Algorithms, cipher suites, and protocols for securing the appliance

NOTE:

FIPS 140-2 and CNSA applies only to a VM appliance managing non-c7000 hardware.

HPE OneView offers options to configure management appliances to be compliant with the Federal Information Processing Standard FIPS-140-2 (FIPS 140-2) and Commercial National Security Algorithm (CNSA) standards or to continue using the legacy cryptography mode. In the FIPS 140-2 and CNSA modes, the appliance restricts protocol versions, cipher suites, and digital certificate strength to FIPS 140-2 and CNSA-compliant ones, respectively.

About cryptography mode settings provides details.

NOTE:

Turning on FIPS may disable old APIs that are incompatible with the heightened security mode.

The CNSA-compliant cipher suites are a subset of the FIPS-compliant cipher suites that meet the more stringent security requirements of the CNSA specifications.

HPE OneView uses the following FIPS 140-2-validated modules for cryptographic operations:
  • Hewlett Packard Enterprise SSL Cryptographic Module (Certificate number 3018)

  • Hewlett Packard Enterprise NSS Cryptographic Module (Certificate number 2908)

  • Hewlett Packard Enterprise Libgcrypt Cryptographic Module (Certificate number 2915)

  • Hewlett Packard Enterprise Java Cryptographic Module (Certificate number 3138)

HPE OneView uses the following communication protocols and services that rely on the FIPS-validated cryptographic modules:
  • Transport Layer Security (TLS) communication
    • OpenSSL, Apache, and Curl: Uses underlying FIPS 140-2-validated OpenSSL Cryptographic Module

    • Java: Uses underlying FIPS 140-2-validated Java Cryptographic Module

    • RabbitMQ: Uses underlying FIPS 140-2-validated OpenSSL Cryptographic Module

    • Firefox: Uses underlying FIPS 140-2-validated NSS Cryptographic Module

    • Digital signature algorithms: Uses underlying FIPS 140-2-validated OpenSSL and Java Cryptographic Modules

    • Public key algorithms: Uses underlying FIPS 140-2-validated OpenSSL and Java Cryptographic Modules

  • SNMP communication:
    • Server management: Uses SNMP4J libraries for SNMP communications. SNMP4J uses standard JCE hashing and encryption algorithms provided by the FIPS 140-2-validated Java Cryptography Extension (JCE).

    • Interconnect management: Uses underlying FIPS-140-2-validated OpenSSL Cryptographic Module

  • SSH communication
    • OpenSSH: Uses underlying FIPS 140-2 validated OpenSSL Cryptographic Module

  • RPM signature validation: Uses underlying FIPS 140-2-validated Libgcrypt Cryptographic Module

A cipher suite is a set of algorithms that help secure a network connection that uses TLS for communication. The set of algorithms that cipher suites usually contain include: a key exchange algorithm, a bulk encryption algorithm, and a Message Authentication Code (MAC) algorithm.

This unit covers the following:

NOTE:

The cipher suites used in the FIPS 140-2 mode are a subset of the cipher suites used in the legacy mode that comply with the security strength requirements of the FIPS 140-2 mode. And, the cipher suites used in the CNSA mode are a subset of the FIPS 140-2 mode cipher suites that comply with the more stringent security requirements of the CNSA mode. HPE OneView gives preference to stronger protocols and cipher suites even in the legacy mode. However, depending on the protocol and cipher suite supported by the device, server or browser, the appliance allows communication with a lower strength protocol or cipher suite in the legacy mode.

Listed here are some of the common cryptographic algorithms and the functions they perform:
Algorithm Function
Advanced Encryption Standard (AES) Symmetric block cipher to protect information
Elliptic Curve Diffie Hellman (ECDH) Key Exchange Asymmetric algorithm to establish keys
Elliptic Curve Digital Signature Algorithm (ECDSA) Asymmetric algorithm to verify digital signatures
Diffie-Hellman (DH) Key Exchange Asymmetric algorithm to establish keys
RSA Asymmetric algorithm to establish keys and digital signatures
Secure Hash Algorithm (SHA) Algorithm to compute a condensed representation of information