15

I am by far no security expert, but I have experience on the subject working in Java (JCA, JCE and JSSE).
Anyway, recently there was a discussion about FIPS compliance.
I looked into this and SUN's libraries are not FIPS compliant per se.
Additionally, Bouncy Castle, which I use extensively, and as far as I know is considered the best security library, is not FIPS compliant either.
So my question is, how important is it to provide an implementation that is strictly FIPS compliant?
As a simple example, in building a secure site should one explicitly state whether it is FIPS compliant or not?
Any input on this is very welcome.

Thank you.

AviD
Jim

4 Answers

17

The most common reason that you need to be FIPS compliant is your company is required to by law or for other compliance reasons. FIPS compliant just means that your encryption has been validated by an authoritative body and there are no inherent flaws. There are also no discovered flaws in a lot of other encryption libraries like Bouncy Castle.

The reasoning behind FIPS vs no FIPS is no FIPS relies on the fact that no one has found a problem but doesn't really say if someone has looked before. FIPS is proven based on active testing and security standards.

In the end, it doesn't improve your overall security posture but it will make management feel better if it's FIPS.

Lizbeth
  • I am not sure what you mean by saying "required by law". Is it related to the type of application? E.g. if building secure software for a banking system, does the law expect it to be FIPS compliant, but if one builds a commercial web site, no one really cares about FIPS? – Jim May 26 '11 at 21:21
  • 3
    Yes - exactly. Can't speak for the banking industry - but there are laws and regulations in the US federal market. – bethlakshmi May 26 '11 at 21:31
14

For a software library, I would agree with @Lizbeth - FIPS 140-2 Level 1 is for software libraries like Bouncy Castle, Sun Java, and NSS (Java library that is FIPS certified). The difference is just that a FIPS compliant software library has been independently tested to meet a set of security requirements. Some industries have laws that require a certain level of security diligence and FIPS is one of the ways of mandating that.

When you get past software libraries, FIPS can matter a lot more because it speaks to a level of quality for high end features that get progressively more expensive and protective:

  • Level 1 - basic requirements - can be implemented in software or hardware
  • Level 2 - tamper evident coatings and role based authentication - this means that the hardware CAN be tampered with, but it'll be obvious. Can't be done in SW.
  • Level 3 - Prevents access to critical security parameters and provides for ID based authentication.
  • Level 4 - zeroizes when tampered with

There are products at all levels - usually you won't need Level 2 and beyond if you're talking about a fairly low risk web app. But for high risk applications, where compromise of the key material would be a huge deal - the increasing levels of FIPS 140-2 become the norm. I haven't been near the hardware security module product world for a while, but it used to be almost a requirement to enter the high security market - government or financial. If you're charging over $10,000 for your device, you want to prove that it'll do what you say it does.

bethlakshmi
  • Thanks for the info. I was wondering, since Java is not FIPS-compliant out of the box, what are the usual SW implementations? In .NET or something else? – Jim May 27 '11 at 06:13
  • 3
    The library I've always used is NSS - http://www.mozilla.org/projects/security/pki/nss/index.html. It's not the entire language that needs FIPS certification - it's specifically the crypto libraries - so you don't need to change to a different platform, just get a FIPS certified library. – bethlakshmi May 27 '11 at 14:12
  • Ah, ok! I have heard about NSS. What about IBM's implementation of Java? From googling it seems it is also FIPS compliant. Am I right? – Jim May 27 '11 at 20:35
  • 1
    Looks like it... just for clarity here - it is not "Java" that needs FIPS compliance - it's cryptographic libraries. In IBM's case, it's an implementation of JCE which means you should be able to swap it in pretty easily as a security provider in your existing implementation. As a point of reference, you can always check certifications with NIST here: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm -- Line #1081 is the IBM JCE implementation. – bethlakshmi May 31 '11 at 14:09
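The provider swap described in the comments above can be checked at runtime, so that an algorithm is never silently served by a different installed provider. This is an added example, not code from any of the posters; the class `ProviderCheck`, the helper `cipherFrom` and the stand-in provider name `SunJCE` (the stock JDK provider, used only so the sample runs on any JDK) are assumptions.

```java
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;

public class ProviderCheck {

    // Returns a Cipher only if it is served by the named provider.
    // Passing the Provider object disables the normal fallback through
    // the preference list, so a missing provider fails loudly.
    static Cipher cipherFrom(String transformation, String providerName) throws Exception {
        Provider p = Security.getProvider(providerName);
        if (p == null) {
            throw new IllegalStateException("Provider not installed: " + providerName);
        }
        Cipher c = Cipher.getInstance(transformation, p);
        if (!c.getProvider().getName().equals(providerName)) {
            throw new IllegalStateException("Served by " + c.getProvider().getName());
        }
        return c;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: "SunJCE" stands in for the name of the validated
        // provider your deployment requires; pass the real name as args[0].
        String required = args.length > 0 ? args[0] : "SunJCE";
        String transformation = "AES/GCM/NoPadding";

        // 1. Show the preference order the JVM will walk for unqualified requests.
        //    A swapped-in provider is registered in java.security or with
        //    Security.insertProviderAt(provider, 1).
        Provider[] installed = Security.getProviders();
        for (int i = 0; i < installed.length; i++) {
            System.out.printf("%d. %s (%s)%n", i + 1,
                    installed[i].getName(), installed[i].getInfo());
        }

        // 2. Unqualified request: whichever provider comes first wins.
        Cipher byDefault = Cipher.getInstance(transformation);
        System.out.println("Default request served by: " + byDefault.getProvider().getName());

        // 3. Pinned request: fails instead of falling back.
        Cipher pinned = cipherFrom(transformation, required);
        System.out.println("Pinned request served by:  " + pinned.getProvider().getName());
    }
}
```

Run it with the required provider's name as the first argument; a provider that is not installed raises `IllegalStateException` instead of falling back to another implementation.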
9

FIPS compliance (or the European equivalents such as EAL levels) is a requirement in some markets or to achieve some legal properties; for instance, in France, time stamps are considered to be legal proofs (burden of proof lying on the party who claims the time stamp to be non-binding) only if the time stamp authority went through a certification process, in which it is required that a "certified" HSM (Hardware Security Module) is used to store and use the authority private key. If that was happening in the US instead of France, the "certified HSM" would be "an HSM which conforms to FIPS-140 level 4".

In private-owned areas (e.g. banking) requirements for certifications and/or FIPS 140 levels come from insurance companies: banks can get covered at insane-but-feasible rates because they can prove that they use strict security rules, and FIPS 140 levels are such rules. VISA and MasterCard are especially stringent about security (this is about money, thus it is important).

In more practical terms, FIPS 140 levels are obtained by demonstrating that some security characteristics are achieved (see the response from @bethlakshmi), which involves both hardware and software. Since, in general, correctness of software cannot be proven, the certification process involves showing that the system was developed with all due craftsmanship (unit test, code reviews, authenticated source code versioning, up to and including background checks on the developers themselves). This involves time, money (think 100k+ dollars), and an awful lot of paper. So the real, practical meaning of conformance to FIPS 140 is that someone spent a lot of time and money on the idea that the system is not blatantly insecure. This does not mean that the system is secure, but that at least there was some substantial effort and investment towards that goal.

Most open source projects use a bazaar model which is efficient at producing good code fast, but is utterly incompatible with a certification process. Also, most open source projects have no or very little funding. This explains why Bouncy Castle is not FIPS compliant, and even big companies such as Sun (now Oracle) have preferred not to run that process. There again, not being FIPS compliant does not mean "insecure" or even that the system could not be declared FIPS compliant, only that nobody found it worth the effort to go through the expensive administrative hoops of formal FIPS compliance.

Thomas Pornin
8

To add to the excellent previous answers by the previous posters, I'll go with an example.

OpenSSL exists in both a FIPS certified version and the regular one that isn't (well, a subsystem is FIPS validated).

When a vulnerability is found in OpenSSL in an area that also affects the FIPS validated module, the fix is usually pushed very quickly in the regular OpenSSL distribution while the users of the FIPS version are actually left vulnerable until an updated version is certified.

This is a case of FIPS compliance (and the amount of paper pushing it implies) actively going against security.

Bruno Rohée