A294 fips support in node

A294
Node.js – FIPS 140-2 support in
Node.js
Michael Dawson, IBM Runtime Technologies

© 2016 IBM Corporation 2
About Michael Dawson
Senior Software Developer @ IBM
IBM Runtime Technologies Node.js Technical Lead
Node.js collaborator and CTC member
Active in LTS, build, benchmarking , api
and post-mortem working groups
Contact me:
michael_dawson@ca.ibm.com
Twitter: @mhdawson1
https://www.linkedin.com/in/michael-dawson-6051282

Agenda
• Node.js quick intro
• FIPS 140-2 intro
• OpenSSL integration
• Community History
• Command Line Options
• Gotchas – What to look out for
• Bluemix Example
• Express Example

Node.js – Quick Intro

• JavaScript != Java
• Node.js = Server-side JavaScript
• Event-oriented
• Non-blocking
• Asynchronous
• Uses OpenSSL as cryptographic library

http://www.modulecounts.com/
© 2016 IBM Corporation
• There is a module for that
• 300K modules
• #1 on module counts
• #1 on Github (#projects)
• #1 on StackOverflow(2015)
6

• Most used runtime in
Bluemix
TM
7

V8 – Javascript
Engine
V8
JavaScript Engine Libuv
Other
Dependencies
ICU
Cares
Zlib
http_parser
…
Node Binding Layer
Operating System
Node Libraries
Modules (npm or local) + Application
OpenSSL
8

9
Node.js – crypto APIs
https://nodejs.org/api/crypto.html
• Certificate
• Cipher
• Decipher
• DiffieHellman
• ECDH
• Hash
• HMAC
• Sign
• Verify

10
Node.js – HTTPS
https://nodejs.org/api/https.html
• HTTPS

Node.js – HTTPS Example

FIPS Intro

FIPS Intro – Why
• Cryptography is an important Tool
• Provides a way to evaluate modules
• May be contract requirements !

• Federal Information Processing Standard (FIPS) –
Publication 140-2
Security Requirements for Cryptographic Modules
• US government security standard
• Co-developed with Canadian Communications
Security Establishment (CSE)
• Independent labs do evaluation
http://csrc.nist.gov/groups/STM/cmvp/standards.html
FIPS Intro

1. Cryptographic Module Specification
2. Cryptographic Module Ports and Interfaces
3. Roles, Services, and Authentication
4. Finite State Model
5. Physical Security
6. Operational Environment
7. Cryptographic Key Management
8. Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC)
9. Self Tests
10.Design Assurance
11.Mitigation of Other Attack
FIPS Intro – Evaluation Areas

FIPS Intro - Levels
• 4 Levels
• Level 1
• 1+ approved algorithms
• Level 2
• Tamper evidence
• Level 3
• Zeroization
• Level 4
• Response to all tamper attempts
Software Generally limited
To Level 1 !

FIPS Intro
• Approved Security Functions
http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf
• AES, Triple-DES
• DSS, DSA, RSA and ECDSA
• SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-
512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128,
SHAKE256
No MD5 !

18
Node.js – HTTPS
https://nodejs.org/api/https.html
• HTTPS
• Additional constraints
may apply – ex:
• https://wiki.openssl.
org/index.php/FIPS_
mode_and_TLS
• --tls-cipher-list

FIPS Intro – Europe ?
• Common Criteria
• EAL 1 through 7
• Different profiles
• FIPS still used/potentially accepted
• Higher availability
• Recommendations for TSPs -
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&ved=0ahUKEwjm-
oqC0bXPAhUJ4SYKHf3wDV4QFghGMAY&url=https%3A%2F%2Fblue-sea-697d.quartiers047.workers.dev%3A443%2Fhttps%2Fwww.enisa.europa.eu%2Fpublications%2F
tsp1-framework%2Fat_download%2FfullReport&usg=AFQjCNGe0RewmuzZL4AWyDmy00o-
T0TLfA&sig2=EPdoyDyU6rA93SIBuuDEmw&cad=rja

