A294
Node.js – FIPS 140-2 support in Node.js
Michael Dawson, IBM Runtime Technologies
© 2016 IBM Corporation 2
About Michael Dawson
Senior Software Developer @ IBM
IBM Runtime Technologies Node.js Technical Lead
Node.js collaborator and CTC member
Active in LTS, build, benchmarking, api and post-mortem working groups
Contact me:
michael_dawson@ca.ibm.com
Twitter: @mhdawson1
https://www.linkedin.com/in/michael-dawson-6051282
Agenda
• Node.js quick intro
• FIPS 140-2 intro
• OpenSSL integration
• Community History
• Command Line Options
• Gotchas – What to look out for
• Bluemix Example
• Express Example
Node.js – Quick Intro
• JavaScript != Java
• Node.js = Server-side JavaScript
• Event-oriented
• Non-blocking
• Asynchronous
• Uses OpenSSL as cryptographic library
Node.js – Quick Intro
• There is a module for that
• 300K modules
• #1 on module counts
• #1 on GitHub (#projects)
• #1 on Stack Overflow (2015)
http://www.modulecounts.com/
Node.js – Quick Intro
• Most used runtime in Bluemix™
Node.js – Quick Intro
[Architecture diagram. Components shown: Modules (npm or local) + Application; Node Libraries; Node Binding Layer; V8 JavaScript Engine; Libuv; OpenSSL; Other Dependencies (ICU, Cares, Zlib, http_parser, …); Operating System]
Node.js – crypto APIs
https://nodejs.org/api/crypto.html
• Certificate
• Cipher
• Decipher
• DiffieHellman
• ECDH
• Hash
• HMAC
• Sign
• Verify
Node.js – HTTPS
https://nodejs.org/api/https.html
• HTTPS
Node.js – HTTPS Example
FIPS Intro
FIPS Intro – Why
• Cryptography is an important tool
• Provides a way to evaluate modules
• May be contract requirements!
FIPS Intro
• Federal Information Processing Standard (FIPS) – Publication 140-2: Security Requirements for Cryptographic Modules
• US government security standard
• Co-developed with Canadian Communications Security Establishment (CSE)
• Independent labs do evaluation
http://csrc.nist.gov/groups/STM/cmvp/standards.html
FIPS Intro – Evaluation Areas
1. Cryptographic Module Specification
2. Cryptographic Module Ports and Interfaces
3. Roles, Services, and Authentication
4. Finite State Model
5. Physical Security
6. Operational Environment
7. Cryptographic Key Management
8. Electromagnetic Interference/Electromagnetic Compatibility (EMI/EMC)
9. Self Tests
10. Design Assurance
11. Mitigation of Other Attacks
FIPS Intro - Levels
• 4 Levels
  • Level 1
    • 1+ approved algorithms
  • Level 2
    • Tamper evidence
  • Level 3
    • Zeroization
  • Level 4
    • Response to all tamper attempts
Software generally limited to Level 1!
FIPS Intro
• Approved Security Functions
http://csrc.nist.gov/publications/fips/fips140-2/fips1402annexa.pdf
• AES, Triple-DES
• DSS, DSA, RSA and ECDSA
• SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256
No MD5!
Node.js – HTTPS
https://nodejs.org/api/https.html
• HTTPS
• Additional constraints may apply – ex:
  • https://wiki.openssl.org/index.php/FIPS_mode_and_TLS
  • --tls-cipher-list
FIPS Intro – Europe?
• Common Criteria
• EAL 1 through 7
• Different profiles
• FIPS still used/potentially accepted
• Higher availability
• Recommendations for TSPs - https://www.enisa.europa.eu/publications/tsp1-framework/at_download/fullReport
OpenSSL Integration
• Node.js leverages OpenSSL certifications
• FIPS on for Linux so far
• https://www.openssl.org/
OpenSSL Integration - Certification
• http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747
OpenSSL Integration – Security Guide
• Security Policy (36 pages)
• https://www.openssl.org/docs/fips/SecurityPolicy-2.0.9.pdf
• User Guide (221 pages)
• https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
• Trusted Path Requirement
• User Affirmation
OpenSSL Integration
fipscanister.o
OpenSSL/
libcrypto.a
$(OPENSSLDIR)/fips/fipsld -o …
if (FIPS_mode_set(1)) {
    // …
} else {
    // indicate error
}
Building
• https://github.com/nodejs/node/blob/master/BUILDING.md
• Must follow to the letter
OpenSSL Integration – Application
• Just using FIPS capable Node.js is not enough
• You have to use it correctly (e.g. the TLS example)
• Demonstrate to ‘customer’ you did the right thing
• It is, however, an enabler
Community History
• May 2015 – discussion starts
• https://github.com/nodejs/node-v0.x-archive/issues/25463
• Jun 2015 – PR 1890
• Nov 2015 – Issue 3760
• PRs 3752, 3753, 3754, 3755, 3756, 3757, 3758, 3759
• Added to community CI
• Dec 2015 – NPM cleanup
• Feb 2016 – Command Line Improvement
API and runtime options (v6.x)
• Command Line:
  • --enable-fips
  • --force-fips
• API
  • crypto.fips
• OpenSSL Config file
[ evp_sect ]
# Set to "yes" to enter FIPS mode if supported
fips_mode = yes
• Force prevents change
• You need to be state aware
• Error if already enabled
Validating you have right version
Gotchas
• Existing code may no longer run
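The state check from the API slides and the "existing code may no longer run" gotcha, combined into a start-up preflight. This is an added example, not code from the talk; the function names, the OpenSSL digest-name mapping and the sample algorithm list are assumptions.

```javascript
// Added example (not from the original slides): a FIPS start-up preflight.
const crypto = require('crypto');

// OpenSSL digest names for the SHA-1/SHA-2 entries on the "Approved Security
// Functions" slide. The name mapping is this example's assumption.
const APPROVED_HASHES = new Set(['sha1', 'sha224', 'sha256', 'sha384', 'sha512']);

// crypto.fips is the v6.x API from the slide; later Node.js releases also
// expose crypto.getFips(), which is preferred here when present.
function fipsEnabled() {
  const state = typeof crypto.getFips === 'function' ? crypto.getFips() : crypto.fips;
  return Boolean(state);
}

// Try each digest the application depends on. In FIPS mode an unapproved
// digest such as MD5 fails at createHash(), which is how "existing code may
// no longer run" shows up in practice.
function auditHashes(names) {
  return names.map((raw) => {
    const name = String(raw).toLowerCase();
    let usable = true;
    let error = null;
    try {
      crypto.createHash(name).update('preflight').digest('hex');
    } catch (err) {
      usable = false;
      error = err.message;
    }
    return { name, approved: APPROVED_HASHES.has(name), usable, error };
  });
}

// Combine both checks into one report that can be logged at start-up and
// kept as evidence of the mode the process actually ran in.
function preflight(names, opts = {}) {
  const fips = fipsEnabled();
  const problems = [];
  if (opts.requireFips && !fips) {
    problems.push('FIPS mode is off; start node with --enable-fips or --force-fips');
  }
  for (const h of auditHashes(names)) {
    if (!h.approved) problems.push(`${h.name}: not an approved hash, replace it`);
    else if (!h.usable) problems.push(`${h.name}: approved but unavailable (${h.error})`);
  }
  return { fips, ok: problems.length === 0, problems };
}

// Constructed sample: digests a hypothetical application uses.
console.log(preflight(['sha256', 'md5'], { requireFips: true }));
```

The preflight only reads the mode and never sets crypto.fips, so it behaves the same whether or not --force-fips has locked the setting.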
Gotchas
• Certificates and keys
• Generation
• Only use FIPS algorithms
• Generate with FIPS module
OPENSSL_FIPS=1 openssl req -x509 -newkey rsa:2048 -keyout httpd.key.pem -out httpd.crt.pem -days XXX
const fs = require('fs');
// TLS key and certificate passed to the HTTPS server
const options = {
  key: fs.readFileSync('key.pem'),
  cert: fs.readFileSync('cert.pem')
};
Bluemix Example
cf set-env <app-name> FIPS_MODE true
Try it out on Bluemix
Express Example
Summary
• Node.js quick intro
• FIPS 140-2 intro
• OpenSSL integration
• Community History
• Command Line Options
• Gotchas – What to look out for
• Bluemix Example
• Express Example
Thank you very much.
Michael Dawson
IBM Runtime Technologies
michael_dawson@ca.ibm.com
IBM Technical Academy 2016