22
Secure Operation of Crypto-J
RSA BSAFE Crypto-J 4.1 Security Policy
Cryptographic algorithms can be created in different modes using the
com.rsa.jsafe.crypto.FIPS140Context class for the JSFE API. For more
information about operating in FIPS 140 mode, see the RSA BSAFE Crypto-J 4.1
Developers Guide.
3.6 Startup Self Tests
Crypto-J offers the ability to configure when KATs are executed. To operate the
Crypto-J module in a FIPS 140-2 mode, set the
com.rsa.cryptoj.kat.strategy property to on.load. For the correct
configuration settings, see the RSA BSAFE Crypto-J 4.1 Installation Guide.
The strategy property is read once only, on start-up, and any subsequent changes to the
KAT strategy property are ignored.
With the KAT strategy set to on.load, all KATs are executed on toolkit start-up, which
occurs on first use. If any KAT fails, the toolkit is disabled.
3.7 Random Number Generator
Crypto-J provides a default RNG. This default RNG can be set to one of the FIPS-140
approved RNG, (ECDRBG, HMACDRBG, FIPS186-2 RNG) using the property
com.rsa.crypto.default.random. For the correct configuration settings, see
the RSA BSAFE Crypto-J 4.1 Developer's Guide.
If the property is not set, the default RNG used is Dual ECDRBG.
Users in FIPS 140-2 mode can select either the FIPS 186-2, ECDRBG or HMAC
DRBG when creating a RNG object and setting this object against the operation
requiring random number generation (for example key generation).
Users in non-FIPS 140-2 mode can use any RNG and set it against the operation
requiring random number generation.
For more information on each function, see the RSA BSAFE Crypto-J 4.1 Developer's
Guide