Java, Semeru Runtimes and Runtimes for Business

Author: @Reshma Joseph

Co-authored by: @Pasam Soujanya

When developing applications that handle sensitive data, ensuring robust security is crucial. Cryptographic algorithms play a key role in protecting data and securing communications. As a developer, understanding cryptographic standards helps you build secure applications that comply with regulations and withstand cyber threats.

One such standard is FIPS 140-3 (Federal Information Processing Standard 140-3). It ensures cryptographic operations like encryption, decryption, and digital signatures are performed securely.  

In this blog, we’ll break down FIPS 140-3 in a way that is easy for beginners to grasp. We will cover what FIPS is and why it matters; the common cryptographic operations used in FIPS; along with a guide on how to integrate FIPS in a Java application. 

What is FIPS 140-3? 
FIPS 140-3 is a security standard for cryptographic modules, published by the National Institute of Standards and Technology (NIST). It ensures that cryptographic operations — such as encryption, decryption, and digital signatures — are executed securely. 

Why is FIPS 140-3 important?
Here’s why developers should care about FIPS compliance: 
1. Govt compliance: If your software is used by the U.S. government or public sector, FIPS certification may be legally required. 
2. Data protection: FIPS modules undergo rigorous security testing to defend against various cyber threats. 
3. Trust and assurance: FIPS 140-3 certification is widely recognized and trusted within the cybersecurity industry, which can enhance the credibility of your product. 

Common Cryptographic Operations in FIPS 140-3 : 
Before integrating FIPS into your Java application, it’s essential to understand its key cryptographic operations: 

• Encryption — is the process of converting plain text into an unreadable format (cipher text) using a cryptographic algorithm and a key. The encrypted data can only be reverted to its original form by someone who possesses the correct decryption key. 
• Decryption — is the reverse process of encryption. It transforms cipher text back into its original plain text format using a decryption key. In FIPS 140-3, encryption and decryption processes must use approved algorithms. (Scroll down to see approved list of algorithms that support FIPS 140-3) 
• Digital Signatures — is an electronic, encrypted stamp of authentication on digital information such as messages. It ensures that the information originated from the signer and was not altered. Any change made to the signed data invalidates the whole signature. 
  FIPS 140-3 mandates using only approved algorithms for these operations. 
  

Enabling FIPS 140-3 in Java: A Guide Using OpenJCEPlusFIPS :
The landscape of cryptographic providers is constantly evolving, with new FIPS-certified options becoming available. In this tutorial, we’ll walk you through configuring FIPS 140-3 using the OpenJCEPlusFIPS provider, which is included in the IBM Semeru Runtimes. Keep in mind that the system and application requirements detailed below are tailored specifically for OpenJCEPlusFIPS.

It’s important to note that FIPS 140-3 is not enabled by default. You’ll need to make specific configurations at both the system and application levels to activate it. 

System Requirements 
Ensure the following requirements are met before enabling FIPS. 

1. Supported Operational environments: 
   FIPS 140-3 is supported on: 
   * AIX on 64-bit IBM POWER hardware 
   * Linux on x86-64 hardware 
   * Linux (Little Endian) on 64-bit IBM POWER hardware 
   * Windows on x86-64 hardware 
   
   
2. JDK version:
   Use a FIPS-certified JDK such as IBM Semeru Runtimes, with supported versions listed below. 
   * 11.0.24 
   * 17.0.12 
   * 21.0.4 or higher.
   
   
3. Cryptographic Module: 
   Use a FIPS 140-3 validated cryptographic provider like, the OpenJCEPlusFIPS (shipped with IBM Semeru Runtimes). 

 
 Note: The FIPS 140-3 security policy does not permit the use of the OpenJCEPlusFIPS provider on 32-bit operating systems. 
 
Java Application Configuration :
To enable FIPS 140-3 at the application level, pass the following system properties when running the application. 

-Dsemeru.fips=true -Dsemeru.customprofile=OpenJCEPlusFIPS.FIPS140-3 

How FIPS handles compliant/non-compliant algorithms 
For example, Blowfish is one of the cipher algorithms that is non-FIPS compliant. If your application uses instances of Blowfish, an exception is thrown when running application in FIPS mode. 

Cipher cipher = Cipher.getInstance("Blowfish")

In a non-FIPS environment no exception is thrown, and the cipher operations are performed. However, when running the application in FIPS 140-3 mode, it will throw the following exception: 
Exception in thread "main" java.security.NoSuchAlgorithmException: Cannot find any provider supporting Blowfish at  
java.base/javax.crypto.Cipher.getInstance(Cipher.java:565)

FIPS-Approved Algorithms :
When FIPS mode is enabled, only specific cryptographic algorithms are allowed. The table below shows the algorithms supported by the OpenJCEPlusFIPS provider. If you are using a different provider, make sure to check whether your algorithm is supported by that provider. 
 
Supported Algorithms in the OpenJCEPlusFIPS Provider 

  
Conclusion :
Integrating FIPS 140-3 in a Java application ensures strong encryption and regulatory compliance for handling sensitive data. By leveraging FIPS 140-3 supported cryptographic providers like OpenJCEPlusFIPS, developers can enable FIPS-approved cryptographic operations and enhance their application’s security.