FIPS Compliance

DISCLAIMER

The links and recommendations in this document are from teams that have already coded their application to be FIPS compliant and researched resources on the internet. The Mission App DevOps team do not support making applications FIPS compliant nor do we recommend any specific vendor. We only validate apps are compliant during the pipeline automation process per direction from the Platform One Cyber Team.

Overview

The Federal Information Processing Standards (FIPS) 140-2 standard is a National Institute of Standards and Technology (NIST) information technology security approval program that enforces the use of cryptographic algorithms (e.g. ciphers and functions).

Summary

Platform One Party Bus is a government managed cloud infrastructure and must adhere to the FIPS 140-2 requirement. Therefore, any team that would like to host their application on Party Bus must adhere to the FIPS 140-2 standard. Party Bus verifies an application is using secure FIPS 140-2 approved algorithms in the Fortify stage of the pipeline and will not allow deployment to the Staging or Production environments until the application is compliant.

Additionally, the latest UBI9 images from Ironbank latently enforce FIPS and if any unapproved hashes/algorithms are used within libraries of any stages of the pipelines, the pipelines will fail programatically. This is not a hardline enforcement, but there is no workaround strategy for most FIPS-related failures due to the new UBI9 updates.

What Does this Mean?

1. Every cryptographic operation is using an approved FIPS compliant algorithm.

2. Use of MD5 and SHA1 are prohibited.

3. Is your backend application in FIPS approved only mode?

4. Ensure all APIs are FIPS compliant.

5. Ensure that any libraries being used, whether firsthand within your package files or transitively by other libraries, do not use MD5, SHA1, or other unapproved algorithms

6. Scan the application and verify that it's FIPS compliant (i.e., there are available services for some languages).

Common Issues

1. Ensure that only FIPS validated cryptographic algorithms are used. FIPS mode is enforced at the level of the application or service. It is not generally enforced in the operating system or container. However if running a container on a kubernetes host with FIPS enforced, the container will inherit its FIPS flags, which will trigger certain libraries to enforce FIPS. In the case that you are choosing to enforce FIPS or the the inhertited FIPS settings apply to you, then you must not use a cryptographic algorithm that isn't FIPS-compliant. In short, an application or service is running in FIPS mode if it:

   a. Checks for the policy flag.

   b. Enforces security policies of validated modules.

2. If a reference to any non-FIPS compliant algorithm is in the code, even if not used, FIPS compliance will trigger an error.

3. MD5 is deprecated. FIPS compliance requires SHA256 or newer provider. Any reference to MD5 will have to be removed and all keys regenerated with SHA256 and up.

Troubleshooting

If you are seeing errors that look like the following:

Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:69:19)
    at Object.createHash (node:crypto:136:10)

Or anything that mentions the words crypto, hash or algorithm, you are most likely running into a FIPS issue.

1. The first step is to run a stack trace to figure out where the error is coming from
2. In this example:

Error: error:0308010C:digital envelope routines::unsupported
     at new Hash (node:internal/crypto/hash:69:19)
     at Object.createHash (node:crypto:133:10)
     at module.exports (node_modules/webpack/lib/util/createHash.js:135:53)

you would find the file webpack/lib/util/createHash.js and the line number listed

3. Alternatively you would find the repo for the offending library and the file within. For the library in the example above https://github.com/webpack/webpack/blob/main/lib/util/createHash.js is the file in question. Also ensure that you are using the tag that correlates with the version in your package manager

4. Confirm the offending hash is present. It will be something like md5 or SHA1

5. Navigate to the repo for the public library if you didn't already in step 3. Bring up the branch for the latest version. Confirm that the bad hash is no longer being used

6. Update your library to the latest version.

7. If the issue still exists, please open a ticket with the MDO team

References

• Bouncy Castle FIPS 140-2 Cryptographic Module Security Policy

• CryptoSense Application Tracer
• NIST FIPS 140-2 Requirements
• NIST Compliance FAQs