FIPSified!
FIPS? – You may have heard about MIPS or about ECLIPSE, but FIPS?
Granted, the U.S. “Federal Information Processing Standard” does not sound like the coolest thing to talk about on a sunny spring day. Yet, we are happy to have achieved SUSE’s first-ever FIPS 140-2 validation for OpenSSL last week. See: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1930.pdf. The validation was conducted by Atsec, and certified by NIST (CMVP).
What does this mean to you? Does this also have relevance outside of the US?
The FIPS 140-2 standard “Security Requirements for cryptographic modules” defines eleven requirement areas against which a security module is described, tested, and validated. The tests confirm that the module behaves as defined and documented, if it runs in FIPS mode.
Thus, delivering a FIPS-validated version of OpenSSL, one of the fundamental security libraries in the Linux and Open Source world, gives both U.S. and global users an attestation that this library behaves in a well-defined way, if it runs in FIPS mode.
I said “if it runs in FIPS mode” twice: The FIPS 140-2 standard also describes a set of crypto algorithms which are in scope, and others that are not. OpenSSL by default delivers more crypto algorithms than are allowed by FIPS 140-2, thus we have to tell OpenSSL to limit itself.
There are three ways to achieve this:
1. Boot your system with the kernel command line option “fips=1”.
2. Set the environment variable OPENSSL_FORCE_FIPS_MODE to “1”.
3. Enable FIPS mode in your program which is linked to OpenSSL.
For more information, please carefully study
/usr/share/doc/packages/openssl/README-FIPS.txt
on your SUSE Linux Enterprise Server 11 SP2 (and upcoming SP3), before enabling FIPS mode.
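The following check is an added example, not part of the original post or of SUSE's documentation: it reports which of the first two activation methods is in effect on a host. The function names are hypothetical, the kernel flag file /proc/sys/crypto/fips_enabled is not mentioned in the post, and treating the last "fips=" word as decisive is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: audit FIPS activation by boot option and environment variable.
# Method 3 (a program enabling FIPS mode itself) is not visible from outside
# the process and is not covered here.

# Succeeds if the kernel command line in $1 carries "fips=1".
# Assumption: if "fips=" appears more than once, the last word decides.
cmdline_requests_fips() (
    set -f                      # no globbing while word-splitting the cmdline
    enabled=no
    for word in $1; do
        case "$word" in
            fips=1) enabled=yes ;;
            fips=*) enabled=no ;;
        esac
    done
    [ "$enabled" = yes ]
)

# Prints one line per finding.
# $1: kernel command line file   (normally /proc/cmdline)
# $2: kernel FIPS flag file      (normally /proc/sys/crypto/fips_enabled)
# $3: value of OPENSSL_FORCE_FIPS_MODE in the environment being inspected
fips_activation_report() {
    cmdline=""
    flag=""
    if [ -r "$1" ]; then cmdline=$(cat "$1"); fi
    if [ -r "$2" ]; then flag=$(cat "$2"); fi
    if cmdline_requests_fips "$cmdline"; then
        echo "boot: fips=1 on kernel command line"
        # A boot option the running kernel did not act on deserves a look.
        if [ "$flag" != "1" ]; then
            echo "warning: fips=1 requested but kernel flag is not 1"
        fi
    fi
    if [ "$flag" = "1" ]; then
        echo "kernel: fips_enabled flag is 1"
    fi
    if [ "$3" = "1" ]; then
        echo "env: OPENSSL_FORCE_FIPS_MODE=1"
    fi
    return 0
}

fips_activation_report /proc/cmdline /proc/sys/crypto/fips_enabled \
    "${OPENSSL_FORCE_FIPS_MODE:-}"
```

The environment variable is per process, so the last line only reflects the shell the script runs in, not services started with a different environment.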
You may wonder which applications on SUSE Linux Enterprise Server will automatically benefit from this, that is, which applications you can run in a FIPS-compliant mode because they are linked to OpenSSL and work properly with FIPS mode enabled. I would like to highlight three today:
- Apache Webserver
- PureFTPd FTP Server
- STunnel
While the use cases of Apache and PureFTPd are obvious, STunnel adds a nice multiplication factor to the question of FIPS enablement for secure communication: STunnel is a universal SSL Tunnel that allows you to transfer arbitrary IP-based protocols securely from one machine to another, without changing the original non-encryption-aware application(s). Obviously, by running STunnel in FIPS mode, this communication now can be claimed as FIPS compliant.
And there are more modules in SUSE Linux Enterprise Server that we are planning to submit for FIPS validation in the future.
One last caveat: running in a FIPS-compliant mode does not automatically make your systems more secure. Security depends on multiple factors, technical and human, and security is not a fixed state, but is a process. And this process requires regular review and diligent maintenance.
Sit back, relax, and eat your CHIPS!
Comments
Hi,
We are trying to get our product FIPS certified, and for that we tried the following:
I have read through your article and tried the first method of FIPsfying by setting the kernel parameter “fips=1” in file /boot/grub/menu.lst on a SLES 11.3 virtual machine.
But the box didn’t restart after the change, so I had to reboot it in failsafe mode and undo the kernel changes related to fips.
So can someone please help me to understand if SLES 11.3 can be booted with the FIPS flag?
Also, it would be very helpful if you could point to any generic documentation that explains various aspects of certifying software for FIPS.