FIPS comes to Node.js
Michael Dawson, IBM
About Michael Dawson
Loves the web and building software (with Node.js!)
Senior Software Developer @ IBM
IBM Runtime Technologies Node.js Technical Lead
Node.js collaborator and CTC member
Active in the LTS, build, benchmarking, API and post-mortem working groups
Contact me:
michael_dawson@ca.ibm.com
Twitter: @mhdawson1
https://www.linkedin.com/in/michael-dawson-6051282
Why do we care?
• Cryptography is an important tool
• FIPS provides a way to evaluate cryptographic modules
• May be a contract requirement!
• Federal Information Processing Standard (FIPS)
– Publication 140-2
• US government security standard for cryptographic modules
– Co-developed with the Canadian CSE (Communications Security Establishment)
• Independent labs do the evaluation
What is it?
• https://en.wikipedia.org/wiki/FIPS_140-2
• https://www.openssl.org/
• http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747
Node Leverages OpenSSL Validation
• Security Policy (36 pages)
– https://www.openssl.org/docs/fips/SecurityPolicy-2.0.9.pdf
• User Guide (221 pages)
– https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
• Trusted Path Requirement
• User Affirmation
Security Policy and User Guide
Integration
fipscanister.o is linked into OpenSSL/libcrypto.a with the FIPS-supplied linker wrapper:
$(OPENSSLDIR)/fips/fipsld -o ….
At runtime the application switches the module into FIPS mode before using any crypto:
#include <openssl/crypto.h>
#include <openssl/err.h>
/* FIPS_mode_set(1) runs the module's self-tests; non-zero means FIPS mode is on */
if (FIPS_mode_set(1)) {
…
} else {
/* indicate error: self-tests failed or the FIPS module is not linked in */
ERR_print_errors_fp(stderr);
}
Linux only so far
https://github.com/nodejs/node/blob/master/BUILDING.md
• Just using a FIPS-capable Node.js is not enough
• You have to use it correctly
• Demonstrate to the ‘customer’ that you did the right thing
• It is, however, an enabler
Application compliance
• May 2015 – discussion starts
– https://github.com/nodejs/node-v0.x-archive/issues/25463
• Jun 2015 – PR 1890
• Nov 2015 – Issue 3760
– PRs 3752, 3753, 3754, 3755, 3756, 3757, 3758, 3759
– Added to community CI
Community History
• Dec 2015 – NPM cleanup
• Feb 2016 – Command line improvement
Community History
• Command line:
--enable-fips
--force-fips
• API
– crypto.fips
• OpenSSL config file
New API and runtime options (v6.x)
[ evp_sect ]
# Set to "yes" to enter FIPS mode if supported
fips_mode = yes
Validating you have the right version
Existing code may no longer run
• Certificates – only use FIPS algorithms
Certificate Generation
OPENSSL_FIPS=1 openssl req -x509 -newkey rsa:2048 -keyout httpd.key.pem -out httpd.crt.pem -days XXX
Try it out on Bluemix
cf set-env FIPS_MODE true
Copyrights and Trademarks
© IBM Corporation 2016. All Rights Reserved
IBM, the IBM logo, ibm.com are trademarks or registered
trademarks of International Business Machines Corp.,
registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the Web at
“Copyright and trademark information” at
www.ibm.com/legal/copytrade.shtml
Node.js is an official trademark of Joyent. IBM SDK for Node.js is not formally
related to or endorsed by the official Joyent Node.js open source or
commercial project.
Java, JavaScript and all Java-based trademarks and logos are trademarks or
registered trademarks of Oracle and/or its affiliates.