A294 Node.js – FIPS 140-2 support in Node.js Michael Dawson, IBM Runtime Technologies

Post on 15-Apr-2017

© 2016 IBM Corporation 2

About Michael Dawson

Senior Software Developer @ IBM

IBM Runtime Technologies Node.js Technical Lead

Node.js collaborator and CTC member

Active in LTS, build, benchmarking, api and post-mortem working groups

Contact me:

[email protected]: @mhdawson1

https://www.linkedin.com/in/michael-dawson-6051282

Agenda

• Node.js quick intro

• FIPS 140-2 intro

• OpenSSL integration

• Community History

• Command Line Options

• Gotchas – What to look out for

• Bluemix Example

• Express Example

Node.js – Quick Intro

• JavaScript != Java

• Node.js = Server-side JavaScript

• Event-oriented

• Non-blocking

• Asynchronous

• Uses OpenSSL as cryptographic library

http://www.modulecounts.com/

• There is a module for that

• 300K modules

• #1 on module counts

• #1 on GitHub (#projects)

• #1 on StackOverflow (2015)

• Most used runtime in Bluemix™

[Architecture diagram. Components shown: Modules (npm or local) + Application; Node Libraries; Node Binding Layer; V8 JavaScript Engine; libuv; OpenSSL; other dependencies (ICU, c-ares, zlib, http_parser); Operating System]

Node.js – crypto APIs

https://nodejs.org/api/crypto.html

• Certificate

• Cipher

• Decipher

• DiffieHellman

• ECDH

• Hash

• HMAC

• Sign

• Verify

Node.js – HTTPS

https://nodejs.org/api/https.html

• HTTPS

Node.js – HTTPS Example

FIPS Intro

FIPS Intro – Why

• Cryptography is an important tool

• Provides a way to evaluate modules

• May be contract requirements!

FIPS Intro

• Federal Information Processing Standard (FIPS) – Publication 140-2: Security Requirements for Cryptographic Modules

• US government security standard

• Co-developed with Canadian Communications Security Establishment (CSE)

• Independent labs do evaluation

http://csrc.nist.gov/groups/STM/cmvp/standards.html

FIPS Intro – Evaluation Areas

1. Cryptographic Module Specification
2. Cryptographic Module Ports and Interfaces
3. Roles, Services, and Authentication
4. Finite State Model
5. Physical Security
6. Operational Environment
7. Cryptographic Key Management
8. Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC)
9. Self Tests
10. Design Assurance
11. Mitigation of Other Attacks

FIPS Intro - Levels

• 4 Levels

• Level 1

• 1+ approved algorithms

• Level 2

• Tamper evidence

• Level 3

• Zeroization

• Level 4

• Response to all tamper attempts

Software generally limited to Level 1!

FIPS Intro

• Approved Security Functions

http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf

• AES, Triple-DES

• DSS, DSA, RSA and ECDSA

• SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256

No MD5!

Node.js – HTTPS

https://nodejs.org/api/https.html

• HTTPS

• Additional constraints may apply – ex:

• https://wiki.openssl.org/index.php/FIPS_mode_and_TLS

• --tls-cipher-list

FIPS Intro – Europe?

• Common Criteria

• EAL 1 through 7

• Different profiles

• FIPS still used/potentially accepted

• Higher availability

• Recommendations for TSPs - https://www.enisa.europa.eu/publications/tsp1-framework/at_download/fullReport

OpenSSL Integration

• Node.js leverages OpenSSL certifications

• FIPS on for Linux so far

• https://www.openssl.org/

OpenSSL Integration - Certification

• http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747

OpenSSL Integration – Security Guide

• Security Policy (36 pages)

• https://www.openssl.org/docs/fips/SecurityPolicy-2.0.9.pdf

• User Guide (221 pages)

• https://www.openssl.org/docs/fips/UserGuide-2.0.pdf

• Trusted Path Requirement

• User Affirmation

OpenSSL Integration

fipscanister.o

OpenSSL/libcrypto.a

$(OPENSSLDIR)/fips/fipsld -o ….

if (FIPS_mode_set(1)) {
    …
} else {
    // indicate error
}

Building

• https://github.com/nodejs/node/blob/master/BUILDING.md

• Must follow to the letter

OpenSSL Integration – Application

• Just using FIPS capable Node.js is not enough

• You have to use it correctly (e.g. the TLS example)

• Demonstrate to ‘customer’ you did the right thing

• It is, however, an enabler

Community History

• May 2015 – discussion starts

• https://github.com/nodejs/node-v0.x-archive/issues/25463

• Jun 2015 – PR 1890

• Nov 2015 – Issue 3760

• PRs 3752, 3753, 3754, 3755, 3756, 3757, 3758, 3759

• Added to community CI

• Dec 2015 – NPM cleanup

• Feb 2016 – Command Line Improvement

API and runtime options (v6.x)

• Command Line:

• --enable-fips

• --force-fips

• API

• crypto.fips

• OpenSSL Config file

[ evp_sect ]
# Set to "yes" to enter FIPS mode if supported
fips_mode = yes

• Force prevents change

• You need to be state aware

• Error if already enabled

Validating you have the right version

Gotchas

• Existing code may no longer run
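
The state-aware check from the API and runtime options slides, combined with the "existing code may no longer run" gotcha, as an added example that is not from the original slides: it reads crypto.fips before trying to set it, fails closed when FIPS is required, and probes which digests the current mode still accepts. The function names and the injectable `api` parameter are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// True when the runtime reports FIPS mode. crypto.fips is the v6.x property
// named on the slide; `api` is an assumed injection point for testing.
function fipsActive(api = crypto) {
  return Boolean(api.fips);
}

// State-aware enable: the slides note that setting the flag when FIPS is
// already on is an error and that --force-fips prevents any change, so the
// state is read first and a failed switch is reported, not left uncaught.
function ensureFips(api = crypto) {
  if (fipsActive(api)) {
    return { active: true, changed: false, error: null };
  }
  try {
    api.fips = true;
  } catch (err) {
    // For example: a Node.js binary that was not built against a FIPS module.
    return { active: fipsActive(api), changed: false, error: err.message };
  }
  return { active: fipsActive(api), changed: true, error: null };
}

// Find digests that existing code relies on but the current mode rejects.
// MD5 is not an approved function, so under FIPS it is reported as unusable.
function probeDigests(names, api = crypto) {
  const usable = {};
  for (const name of names) {
    try {
      api.createHash(name).update('probe').digest('hex');
      usable[name] = true;
    } catch (err) {
      usable[name] = false;
    }
  }
  return usable;
}

// Fail closed: a deployment that requires FIPS must not start without it.
function startupCheck(requireFips, api = crypto) {
  const state = ensureFips(api);
  return { ok: !requireFips || state.active, state };
}

// Read-only report for the running process (does not change the mode).
console.log({ fips: fipsActive(), digests: probeDigests(['md5', 'sha1', 'sha256']) });
```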

• Certificates and keys

• Generation

• Only use FIPS algorithms

• Generate with FIPS module

OPENSSL_FIPS=1 openssl req -x509 -newkey rsa:2048 -keyout httpd.key.pem -out httpd.crt.pem -days XXX

const fs = require('fs');

// Key and certificate must be generated with FIPS-approved algorithms
const options = {
  key: fs.readFileSync('key.pem'),
  cert: fs.readFileSync('cert.pem')
};

Bluemix Example

cf set-env FIPS_MODE true

Try it out on Bluemix

Express Example

Summary

• Node.js quick intro

• FIPS 140-2 intro

• OpenSSL integration

• Community History

• Command Line Options

• Gotchas – What to look out for

• Bluemix Example

• Express Example

Thank you very much.

Michael Dawson

IBM Runtime Technologies

[email protected]
