István Fajth created HDDS-10236:
-----------------------------------

             Summary: Cryptography compliance with FIPS (US regulations)
                 Key: HDDS-10236
                 URL: https://issues.apache.org/jira/browse/HDDS-10236
             Project: Apache Ozone
          Issue Type: Improvement
            Reporter: István Fajth


FIPS stands for Federal Information Processing Standards, defined by the 
National Institute of Standards and Technology (NIST).
The current version is 
[FIPS 140-3|https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf], which 
is based on the ISO/IEC 19790, and it overwrites some points of the ISO standard.

There is a series of modifications under NIST SP 800-140 from A to F as follows:
A: documentation requirements
B: security policy requirements
C: approved security functions
D: approved sensitive security parameter generation and establishment methods
E: approved authentication mechanisms
F: approved non-invasive attack mitigation test metrics

Unfortunately the ISO/IEC 19970 is behind a paywall, but based on FIPS 140-3's 
description it is highly influenced by FIPS 140-2, so the approach we can 
easily take for the first steps is to have the first set of requirements based 
on FIPS 140-2 and understand the differences of 140-3 based on the NIST 
overrides and the standard itself.

The main area of focus as a starting point is to work on the security functions 
and parameter generation related questions, then security policy, authentication 
and documentation related questions. Note that not all of these areas are 
applicable to software and some are needed for certification purposes; those 
will be skipped for now.

It is not part of the scope to actually bring Apache Ozone through the FIPS 
certification process at the moment.
It is not a goal to make Ozone FIPS compliant by default; the aim is to enable 
it to be compliant with the FIPS regulations, either by making things that are 
not compliant pluggable, and with that enabling the compliant version to be 
plugged in as well, or by making it easy to rule out the usage of non-compliant 
things via configuration, without changing the default behaviour.


