compliant.” This phrase is simply a claim that the solution aligns with FIPS requirements. However, to truly comply with FIPS, a solution needs to be FIPS validated. FIPS validation involves submitting detailed documentation and source code to NIST’s testing laboratories – a process that takes six to nine months on average. Consequently, creating FIPS-validated solutions involves not only using approved algorithms, but also providing software that is well documented, well engineered, and easily testable.

What Types of Organizations Require FIPS?

Federal and state government agencies that deal with citizens’ private information are frequently required to abide by FIPS. The military and its vendors must also comply to protect sensitive national-security information. Other examples typically include organizations that require high levels of privacy, including financial institutions, information-processing vendors, healthcare-related vendors, educational institutions, and utilities.

However, the FIPS standard is still relevant to companies that may not be required to comply with government encryption regulations. The FIPS standard is appropriate for just about any organization that wishes to transfer files securely, safeguard business data, and protect its most critical information.

FIPS-Certified Protocols and Ciphers

As part of its FIPS solution, Ipswitch’s WS_FTP FIPS Mode supports Triple DES, 256-bit AES, SHA 1, SHA 256, and SHA 512 for encryption, and HMAC SHA 1 for message authentication.

Ipswitch’s MOVEit FIPS Mode supports 256-bit AES and SHA 1 for encryption, and HMAC SHA 1 for message authentication.

The following explains our FIPS solutions’ algorithms, FIPS certificates, and transport details.

Algorithms and Certificates

MOVEit DMZ and MOVEit Central are certified by FIPS 140-2 under certificate 310. WS_FTP Server is certified by FIPS 140-2, certificate 918 (under OpenSSL).

The certificates for specific algorithms are as follows:

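| Algorithm Name | Standard | Ipswitch Application | NIST Certificate |
|---|---|---|---|
| Triple DES | SP800-67 | WS_FTP Server | 613 |
| 256-bit AES | FIPS 197 | WS_FTP Server | 668 |
| 256-bit AES | FIPS 197 | MOVEit | 30 |
| SHA 1 | FIPS 186-2 | WS_FTP Server | 352 |
| SHA 1 | FIPS 186-2 | MOVEit | 124 |
| SHA 256, SHA 512 | FIPS 186-2 | WS_FTP Server | 352 |
| HMAC SHA 1 | FIPS 198 | WS_FTP Server | 352 |
| HMAC SHA 1 | FIPS 198 | MOVEit | 124 |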

Transport and Other Details

Ipswitch File Transfer’s Solutions

WS_FTP Server family

Using OpenSSL FIPS (an open source project sponsored by Hewlett Packard, the DoD Military Health System, and the Open-Source Software Institute), WS_FTP Server’s FIPS module supports AES (up to 256-bit), Triple DES, and HMAC SHA-1 encrypted transfer.

WS_FTP Server’s encryption transfer, integrity checking (FTP, HTTP, and HTTPS), HTTPS transport, FTP commands, and data-stream encryption are all validated under the FIPS-validated module. These all use AES encryption for transaction privacy and HMAC SHA 1 for data-integrity checking. WS_FTP’s solution is validated by FIPS certificate 918, with specific protocols validated by 613, 668, 701, and 352 (under the OSSI’s OpenSSL).

MOVEit product family

The MOVEit DMZ and MOVEit Central applications both use FIPS-validated AES and SHA-1 for encryption. MOVEit’s validation falls under 140-2 certificate 310, with specific protocols validated by certificates 30 and 124. (Incidentally, all certificates mentioned here are recognized both in the US and Canada.)

MOVEit DMZ

MOVEit DMZ uses FIPS-validated modules for file encryption, HTTP and HTTPS, FTP integrity checking, and encryption of sensitive database fields. Together with a FIPS-validated Windows operating system, MOVEit DMZ also uses FIPS-validated encryption for HTTPS transport, FTP commands, and data-stream encryption.

MOVEit Central

MOVEit Central also uses FIPS-validated encryption for configuration files, and for HTTP, HTTPS, and FTP integrity checking (which uses both a MOVEit proprietary integrity check and a standard XSHA1). With a FIPS-validated Windows operating system, MOVEit Central is also FIPS-validated for HTTPS transport encryption, FTP command encryption, and data-stream encryption.
