In some cases, CA ITCM makes use of security functions that are not allowed by the FIPS 140-2 publication. These uses do not affect the normal operation of CA ITCM in FIPS-only mode.
When a software signature contains an "md5" attribute value for a <file> tag, the signature scanner uses its own private MD5 implementation. The scanner checks whether the MD5 digest of any file found on the agent computer matches the "md5" attribute value before it returns a positive result for that signature. MD5 is not used for any cryptographic purpose in the software signature scanner.
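As an added example (not CA ITCM code), a minimal scanner in Python that treats the "md5" attribute of a <file> tag as a non-cryptographic fingerprint; the signature layout, element names and file contents are constructed assumptions, and the digest is explicitly flagged as non-security use so it also runs under a FIPS-mode OpenSSL.

```python
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample signature (hypothetical layout, not a CA ITCM signature):
# a <file> tag whose "md5" attribute holds the expected digest of that file.
SAMPLE_SIGNATURE = """
<signature name="ExampleApp">
  <file name="app.bin" md5="{digest}"/>
</signature>
"""

def file_md5(path):
    # MD5 is used here only as a fingerprint for matching, not for security;
    # usedforsecurity=False (Python 3.9+) keeps it usable under FIPS mode.
    h = hashlib.md5(usedforsecurity=False)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan(signature_xml, root_dir):
    """True only if every <file> carrying an md5 attribute matches a file under root_dir."""
    root = ET.fromstring(signature_xml)
    wanted = {f.get("name"): f.get("md5").lower()
              for f in root.iter("file") if f.get("md5")}
    if not wanted:
        return False  # nothing to match against: treat as not detected
    found = {}
    for dirpath, _, filenames in os.walk(root_dir):
        for fn in filenames:
            if fn in wanted and fn not in found:
                found[fn] = file_md5(os.path.join(dirpath, fn))
    return all(found.get(name) == digest for name, digest in wanted.items())

def demo():
    # Constructed input: an intact copy and a tampered copy in separate trees
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as bad:
        content = b"example application bytes"
        with open(os.path.join(good, "app.bin"), "wb") as f:
            f.write(content)
        with open(os.path.join(bad, "app.bin"), "wb") as f:
            f.write(content + b"!")
        digest = hashlib.md5(content, usedforsecurity=False).hexdigest()
        sig = SAMPLE_SIGNATURE.format(digest=digest)
        return scan(sig, good), scan(sig, bad)  # (True, False)
```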
During CA ITCM installation, PKCS#12-based files can be used for certificate and key installation. These files are encrypted using a key derived by a password-based key derivation function (PBKD), such as PBKDF2 from the PKCS#5 v2.0 standard. During installation, these files are extracted and then protected using non-password-based techniques.
Note: Password-based key derivation (password based key establishment) is explicitly disallowed for the purposes of asymmetric key agreement as specified in section 7.1 of the FIPS 140-2 Implementation Guidance document.
Copyright © 2013 CA.
All rights reserved.