FIPS 140-2 mode dependencies
Read about the dependencies on software and hardware that exist if you want to run libica versions in the range 3.0 - 4.0 in FIPS 140-2 mode.
In a certain environment, the libica library is certified according to the FIPS 140-2 standard (see NIST Computer Security Resource Center).
NIST defines the so-called Federal Information Processing Standards (FIPS). One of its publications, FIPS 140-2 Security Requirements For Cryptographic Modules, defines a standard for cryptography-based security systems (crypto modules) used by US Federal organizations to protect sensitive data. FIPS 140-2 certifications are done under the Cryptographic Module Validation Program (CMVP).
The FIPS 140-2 standard specifies four levels of security. Each level corresponds to a set of requirements, and each higher level is a strict superset of the lower levels. Software cryptographic modules can reach at most a level 1 certification. To make libica FIPS 140-2 level 1 conformant, the library has been extended by the following features:
- When running in FIPS mode, only NIST-approved crypto algorithms can be used and various self-tests are conducted. Approved crypto algorithms are listed in Annex A: Approved Security Functions for FIPS PUB 140-2. However, it is possible to disable this feature at compile time. Non-approved algorithms (for example, DES and PRNG) are disabled when running in FIPS mode.
- Various self-tests required by FIPS 140-2 are implemented. If a self-test fails, libica enters an error state (FIPS error state) and does not perform any cryptographic operations. In this case, an error message is written to the syslog.
- The DRBG error state was changed to trigger the FIPS error state. In this case, an error message is written to the syslog.
- New interfaces were added to enable the consuming application to trigger the self-tests on demand and to query the status (see FIPS mode functions). The status indicates which self-tests passed or failed and whether libica is running in FIPS mode.
For detailed information about the FIPS 140-2 standard, see FIPS PUB 140-2.
Dependencies on Open Source software (OpenSSL)
At startup, the library reads the kernel FIPS flag from the proc filesystem (see Enabling the Linux kernel for FIPS mode). If the flag is found to be 1, then the libica deterministic random bit generator (DRBG) must be used for random number generation, because the libica PRNG is disabled in a FIPS build.
Dependencies on hardware
The pseudorandom number generator (PRNG) provided by libica is disabled in FIPS mode, so only the DRBG can be used to generate random data. However, the DRBG needs at least MSA 2 to work. This means that FIPS mode cannot be used if no MSA 2 (introduced with z10™) or higher is available.
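The following added example (not libica code) shows how a consuming application could check both dependencies described above before relying on FIPS mode: the kernel FIPS flag and the MSA 2 requirement of the DRBG. It fails closed when the flag cannot be read reliably. Assumptions: the flag lives at the standard Linux path `/proc/sys/crypto/fips_enabled`, the function and enum names are hypothetical, and the MSA level is supplied by the caller.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumption: standard Linux path; the page only says "the proc filesystem". */
#define KERNEL_FIPS_FLAG "/proc/sys/crypto/fips_enabled"

enum rng_choice { RNG_NOT_FIPS, RNG_DRBG_ONLY, RNG_FIPS_UNAVAILABLE, RNG_ERROR };

/* Returns the flag value (0 or 1), 0 if the file does not exist
 * (assumed: kernel built without FIPS support), -1 on anything unexpected. */
int read_kernel_fips_flag(const char *path)
{
    char buf[8] = {0};
    FILE *f = fopen(path, "r");

    if (f == NULL)
        return errno == ENOENT ? 0 : -1;
    if (fgets(buf, sizeof buf, f) == NULL) {
        fclose(f);
        return -1;              /* empty or unreadable file */
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    if (strcmp(buf, "1") == 0)
        return 1;
    if (strcmp(buf, "0") == 0)
        return 0;
    return -1;                  /* malformed: fail closed, never assume non-FIPS */
}

/* msa_level comes from the caller; detecting it is hardware specific. */
enum rng_choice select_rng(int fips_flag, int msa_level)
{
    if (fips_flag < 0)
        return RNG_ERROR;
    if (fips_flag == 0)
        return RNG_NOT_FIPS;
    return msa_level >= 2 ? RNG_DRBG_ONLY : RNG_FIPS_UNAVAILABLE;
}

int main(void)
{
    int flag = read_kernel_fips_flag(KERNEL_FIPS_FLAG);
    /* MSA level 2 is a constructed sample value. */
    printf("kernel FIPS flag: %d, decision: %d\n", flag, (int)select_rng(flag, 2));
    return 0;
}
```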