FIPS comes to Node.jsMichael Dawson, IBM

About Michael Dawson Loves the web and building software (with Node.js!)

Senior Software Developer @ IBMIBM Runtime Technologies Node.js Technical Lead

Node.js collaborator and CTC member

Active in LTS, build, benchmarking , apiand post-mortem working groups

Contact me:

michael_dawson@ca.ibm.comTwitter: @mhdawson1https://www.linkedin.com/in/michael-dawson-6051282

1000110101010010010101010101010101010101010000111000101101001011000110101010010010101010101010101010101010000111000101101001011000110101010010010101010101010101010101010000111000101101001011000110101010010010101010101010101010101010000111000101101001011000110101010010010101010101010101010101010000111000101101001011000110101010010010101010101010101010101010000111000101101001011000110101010010010101010101010101010101010000111000101101001011000110101010010010101010101010101010101010000111000101101001011000110101010010010101010101010101010101010000111000101101001011000110101010010010101010101010101010101010000111000101101001011000110101010010010101010101010101010101010000111000101101001011000110101010010010101010101010101010101010000111000101101001011000110101010010010101010101010101010101010000111000101101001011000110101010010010101010101010101010101010000111000101101001011000110101010010010101010101010101010101010000111000101101001011000110101010010010101010101010101010101010000111000101101001011000110101010010010101010101010101010101010000111000101101001011000110101010010010101010101010101010101010000111000101101001013

Why do we care ?

Cryptography is an important Tool

Provides a way to evaluate modules

May be contract requirement !

100011010101001001010101010101010101010101000011100010110100101100011010101001001010101010101010101010101000011100010110100101100011010101001001010101010101010101010101000011100010110100101100011010101001001010101010101010101010101000011100010110100101100011010101001001010101010101010101010101000011100010110100101100011010101001001010101010101010101010101000011100010110100101100011010101001001010101010101010101010101000011100010110100101100011010101001001010101010101010101010101000011100010110100101100011010101001001010101010101010101010101000011100010110100101100011010101001001010101010101010101010101000011100010110100101100011010101001001010101010101010101010101000011100010110100101100011010101001001010101010101010101010101000011100010110100101100011010101001001010101010101010101010101000011100010110100101100011010101001001010101010101010101010101000011100010110100101100011010101001001010101010101010101010101000011100010110100101100011010101001001010101010101010101010101000011100010110100101100011010101001001010101010101010101010101000011100010110100101100011010101001001010101010101010101010101000011100010110100101

Federal Information Processing Standard (FIPS)

– Publication 140-2

US government security standard for cryptographic modules

–Co-developed with Canadian CSE (Communications security

establishment)

Independent Labs do evaluation

4

What is it ?

https://en.wikipedia.org/wiki/FIPS_140-2

https://www.openssl.org/

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-

all.htm#1747

5

Node Leverages OpenSSL Validation

Security Policy (36 pages)

–https://www.openssl.org/docs/fips/SecurityPolicy-2.0.9.pdf

User Guide (221 pages)

–https://www.openssl.org/docs/fips/UserGuide-2.0.pdf

Trusted Path Requirement

User Affirmation

6

Security Policy and User Guide

7

Integration

fipscanister.o

OpenSSL/libcrypto.a

$(OPENSSLDIR)/fips/fipsld –o ….

If (FIPS_mode_set(1)) {…

} else {// indicate error

}

Linux only so far

8

https://github.com/nodejs/node/blob/master/BUILDING.md

Just using FIPs capable Node.js is not enough

You have to use correctly

Demonstrate to ‘customer’ you did the right thing

It is, however, an enabler

9

Application compliance

May 2015 – discussion starts

–https://github.com/nodejs/node-v0.x-archive/issues/25463

Jun 2015 –PR 1890

Nov 2015 - Issue 3760

–PRs 3752, 3753, 3754, 3755,

3756, 3757, 3758, 3759

–Added to community CI

10

Community History

Dec 2015 - NPM cleanup

Feb 2016 - Command Line improvement

11

Community History

Command Line:

--enable-fips

--force-fips

API

–crypto.fips

OpenSSL Config file

12

New API and runtime options (v6.x)

[ evp_sect ]# Set to "yes" to enter FIPS mode if supportedfips_mode = yes

13

Validating you have the right version

14

Existing code may no Longer run

Certificates – only use FIPs algorithms

15

Certificate Generation

OPENSSL_FIPS=1 openssl req -x509 -newkey rsa:2048 -keyouthttpd.key.pem -out httpd.crt.pem -days XXX

16

Try it out on Bluemix

cf set-envFIPS_MODE true

TM

17

18

Copyrights and Trademarks

© IBM Corporation 2016. All Rights Reserved

IBM, the IBM logo, ibm.com are trademarks or registered

trademarks of International Business Machines Corp.,

registered in many jurisdictions worldwide. Other product and

service names might be trademarks of IBM or other companies.

A current list of IBM trademarks is available on the Web at

“Copyright and trademark information” at

www.ibm.com/legal/copytrade.shtml

Node.js is an official trademark of Joyent. IBM SDK for Node.js is not formally

related to or endorsed by the official Joyent Node.js open source or

commercial project.

Java, JavaScript and all Java-based trademarks and logos are trademarks or

registered trademarks of Oracle and/or its affiliates.