FIPS comes to Node.js
Michael Dawson, IBM
About Michael Dawson
Loves the web and building software (with Node.js!)
Senior Software Developer @ IBM
IBM Runtime Technologies Node.js Technical Lead
Node.js collaborator and CTC member
Active in the LTS, build, benchmarking, API and post-mortem working groups
Contact me:
[email protected]
@mhdawson1
https://www.linkedin.com/in/michael-dawson-6051282
Why do we care?
Cryptography is an important tool
Provides a way to evaluate modules
May be a contract requirement!
What is it?
Federal Information Processing Standard (FIPS)
– Publication 140-2
US government security standard for cryptographic modules
– Co-developed with the Canadian CSE (Communications Security Establishment)
Independent labs do the evaluation
Node Leverages OpenSSL Validation
https://en.wikipedia.org/wiki/FIPS_140-2
https://www.openssl.org/
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747
Security Policy and User Guide
Security Policy (36 pages)
– https://www.openssl.org/docs/fips/SecurityPolicy-2.0.9.pdf
User Guide (221 pages)
– https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
Trusted Path Requirement
User Affirmation
Integration
fipscanister.o
OpenSSL/libcrypto.a
$(OPENSSLDIR)/fips/fipsld -o ...
if (FIPS_mode_set(1)) {
    /* ... */
} else {
    /* indicate error */
}
Linux only so far
https://github.com/nodejs/node/blob/master/BUILDING.md
Application compliance
Just using a FIPS-capable Node.js is not enough
You have to use it correctly
Demonstrate to the ‘customer’ that you did the right thing
It is, however, an enabler
Community History
May 2015 – discussion starts
– https://github.com/nodejs/node-v0.x-archive/issues/25463
Jun 2015 – PR 1890
Nov 2015 – Issue 3760
– PRs 3752, 3753, 3754, 3755, 3756, 3757, 3758, 3759
– Added to community CI
Dec 2015 – NPM cleanup
Feb 2016 – Command line improvement
New API and runtime options (v6.x)
Command line:
--enable-fips
--force-fips
API:
– crypto.fips
OpenSSL config file:
[ evp_sect ]
# Set to "yes" to enter FIPS mode if supported
fips_mode = yes
Validating you have the right version
Existing code may no longer run
Certificates – only use FIPS algorithms
Certificate Generation
OPENSSL_FIPS=1 openssl req -x509 -newkey rsa:2048 -keyout httpd.key.pem -out httpd.crt.pem -days XXX
Try it out on Bluemix
cf set-env <app-name> FIPS_MODE true
Copyrights and Trademarks
© IBM Corporation 2016. All Rights Reserved
IBM, the IBM logo, ibm.com are trademarks or registered
trademarks of International Business Machines Corp.,
registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the Web at
“Copyright and trademark information” at
www.ibm.com/legal/copytrade.shtml
Node.js is an official trademark of Joyent. IBM SDK for Node.js is not formally
related to or endorsed by the official Joyent Node.js open source or
commercial project.
Java, JavaScript and all Java-based trademarks and logos are trademarks or
registered trademarks of Oracle and/or its affiliates.