a294 fips support in node
TRANSCRIPT
© 2016 IBM Corporation 2
About Michael Dawson
Senior Software Developer @ IBMIBM Runtime Technologies Node.js Technical Lead
Node.js collaborator and CTC member
Active in LTS, build, benchmarking , api
and post-mortem working groups
Contact me:
[email protected]: @mhdawson1
https://www.linkedin.com/in/michael-dawson-6051282
© 2016 IBM Corporation 3
Agenda
• Node.js quick intro
• FIPS 140-2 intro
• OpenSSL integration
• Community History
• Command Line Options
• Gotchas – What to look out for
• Bluemix Example
• Express Example
© 2016 IBM Corporation 5
Node.js – Quick Intro
• JavaScript != Java
• Node.js = Server-side JavaScript
• Event-oriented
• Non-blocking
• Asynchronous
• Uses OpenSSL as cryptographic library
http://www.modulecounts.com/
© 2016 IBM Corporation
• There is a module for that• 300K modules
• #1 on module counts
• #1 on Github (#projects)
• #1 on StackOverflow(2015)
Node.js – Quick Intro
6
© 2016 IBM Corporation
V8 – JavascriptEngine
V8 JavaScript Engine Libuv
Other DependenciesICUCaresZlibhttp_parser
…
Node Binding Layer
Operating System
Node Libraries
Modules (npm or local) + Application
Op
en
SS
L
Node.js – Quick Intro
8
© 2016 IBM Corporation
9
Node.js – crypto APIs
https://nodejs.org/api/crypto.html
• Certificate
• Cipher
• Decipher
• DiffieHellman
• ECDH
• Hash
• HMAC
• Sign
• Verify
© 2016 IBM Corporation 13
FIPS Intro –Why
• Cryptography is an important Tool
• Provides a way to evaluate modules
• May be contract requirements !
© 2016 IBM Corporation 14
• Federal Information Processing Standard (FIPS) –
Publication 140-2
Security Requirements for Cryptographic Modules
• US government security standard
• Co-developed with Canadian Communications
Security Establishment (CSE)
• Independent labs do evaluation
http://csrc.nist.gov/groups/STM/cmvp/standards.html
FIPS Intro
© 2016 IBM Corporation 15
1. Cryptographic Module Specification2. Cryptographic Module Ports and Interfaces3. Roles, Services, and Authentication4. Finite State Model 5. Physical Security6. Operational Environment7. Cryptographic Key Management8. Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC)9. Self Tests10.Design Assurance11.Mitigation of Other Attack
FIPS Intro – Evaluation Areas
© 2016 IBM Corporation 16
FIPS Intro - Levels
• 4 Levels
• Level 1
• 1+ approved algorithms
• Level 2
• Tamper evidence
• Level 3
• Zeroization
• Level 4
• Response to all tamper attempts
Software Generally limitedTo Level 1 !
© 2016 IBM Corporation 17
FIPS Intro
• Approved Security Functions
http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf
• AES, Triple-DES
• DSS, DSA, RSA and ECDSA
• SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-
512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128,
SHAKE256
No MD5 !
© 2016 IBM Corporation
18
Node.js – HTTPS
https://nodejs.org/api/https.html
• HTTPS
• Additional constraints
may apply – ex:
• https://wiki.openssl.
org/index.php/FIPS_
mode_and_TLS
• --tls-cipher-list
© 2016 IBM Corporation 19
FIPS Intro – Europe ?
• Common Criteria
• EAL 1 through 7
• Different profiles
• FIPS still used/potentially accepted
• Higher availability
• Recommendations for TSPs -https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=7&ved=0ahUKEwjm-
oqC0bXPAhUJ4SYKHf3wDV4QFghGMAY&url=https%3A%2F%2Fwww.enisa.europa.eu%2Fpublications%2F
tsp1-framework%2Fat_download%2FfullReport&usg=AFQjCNGe0RewmuzZL4AWyDmy00o-
T0TLfA&sig2=EPdoyDyU6rA93SIBuuDEmw&cad=rja
OpenSSL Integration
© 2016 IBM Corporation
• Node.js Leverages OpenSSL certifications
• FIPs on for Linux so far• https://www.openssl.org/
21
© 2016 IBM Corporation 22
OpenSSL Integration - Certifcation
• http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747
© 2016 IBM Corporation 23
OpenSSL Integration – Security Guide
• Security Policy (36 pages)• https://www.openssl.org/docs/fips/SecurityPolicy-2.0.9.pdf
• User Guide (221 pages)• https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
• Trusted Path Requirement
• User Affirmation
© 2016 IBM Corporation 24
OpenSSL Integration
fipscanister.o
OpenSSL/libcrypto.a
$(OPENSSLDIR)/fips/fipsld –o ….
