Areas of non-compliance with FIPS

The following table displays processes used by the Clearswift Gateway that are currently non-compliant with FIPS 140-2.

 

FIPS (Federal Information Processing Standards) is a set of standards developed by the United States Federal Government for use in computer systems. FIPS 140-2 is the subset of standards which defines approved encryption algorithms used for handling sensitive information.

Area Description
Java Secure Socket Extension (JSSE) Enables secure Internet communications.
Bouncy Castle Cryptography Java library used for importing (and extracting information from) certificates.
SSH Cryptographic protocol used for secure communication. Uses low-level digest APIs and MD5 in password validation.
SNMP alerts SNMP alerts are implemented using an SNMPv1 client. Community strings are passed in plaintext.
BATV (Bounce Address Tag Validation) Untagging uses an unapproved low-level digest API.
Unacceptable Images Image Classification Content Manager uses an MD5 checksum to determine whether images are acceptable.
PMM Mobile Uses an unsupported mode of AES encryption (ECB).
PDFs Decryption of PDF documents uses MD5.
BATV secret key obfuscation MD5 is used to obfuscate the BATV secret key.
Replication between Gateways The task for replicating commands and data between Gateways validates using MD5 hashes.
Peer status monitor The Peer status task checks for peer status changes using MD5 hashes.
TRUSTManager reputation check Checks requests and responses from an SMTP client using MD5 hashes.
User Interface Certificate Management Generates MD5 hashes for certificate users.
Downloading Missing Manager lists The infrastructure task for downloading lists uses an MD5 hash to check for changes.
LDAP Address List Service Uses MD5 to verify downloaded files.
TRUSTManager reputation uploader Uses an MD5 hash to communicate with TRUSTManager server alongside uploaded file.
Upgrade Service Calculates MD5 hashes for downloaded files, in order to compare them with patch control files.
Downloading Managed Lists Calculates MD5 hashes for comparison of downloaded files.
Kaspersky License Updater Calculates MD5 hashes for comparison of downloaded files. The license updater task also uses an unsupported mode of AES encryption (ECB).
Service Availability List downloader Calculates an MD5 hash for comparison of downloaded files.


© 1995–2019 Clearswift Ltd.