Appears AWS is phasing out 3DES, pointing back to NIST 800-131A that
reminds us 3DES moves to "disallowed after 2015."
Seems appropriate that we update our XCCDF and OVAL content to phase out
3DES. We'd be slightly ahead of the end of year, but any objections to
writing a patch to phase out 3DES from approved algorithms now?
-------- Forwarded Message --------
Subject: AWS GovCloud (US) Updates for FIPS 140-2 Compliance
Date: Fri, 4 Dec 2015 21:55:45 +0000
From: Amazon Web Services, Inc. <[email protected]>
To: Shawn Wells <shawn@.....>
Dear AWS Customer,
We are contacting you to explain some configuration changes to enhance FIPS
140-2 security and system performance for the AWS GovCloud (US) region. Please
review this information carefully to determine whether your use of services
will be affected, and if so what you need to do.
3DES Deprecation
-----------------------
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic
protocols that are used to encrypt data sent over untrusted networks such as the
Internet. The TLS protocol is a newer version of the SSL protocol. In this
documentation, we refer to both SSL and TLS protocols as the SSL protocol.
In support of our customers’ requirements, AWS GovCloud (US) provides FIPS 140-2 compliant SSL
endpoints. NIST Special Publication sp800-131A specifies the approval status of the 3DES block
cipher algorithm as "Restricted through 2015" and "Disallowed after 2015" for
FIPS 140-2 encryption. AWS GovCloud (US) currently supports AES-128 and AES-256 algorithms
compliant with FIPS 140-2, and will be deprecating support for the 3DES algorithm on March 31,
2016. As an intermediate step, AWS GovCloud (US) has deprioritized the 3DES algorithm to the least
preferred position in the available cipher options proffered by SSL endpoints.
For most customers there is no action required as a result of this change.
However, customers that have either configured their clients specifically to
use only 3DES, or which have clients that don’t support AES, will need to
update their systems to avoid impact prior to the 3DES deprecation date.
If your client is configured to prefer 3DES, but supports AES, it will continue
to work with no interruption in service after the deprecation date. The
administrators of your system or Information System Security Officer may know
if you have specified 3DES as the only acceptable cipher suite. In that case,
you’ll need to make a configuration change to accept AES if your system
requires or desires compliance with FIPS 140-2 standards.
Software Load Balancers
-------------------------------
AWS is transitioning the FIPS endpoint systems used for AWS GovCloud (US) from
hardware load balancers to software load balancers for SSL/TLS offloading. We
have measured at least a 4X improvement in performance for data downloads using
FIPS approved software load balancers over the current hardware implementation.
The new software load balancer is implemented using industry leading TLS 1.2
with AES cipher suites, which represents an improvement in the security of
connections to GovCloud while adhering to current compliance requirements.
This transition changes the AWS GovCloud FIPS 140-2 implementation from Level 2
(hardware required) to Level 1. Note that FIPS 140-2 Level 1 implements the
same level of security in the encryption as Level 2 and does not impact the AWS
GovCloud (US) FedRAMP authorization, as FedRAMP does not specify a required
FIPS 140-2 Level. We recommend, however, that customers review and update their
System Security Plans or other documentation that may refer to AWS GovCloud
(US) utilizing Level 2.
For more information, see the list of frequently asked questions (FAQs) below.
Of course, AWS Support is always available to assist and can be contacted at
https://console.aws.amazon.com/support/. Remember to use the credentials for
the standard AWS account that you used to sign up for AWS GovCloud (US) to
authenticate to the AWS Support Center.
Thank you for being an AWS customer!
Sincerely,
The AWS GovCloud (US) Team
-----------------------------------------------
Frequently Asked Questions: AWS GovCloud (US) Updates for FIPS 140-2 Compliance
Q. What is FIPS 140-2?
The Federal Information Processing Standard (FIPS) Publication 140-2 is a US
government security standard that specifies security requirements for
cryptographic modules protecting sensitive information. To support customers
with FIPS 140-2 requirements, the AWS GovCloud (US) region provides SSL
terminations (a.k.a. service endpoints) that operate using load balancers with
FIPS 140-2 certified modules.
Q. Why is AWS deprecating support for the 3DES algorithm?
The 3DES algorithm (a.k.a. Triple DES, TDEA, and Triple Data Encryption
Algorithm) is an older data encryption standard that will no longer be
recognized as a FIPS 140-2 approved cipher after December 31, 2015. After this
date, customers with FIPS 140-2 requirements will not be compliant if they bind
to the 3DES cipher. The 3DES algorithm was designed for legacy generation
hardware implementations and may be vulnerable to brute force attack with
increasingly powerful computing technology. AWS is therefore deprecating
support for the 3DES cipher in the AWS GovCloud (US) region. To support
customers that don’t have FIPS requirements, the region will continue to
support the 3DES cipher until at least March 31, 2016. We recommend that
customers review their applications to ensure appropriate use of the latest
ciphers.
Q. How do I determine if I’m using the 3DES cipher?
The algorithm used to encrypt data for transport is determined by your
application and the supported client configurations for your application. Your
application may be supported by legacy software components that do not support
AES cipher suites (although this is not common as AES has been a Federal
Government standard since 2002). There are no customer settings to configure
for choosing your preferred cipher in AWS GovCloud (US). The FIPS 140-2
compliant load balancers are able to detect which cipher suite is used.
Q. How do I migrate off of the 3DES cipher?
Customers with FIPS 140-2 requirements should review their applications and
supported clients to ensure appropriate support for the latest approved
encryption ciphers. Customers without FIPS 140-2 requirements can continue to
use AWS GovCloud (US) by utilizing the available non-FIPS SSL endpoints.
Q. Could anything break when I change from the 3DES cipher?
Customers will need to evaluate the impact of any changes to their application.
For example, their users may need to upgrade their web browser or other
software dependencies to ensure uninterrupted application availability.
Q. Why is AWS changing from FIPS Level 2 to FIPS Level 1? Is this a lower level
of protection?
FIPS 140-2 Level 1 implements the same level of security in the encryption as
Level 2. This change does not impact the AWS GovCloud (US) FedRAMP
authorization, as FedRAMP does not specify a required FIPS 140-2 Level. The
updated software load balancers now operate independent of any specific
hardware device, which provides improved system performance, easier upgrades,
and more flexible scaling to meet the needs of AWS GovCloud (US) customers.
Amazon Web Services, Inc. is a subsidiary of Amazon.com, Inc. Amazon.com is a
registered trademark of Amazon.com, Inc. This message was produced and
distributed by Amazon Web Services Inc., 410 Terry Ave. North, Seattle, WA
98109-5210
--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
https://github.com/OpenSCAP/scap-security-guide/
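
Added example (not part of the AWS notice or the original post): a small model of the change described in the forwarded message, showing which client cipher configurations keep working once 3DES is removed. The suite lists and client names are constructed, and selection by the endpoint's own preference order is an assumption.

```python
# Added example. Suite lists are constructed (OpenSSL-style names),
# not the real AWS GovCloud endpoint configuration.

def is_3des(suite):
    """True for 3DES suites in OpenSSL (DES-CBC3) or IANA (3DES_EDE) naming."""
    name = suite.upper()
    return "DES-CBC3" in name or "3DES" in name

# Interim state from the notice: 3DES moved to the least-preferred position.
ENDPOINT_INTERIM = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "AES128-SHA",
    "DES-CBC3-SHA",
]
# State after the deprecation date: 3DES no longer offered at all.
ENDPOINT_AFTER = [s for s in ENDPOINT_INTERIM if not is_3des(s)]

def negotiate(server_pref, client_offer):
    """Assumed server-preference selection: first server suite the client offers."""
    offered = set(client_offer)
    return next((s for s in server_pref if s in offered), None)

def assess(client_offer):
    """Report what a client negotiates now and after 3DES is removed."""
    now = negotiate(ENDPOINT_INTERIM, client_offer)
    after = negotiate(ENDPOINT_AFTER, client_offer)
    if after is not None:
        status = "ok"
    elif now is not None:
        status = "breaks-after-deprecation"
    else:
        status = "no-common-suite"
    return {"now": now, "after": after, "status": status,
            "offers_3des": any(is_3des(s) for s in client_offer)}

# Constructed client configurations matching the cases the notice describes.
CLIENTS = {
    "3des-only": ["DES-CBC3-SHA"],
    "prefers-3des": ["DES-CBC3-SHA", "AES128-SHA"],
    "aes-only": ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA"],
}

if __name__ == "__main__":
    for name, offer in CLIENTS.items():
        print(name, assess(offer))
```

The `offers_3des` flag marks clients that still list 3DES even though they will keep working, which is the configuration a FIPS 140-2 review would want cleaned up.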