The document discusses FIPS (Federal Information Processing Standard) compliance within the Node.js environment, specifically focusing on cryptographic modules and their relevance to software developers. It highlights the importance of using FIPS-compliant APIs and includes historical context regarding the community discussions and changes in Node.js pertaining to FIPS since 2015. Additionally, the document outlines the integration process and requirements for utilizing FIPS in applications built with Node.js.

1. FIPS comes to Node.js
Michael Dawson, IBM

2. About Michael Dawson
Loves the web and building software (with Node.js!)
Senior Software Developer @ IBM
IBM Runtime Technologies Node.js Technical Lead
Node.js collaborator and CTC member
Active in LTS, build, benchmarking , api
and post-mortem working groups
Contact me:
michael_dawson@ca.ibm.com
Twitter: @mhdawson1
https://www.linkedin.com/in/michael-dawson-6051282

3. 100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
1000110101010010010101010101010101010101010000111000101101001013
Why do we care ?
 Cryptography is an important Tool
 Provides a way to evaluate modules
 May be contract requirement !

4. 100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
100011010101001001010101010101010101010101000011100010110100101
 Federal Information Processing Standard (FIPS)
– Publication 140-2
 US government security standard for cryptographic modules
–Co-developed with Canadian CSE (Communications security
establishment)
 Independent Labs do evaluation
4
What is it ?
https://en.wikipedia.org/wiki/FIPS_140-2

5.  https://www.openssl.org/
 http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-
all.htm#1747
5
Node Leverages OpenSSL Validation

6.  Security Policy (36 pages)
–https://www.openssl.org/docs/fips/SecurityPolicy-2.0.9.pdf
 User Guide (221 pages)
–https://www.openssl.org/docs/fips/UserGuide-2.0.pdf
 Trusted Path Requirement
 User Affirmation
6
Security Policy and User Guide

7. 7
Integration
fipscanister.o
OpenSSL/
libcrypto.a
$(OPENSSLDIR)/fips/fipsld –o ….
If (FIPS_mode_set(1)) {
…
} else {
// indicate error
}
Linux only so far

8. 8
https://github.com/nodejs/node/blob/master/BUILDING.md

9.  Just using FIPs capable Node.js is not enough
 You have to use correctly
 Demonstrate to ‘customer’ you did the right thing
 It is, however, an enabler
9
Application compliance

10.  May 2015 – discussion starts
–https://github.com/nodejs/node-v0.x-archive/issues/25463
 Jun 2015 –PR 1890
 Nov 2015 - Issue 3760
–PRs 3752, 3753, 3754, 3755,
3756, 3757, 3758, 3759
–Added to community CI
10
Community History

11.  Dec 2015 - NPM cleanup
 Feb 2016 - Command Line improvement
11
Community History

12.  Command Line:
--enable-fips
--force-fips
 API
–crypto.fips
 OpenSSL Config file
12
New API and runtime options (v6.x)
[ evp_sect ]
# Set to "yes" to enter FIPS mode if supported
fips_mode = yes

13. 13
Validating you have the right version

14. 14
Existing code may no
Longer run

15.  Certificates – only use FIPs algorithms
15
Certificate Generation
OPENSSL_FIPS=1 openssl req -x509 -newkey rsa:2048 -keyout
httpd.key.pem -out httpd.crt.pem -days XXX

16. 16
Try it
out on
Bluemix
cf set-env
FIPS_MODE true
TM

17. 17

18. 18

19. Copyrights and Trademarks
© IBM Corporation 2016. All Rights Reserved
IBM, the IBM logo, ibm.com are trademarks or registered
trademarks of International Business Machines Corp.,
registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies.
A current list of IBM trademarks is available on the Web at
“Copyright and trademark information” at
www.ibm.com/legal/copytrade.shtml
Node.js is an official trademark of Joyent. IBM SDK for Node.js is not formally
related to or endorsed by the official Joyent Node.js open source or
commercial project.
Java, JavaScript and all Java-based trademarks and logos are trademarks or
registered trademarks of Oracle and/or its affiliates.