Date:      Sun, 14 Apr 2019 10:45:50 -0500
From:      Benjamin Kaduk <kaduk@mit.edu>
To:        Paul Pathiakis <pathiaki2@yahoo.com>
Cc:        "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>, FreeBSD Ports <ports@freebsd.org>
Subject:   Re: FIPS and NIST
Message-ID:  <20190414154550.GB10547@kduck.mit.edu>
In-Reply-To: <1414670222.401877.1554810287647@mail.yahoo.com>
References:  <1414670222.401877.1554810287647.ref@mail.yahoo.com> <1414670222.401877.1554810287647@mail.yahoo.com>

On Tue, Apr 09, 2019 at 11:44:47AM +0000, Paul Pathiakis via freebsd-arch wrote:
> Hi,
> I posted the following to freebsd-questions but was further directed here to see what can be done about this issue.
> Basically, it involves making sure that the SSL library in use on the OS and any ports built with it, uses the OpenSSL fips-compliant module.  The module is a 'blessed' certification module of OpenSSL that has had the MD5 and (???) less secure cryptographic algorithms removed.  It goes through US/Canadian government certification process and ends up being 'blessed'.  Without this certification, FreeBSD and all of its derivatives will be shut out of govt and govt contractor companies.

The OpenSSL FIPS module 2.0
(https://wiki.openssl.org/index.php/FIPS_module_2.0) is very old and is
only compatible with the (also very old) OpenSSL 1.0.2 release series.
FreeBSD has already imported OpenSSL 1.1.1 into the base system and cannot
(for API stability purposes) revert to the older version.
AFAIK the three validation letters run by OpenSSL directly did not include
FreeBSD as a validated OS, but of course that module could have been a
starting point for "private label" validations that would be somewhat
faster/cheaper than starting completely from scratch.

> A LOT of information can be found out about this online especially at http://www.nist.gov.
> There are standards of both physical hardware security and operating system security using the OpenSSL-FIPS-2.0  (soon to be 3.0 this year).

3.0 is on the roadmap for this year, with a very different design
philosophy, but it's also very much a WIP and not even in a state to start
building designs on top of.

> On the physical side it must support the use of SEDs (self encrypting drives
> I guess one of the initial undertakings would be to port the openssl FIPS module.  

Well, there's not really anything to port yet.  Anyways, all the work is
going to happen in the main OpenSSL git repository, on the same master
branch as other development work, so the amount of porting involved would
also be minimal.

> 
> https://www.openssl.org/docs/fips.html
> Another undertaking would be to allow a switch when building things that rely on SSL encryption in their configuration to choose 'OpenSSL FIPS'.
> Now, the sad part.  FIPS and NIST fly in the face of OSS philosophy and nimble movement.  A FIPS certified module cannot be used if a bug is found in it.  It's IMMEDIATELY blacklisted.  All things built with it are no longer valid.  You can't patch it, you can't outright fix it, etc.  It then requires the new library to go through certification.  This leads to chicken-egg.... you can't really expect to put everything on hold while a new module goes through the certification process which can take upwards of 18 mos.  So, people either don't report it or wait until the new version is out to report it.  (Hey, it's the gov't right?)

You may be interested to read about
https://csrc.nist.gov/Projects/Automated-Cryptographic-Validation-Testing
(see also https://github.com/usnistgov/ACVP).

> However, you can't be used by the gov't unless certified.  All the big players, CISCO, IBM, DELL/EMC, VMware and RedHat (and CentOS) are all FIPS-compliant.
> So, can this happen?  (If it doesn't, all machines that are FreeBSD or variants in use in the gov't and in govt contractor companies, will be removed in an ever shrinking timeframe.)

I note without further comment that
https://www.openssl.org/blog/blog/2018/09/25/fips/ lists NetApp as a
sponsor of the current OpenSSL effort.  (Full disclosure: my employer
(Akamai Technologies) is also listed.)

-Ben


