Drivers and FIPS 140-2

This section discusses FIPS 140-2 and how to configure and use the Milestone drivers to operate in FIPS 140-2-compliant mode.

Requirements for FIPS 140-2 compliant mode

The Milestone XProtect VMS device drivers can be FIPS 140-2 compliant because they can be configured and operate so that they use only FIPS 140-2 compliant algorithm instances. Only specific drivers in a specific configuration are FIPS 140-2 compliant. In this specific FIPS 140-2 configuration the driver will be able to communicate with devices in a compliant way. The devices must fulfill several requirements in order to be able to accept this communication. In addition, the FIPS Group Policy flag must be enabled in Windows on the server where the recording server is installed. When the FIPS Group Policy flag is enabled, the FIPS 140-2 capable drivers will operate in compliant mode and will not use non-approved cryptographic primitives. The drivers will use the algorithms used only for secured channels of communication.

Device requirements

For a device to be able to communicate with a driver running in FIPS 140-2 compliant mode it must fulfill all of these:

  • The device must support HTTPS communication with at least one FIPS 140-2 compliant cipher suite (for examples see Example of FIPS 140-2 compliant cipher suites)
  • The device must support RTSP over HTTPS (Tunneling RTSP and RTP over HTTP) using HTTP Basic Authentication (RFC2068 Section 11.1) or HTTP Digest Authentication (RFC2069, RFC7616)

    or

    The device must support media streaming using SRTP and RTSPS (RFC3711)

Supported drivers

Currently only a subset of drivers is FIPS 140-2 compliant. These drivers support communication through a secured channel for all available features.

Axis 1 channel Axis 1 channel PTZ Axis 2 channel Axis 3 channel
Axis 4 channel Axis 8 channel Axis 11 channel Axis 12 channel
Axis Audio Bosch PTZ Bosch 1 channel Bosch 2 channel
Bosch 3 channel Bosch 16 channel Bosch X20XF Bosch X40XF
Canon 1 channel Canon 1 channel PTZ Canon VBM Canon VBM 40
Canon VBS Canon VBS No Ptz Digital Barriers TVI Decoder Hanwha Generic
ONVIF ONVIF16 Universal Universal 16 channel
Universal 64 channel VideoPush    

The drivers in the table are capable of running in FIPS 140-2 compliant mode when configured properly. This list is not final and may expand in the future. Some drivers are FIPS 140-2 compliant with limited capabilities. Refer to specific driver sections below for information on how to configure them and any limitations.

FIPS 140-2 compliant mode for drivers is available since Device Pack 11.1.

Effects of running in FIPS 140-2 compliant mode

When operating in FIPS 140-2 compliant mode, some drivers will be unavailable for use. Drivers which are listed as FIPS 140-2 might not be able to connect to devices that do not fulfill the device requirements.

A driver is FIPS 140-2 compliant and the communication with the device is FIPS 140-2 compliant if the FIPS 140-2 capable driver:

If any of the requirements for FIPS 140-2 compliant mode are not fulfilled, then there is no guarantee about the FIPS 140-2 compliancy of the driver or the communication with the device.

How to configure the device and the driver for FIPS 140-2

The configuration of the device and driver for FIPS 140-2 compliant mode is device and driver specific. Some general guidelines apply:

  • The communication channels between the driver and the device must be secure and encrypted (HTTPS, RTSP over HTTPS, SRTP).
  • The device must be configured for operation using secure channels.
  • The driver and device must be configured to use secure channels for communication in XProtect VMS.

Axis drivers

Do the following:

  • Set HTTPS Enabled to Yes.
  • Set HTTPS Validate Certificate to Yes.
  • Set HTTPS Validate Hostname to Yes.

  • For every enabled media channel and media stream, set Streaming Mode to RTP/RTSP/HTTP/TCP.

Canon drivers

  • Set the HTTPS Enabled to Yes.

  • For every enabled media channel and media stream, set Streaming Mode to RTP/RTSP/HTTP/TCP.

Bosch drivers

Do the following:

  • Set HTTPS Enabled to Yes.
  • Set HTTPS Validate Certificate to Yes.
  • Set HTTPS Validate Hostname to Yes.

  • For every enabled media channel and media stream, set Streaming Mode to one of the following:
    • RTP/RTSP/HTTP/TCP
    • SRTP/RTSPS/UDP
    • SRT/RTSPS/UDP multicast

Hanwha drivers

  • Set the HTTPS Enabled to Yes.

  • For every enabled media channel and media stream, set Streaming Mode to HTTP streaming.

ONVIF drivers

Do the following:

  • Set HTTPS Enabled to Yes.
  • Set HTTPS Validate Certificate to Yes.
  • Set HTTPS Validate Hostname to Yes.

  • For every enabled media channel and media stream, set Streaming method to RTP/RTSP/HTTP/TCP.

  • The Audio backchannel (Audio Out, Device Speaker) must not be used when the driver is running in FIPS 140-2 compliant mode.

Universal drivers

Do the following:

  • Set HTTPS Enabled to Yes.
  • Set HTTPS Validate Certificate to Yes.
  • Set HTTPS Validate Hostname to Yes.

  • For every enabled media channel and media stream, set Streaming Mode to either RTP/RTSP/HTTP/TCP or HTTP, depending whether streaming or snapshot retrieval mode is used.

VideoPush driver

No specific configuration is needed. Enabling the FIPS Group Policy will force the driver to communicate with the XProtect Mobile serverin a FIPS 140-2 compliant way.

Example of FIPS 140-2 compliant cipher suites

0x1302 TLS_AES_256_GCM_SHA384
0x1303 TLS_CHACHA20_POLY1305_SHA256
0x1301 TLS_AES_128_GCM_SHA256
0xC02C TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
0xC030 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
0x00A3 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
0x009F TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
0xC02B TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
0xC02F TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
0x00A2 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
0x009E TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
0xC024 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
0xC028 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
0x006B TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
0x006A TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
0xC023 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
0xC027 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
0x0067 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
0x0040 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
0x00AD TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
0x00AB TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
0x009D TLS_RSA_WITH_AES_256_GCM_SHA384
0x00A9 TLS_PSK_WITH_AES_256_GCM_SHA384
0x00AC TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
0x00AA TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
0x009C TLS_RSA_WITH_AES_128_GCM_SHA256
0x00A8 TLS_PSK_WITH_AES_128_GCM_SHA256
0x003D TLS_RSA_WITH_AES_256_CBC_SHA256
0x003C TLS_RSA_WITH_AES_128_CBC_SHA256
0x0035 TLS_RSA_WITH_AES_256_CBC_SHA
0x002F TLS_RSA_WITH_AES_128_CBC_SHA

This list is not exhaustive. There are other cipher suites that are FIPS 140-2 compliant. This list is given only as a sample of cipher suites that are FIPS 140-2 compliant.