OpenSSL Integration

OpenSSL Integration
• Node.js Leverages
OpenSSL certifications
• FIPs on for Linux so far
• https://www.openssl.org/
21

OpenSSL Integration - Certifcation
• http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-
all.htm#1747

OpenSSL Integration – Security Guide
• Security Policy (36 pages)
• https://www.openssl.org/docs/fips/SecurityPolicy-2.0.9.pdf
• User Guide (221 pages)
• https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
• Trusted Path Requirement
• User Affirmation

OpenSSL Integration
fipscanister.o
OpenSSL/
libcrypto.a
$(OPENSSLDIR)/fips/fipsld –o ….
If (FIPS_mode_set(1)) {
…
} else {
// indicate error
}

Building
• https://github.com/n
odejs/node/blob/ma
ster/BUILDING.md
• Must follow to the
letter

OpenSSL Integration – Application
• Just using FIPS capable Node.js is not enough
• You have to use correctly (ex TLS example)
• Demonstrate to ‘customer’ you did the right thing
• It is, however, an enabler

Community History

Community History
• May 2015 – discussion starts
• https://github.com/nodejs/node-v0.x-archive/issues/25463
• Jun 2015 – PR 1890

Community History
• Nov 2015 – Issue 3760
• PRs 3752, 3753, 3754,
3755, 3756, 3757, 3758,3759
• Added to community CI

Community History
• Dec 2015 – NPM cleanup
• Feb 2016 – Command Line Improvement

API and runtime options (v6.x)

• Command Line:
• --enable-fips
• --force-fips
• API
• -crypto.fips
• OpenSSL Config file
[ evp_sect ]
# Set to "yes" to enter FIPS mode if supported
fips_mode = yes

• Force prevents
change

• You need to be
state aware
• Error if already
enabled

Validating you have right version

36
Gotchas

37
Gotchas
• Existing code may no longer run

OPENSSL_FIPS=1 openssl req -x509 -newkey rsa:2048 -keyout httpd.key.pem -
out httpd.crt.pem -days XXX
• Certificates and keys
• Generation
• Only use FIPs algorithms
• Generate with FIPs module
38
Gotchas
const options = {
key: fs.readFileSync('key.pem'),
cert: fs.readFileSync('cert.pem')
};

Bluemix Example
39

cf set-env
FIPS_MODE true
Try it on
out on
Bluemix

Express Example
44

Express Example
45

Express Example
46

Summary
• Node.js quick intro
• FIPS 140-2 intro
• OpenSSL integration
• Community History
• Command Line Options
• Gotchas – What to look out for
• Bluemix Example
• Express Example

Michael Dawson
Thank you very much.
IBM
Runtime Technologies
michael_dawson@ca.ibm.com

Your feedback is valuable
Please complete your session or lab evaluation!
Session number [A294]
Provide your evaluations by:
Evaluation forms:
Fill out a form at the end of each session
Paper forms are located in each of the
session or lab rooms
Complete the session survey on Event
Connect Portal:
https://portal.ibmeventconnect.com/ma
drid2016
Select Sessions, then Session Finder, and
complete the survey
- Or -

IBMTA16
Twitter
@IBMCloud | @IBMWebSphere
LinkedIn
IBM Cloud
YouTube
IBM Cloud | IBM WebSphere
Facebook
IBM Cloud
ibmcloud
Facebook Event Page
IBM Techical Academy 2016
websphere

Copyright © 2016 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission
from IBM.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial
publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED
"AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS
INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and
services are warranted according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.
Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers
have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.
References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in
which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and
discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their
specific situation.
It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and
interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such
laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not
tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the
ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual
property right.
• IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™,
FASP®, FileNet®, Global Business Services ®, Global Technology Services ®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand,
ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®,
PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®,
StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International
Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current
list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
• Node.js is an official trademark of Joyent. IBM SDK for Node.js is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
• Java, JavaScript and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
• npm is a trademark of npm, Inc.

A294 fips support in node

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to A294 fips support in node (20)

More from Michael Dawson (15)

Recently uploaded (20)

A294 fips support in node