If (FIPS_mode_set(1)) {…
} else {// indicate error
}
© 2016 IBM Corporation 25
Building
• https://github.com/n
odejs/node/blob/ma
ster/BUILDING.md
• Must follow to the
letter
© 2016 IBM Corporation 26
OpenSSL Integration – Application
• Just using FIPS capable Node.js is not enough
• You have to use correctly (ex TLS example)
• Demonstrate to ‘customer’ you did the right thing
• It is, however, an enabler
© 2016 IBM Corporation 28
Community History
• May 2015 – discussion starts• https://github.com/nodejs/node-v0.x-archive/issues/25463
• Jun 2015 – PR 1890
© 2016 IBM Corporation 29
Community History
• Nov 2015 – Issue 3760
• PRs 3752, 3753, 3754,
3755, 3756, 3757, 3758,3759
• Added to community CI
© 2016 IBM Corporation 30
Community History
• Dec 2015 – NPM cleanup
• Feb 2016 – Command Line Improvement
© 2016 IBM Corporation 32
API and runtime options (v6.x)
• Command Line:
• --enable-fips
• --force-fips
• API
• -crypto.fips
• OpenSSL Config file
[ evp_sect ]# Set to "yes" to enter FIPS mode if supportedfips_mode = yes
© 2016 IBM Corporation 34
API and runtime options (v6.x)
• You need to be
state aware
• Error if already
enabled
OPENSSL_FIPS=1 openssl req -x509 -newkey rsa:2048 -keyout httpd.key.pem -
out httpd.crt.pem -days XXX
• Certificates and keys
• Generation
• Only use FIPs algorithms
• Generate with FIPs module
© 2016 IBM Corporation38
Gotchas
const options = {
key: fs.readFileSync('key.pem'),
cert: fs.readFileSync('cert.pem')
};
© 2016 IBM Corporation 47
Summary
• Node.js quick intro
• FIPS 140-2 intro
• OpenSSL integration
• Community History
• Command Line Options
• Gotchas – What to look out for
• Bluemix Example
• Express Example
Michael Dawson
Thank you very much.
IBMRuntime Technologies
© 2016 IBM Corporation 48
© 2016 IBM Corporation 49
Your feedback is valuable
Please complete your session or lab evaluation!
Session number [A294]
Provide your evaluations by:
Evaluation forms:
Fill out a form at the end of each session
Paper forms are located in each of the session or lab rooms
Complete the session survey on Event Connect Portal: https://portal.ibmeventconnect.com/madrid2016
Select Sessions, then Session Finder, and complete the survey
- Or -
IBMTA16
Twitter@IBMCloud | @IBMWebSphere
LinkedInIBM Cloud
YouTubeIBM Cloud | IBM WebSphere
FacebookIBM Cloud
ibmcloud
Facebook Event PageIBM Techical Academy 2016
websphere
Copyright © 2016 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission
from IBM.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial
publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED
"AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS
INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and
services are warranted according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.
Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers
have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.
References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in
which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and
discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their
specific situation.
It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and
interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such
laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not
tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the
ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual
property right.
• IBM, the IBM logo, ibm.com, Aspera®, Bluemix, Blueworks Live, CICS, Clearcase, Cognos®, DOORS®, Emptoris®, Enterprise Document Management System™,
FASP®, FileNet®, Global Business Services ®, Global Technology Services ®, IBM ExperienceOne™, IBM SmartCloud®, IBM Social Business®, Information on Demand,
ILOG, Maximo®, MQIntegrator®, MQSeries®, Netcool®, OMEGAMON, OpenPower, PureAnalytics™, PureApplication®, pureCluster™, PureCoverage®, PureData®,
PureExperience®, PureFlex®, pureQuery®, pureScale®, PureSystems®, QRadar®, Rational®, Rhapsody®, Smarter Commerce®, SoDA, SPSS, Sterling Commerce®,
StoredIQ, Tealeaf®, Tivoli®, Trusteer®, Unica®, urban{code}®, Watson, WebSphere®, Worklight®, X-Force® and System z® Z/OS, are trademarks of International
Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current
list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
• Node.js is an official trademark of Joyent. IBM SDK for Node.js is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
• Java, JavaScript and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
• npm is a trademark of npm, Inc.