SFTP FIPS

  • Before upgrading, export and convert your SFTP keys. The new version creates RSA keys only, and saves them only in the OpenSSH new format. (It can no longer generate DSS keys or save keys in SSH.com format.)

  • After upgrading, older ciphers and MACs will be removed automatically, without requiring any manual reconfiguration.

  • Private keys from previous versions:

    • Non-FIPS mode

      • Private keys generated by previous versions load without changes in non-FIPS mode. RSA and DSA keys, and the SSH.com file format, are all supported.

    • FIPS mode

      • FIPS mode does not permit MD5, on which the older private-key file formats depend, so only keys stored in the OpenSSH new format load. The key material itself is fine; it is the file format that is not supported. As a workaround, use a third-party tool such as PuTTYgen to convert your keys to the OpenSSH new format. If you later decide to go back to the older SFTP FIPS library, the converted keys will not work there, and you will either have to use the previous key files or convert the new keys back to the old format.

  • After you enable or disable FIPS mode, you must restart the EFT server service.
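The key inventory the steps above ask for, as an added example written for this page (it is not Globalscape code and not part of EFT): it classifies each private-key file by its armor header into OpenSSH new format, legacy RSA/DSA PEM, or SSH.com format, flags the files FIPS mode will refuse to load, and names the conversion for each. The header strings are the standard ones for those formats; the `ssh-keygen -p -o` command mentioned in the actions is an assumed alternative to PuTTYgen, which the page names, and the sample key files are constructed stubs with real headers and placeholder bodies, not real keys.

```python
import re

# Classification labels used by this example (not EFT terminology).
OPENSSH_NEW = "openssh-new"   # "-----BEGIN OPENSSH PRIVATE KEY-----": loads in FIPS mode
LEGACY_PEM = "legacy-pem"     # "-----BEGIN RSA|DSA PRIVATE KEY-----": older PEM format
SSHCOM = "ssh.com"            # "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----": SSH.com format
UNKNOWN = "unknown"

_PEM_LEGACY = re.compile(r"^-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----$")


def classify_private_key(text):
    """Describe the on-disk format of one private-key file.

    Only the armor header and, for legacy PEM, the Proc-Type/DEK-Info lines are
    read; the key body is never parsed, so this is safe to run over real keys.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    header = lines[0] if lines else ""
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        return {"format": OPENSSH_NEW, "algorithm": None, "encrypted": None,
                "fips_ok": True, "action": "none"}
    m = _PEM_LEGACY.match(header)
    if m:
        # A passphrase-protected legacy PEM file carries these two headers. The
        # passphrase-to-key derivation behind them is MD5-based, which is why
        # such files cannot be loaded once FIPS mode is on.
        encrypted = (any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)
                     and any(ln.startswith("DEK-Info:") for ln in lines))
        return {"format": LEGACY_PEM, "algorithm": m.group(1), "encrypted": encrypted,
                "fips_ok": False,
                "action": "convert to OpenSSH new format (PuTTYgen, or ssh-keygen -p -o -f <file>)"}
    if header == "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----":
        # SSH.com files always carry this header, encrypted or not; the cipher
        # name lives inside the binary body, so encryption is not decided here.
        return {"format": SSHCOM, "algorithm": None, "encrypted": None,
                "fips_ok": False,
                "action": "import in PuTTYgen and export as OpenSSH new format"}
    return {"format": UNKNOWN, "algorithm": None, "encrypted": None,
            "fips_ok": False, "action": "inspect manually (not a recognised private-key file)"}


def rejected_in_fips_mode(files):
    """files: {name: contents}. Sorted names of files FIPS mode would not load."""
    return sorted(name for name, text in files.items()
                  if not classify_private_key(text)["fips_ok"])


# Constructed sample inputs: the headers are real, the bodies are placeholders.
SAMPLE_KEYS = {
    "new_rsa.key": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAAPLACEHOLDER\n"
        "-----END OPENSSH PRIVATE KEY-----\n"),
    "old_rsa_encrypted.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "Proc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
        "\n"
        "MIIEpQIBAAKCAQEAPLACEHOLDER\n"
        "-----END RSA PRIVATE KEY-----\n"),
    "old_dsa_plain.pem": (
        "-----BEGIN DSA PRIVATE KEY-----\n"
        "MIIBuwIBAAKBgQPLACEHOLDER\n"
        "-----END DSA PRIVATE KEY-----\n"),
    "sshcom.key": (
        "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----\n"
        "Comment: \"1024-bit dsa\"\n"
        "P2/56wAAAPLACEHOLDER\n"
        "---- END SSH2 ENCRYPTED PRIVATE KEY ----\n"),
    "authorized.pub": "ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER user@host\n",
}

if __name__ == "__main__":
    for name, text in SAMPLE_KEYS.items():
        info = classify_private_key(text)
        print(f"{name:24} {info['format']:12} fips_ok={str(info['fips_ok']):5} {info['action']}")
    print("must be converted before enabling FIPS mode:", rejected_in_fips_mode(SAMPLE_KEYS))
```

Run it against a copy of the key directory before the upgrade, convert everything it lists, and keep the original files if there is any chance of reverting to the older SFTP FIPS library, since the converted keys will not load there.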

EFT SFTP FIPS Mode

When placed in FIPS mode, all cryptographic functions required by the SFTP transport protocol are handled by the OpenSSL cryptographic library, which is FIPS certified and therefore meets the requirements of organizations that require all cryptographic functions to be FIPS certified. Many vendors claim "compliance," but that is not the same as "certified," which means the module itself has undergone third-party laboratory testing. At a functional level, SFTP transport in EFT is based on a Windows port of a modified version of OpenSSH. Modifications were necessary because OpenSSH is not a library but a product, and many of its functions, such as command-line parsing and X11 forwarding, are not relevant to SFTP. Finally, OpenSSH itself does not support FIPS mode, so it had to be modified following the principles of the Fedora FIPS patch, which lets OpenSSH on Fedora Linux use OpenSSL in FIPS mode. When OpenSSH releases new versions, any beneficial changes (performance, security, etc.) can be merged into the SSH implementation in EFT.

Within the OpenSSH code there are no cryptographic functions at all; all cryptography is delegated to OpenSSL. In this implementation, OpenSSL consists of several libraries: SslEay.dll, which handles the SSL network protocols, key pair loading and unloading, and so on; LibEay.dll, which performs all cryptography and is the FIPS-certified component; and SSLFIPS.dll, which acts as a layer between EFT and OpenSSL and also does some key and network management, without any cryptography of its own. OpenSSL is thus used both by SFTP and by the SSL/TLS-based protocols (e.g. HTTPS, FTPS) in EFT. A further benefit of this new module is that the FIPS-certified cryptographic module is not tied to any particular OpenSSL version, which lets Globalscape keep current with OpenSSL releases while retaining the FIPS-certified cryptographic functions, so long as the NIST certification remains current and valid.

SFTP Logging

For Successful Connections:

For Failed Connections:

For Insecure Connections:

For Weak Connections:

Ciphers and Algorithms

COM

Legacy BitVise implementation

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\GlobalSCAPE Inc.\EFT Server 7.4