FIPS and NIST

Paul Pathiakis pathiaki2 at yahoo.com
Tue Apr 9 11:44:56 UTC 2019 

Hi,
I posted the following to freebsd-questions but was further directed here to see what can be done about this issue.
Basically, it involves making sure that the SSL library in use on the OS and any ports built with it, uses the OpenSSL fips-compliant module.  The module is a 'blessed' certification module of OpenSSL that has had the MD5 and (???) less secure cryptographic algorithms removed.  It goes through US/Canadian government certification process and ends up being 'blessed'.  Without this certification, FreeBSD and all of its derivatives will be shut out of govt and govt contractor companies.
A LOT of information can be found out about this online especially at http://www.nist.gov.
There are standards of both physical hardware security and operating system security using the OpenSSL-FIPS-2.0  (soon to be 3.0 this year).
On the physical side it must support the use of SEDs (self encrypting drives
I guess one of the initial undertakings would be to port the openssl FIPS module.  

https://www.openssl.org/docs/fips.html
Another undertaking would be to allow a switch when building things that rely on SSL encryption in their configuration to choose 'OpenSSL FIPS'.
Now, the sad part.  FIPS and NIST fly in the face of OSS philosophy and nimble movement.  A FIPS certified module cannot be used if a bug is found in it.  It's IMMEDIATELY blacklisted.  All things built with it are no longer valid.  You can't patch it, you can't outright fix it, etc.  It then requires the new library to go through certification.  This leads to chicken-egg.... you can't really expect to put everything on hold while a new module goes through the certification process which can take upwards of 18 mos.  So, people either don't report it or wait until the new version is out to report it.  (Hey, it's the gov't right?)
However, you can't be used by the gov't unless certified.  All the big players, CISCO, IBM, DELL/EMC, VMware and RedHat (and CentOS) are all FIPS-compliant.
So, can this happen?  (If it doesn't, all machines that are FreeBSD or variants in use in the gov't and in govt contractor companies, will be removed in an ever shrinking timeframe.)
Paul P.

More information about the freebsd-arch mailing list