Distinctive Features

Concerning the CORE partition and key settings, the FIPSClosedFederal Information Processing Standards - standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors mode introduces the following features related to crypto-processing.

FIPS Processing Policy

To allow using key material that is not yet certified by FIPSClosedFederal Information Processing Standards - standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors, a CORE in FIPSClosedFederal Information Processing Standards - standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors mode allows processing certain key material in a non-FIPS modeClosedUKC system advanced execution mode that hasn't yet received the FIPS certification. To control whether the generation of non-certified keys is allowed in partition, the Root SOClosedSecurity officer - UKC partition administrator role. assigns to each newly created partition a policy that applies to all keys in the partition.

The policy is permanent. It is indicated by the fips-req setting of the partition that specifies the following FIPS modeClosedUKC system mode that allows processing FIPS-certified and not-certified keys policies:

Reference:

Key Generation in FIPS Mode

The specific processing mode (FIPSClosedFederal Information Processing Standards - standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors or non-FIPSClosedFederal Information Processing Standards - standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors) in a partition that allows both modes of crypto-processing is assigned to a key during its generation. The assignment is implicit (as described in FIPS Processing Policy ) and permanent.

To examine the assigned mode, use the key-show function, and examine the fips setting of the key:

Exportability in FIPS Mode

By default, keys generated or imported to CORE are non-exportable. However, in a partition that allows both FIPSClosedFederal Information Processing Standards - standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors and non-FIPSClosedFederal Information Processing Standards - standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors mode processing, if export of a key is allowed, the following changes might occur in its setting during its creation:

In particular:

  1. In a preferred partition, an RSA key is always processed in the FIPS modeClosedUKC system mode that allows processing FIPS-certified and not-certified keys regardless of its export permissions. However, if it is specified as exportable, then the required export level is automatically raised to "wrapped with a trusted key".
  2. For a non-RSA key in a preferred partition, a key that is allowed to be exported
    - in plain or
    - without being wrapped by a trusted key
    is set to be processed in non-FIPSClosedFederal Information Processing Standards - standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors mode regardless of its compliance with the FIPS modeClosedUKC system mode that allows processing FIPS-certified and not-certified keys.