
FIPS 140-2 in the World of Postgres

Community Manager


We've been hearing a lot of questions on FIPS 140-2 lately - so, what is it?

 

Well, the full definitions are at https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Standards, but the layman's version, which can be attributed to Wikipedia(1), is as follows...

 

What is it? Simply put, it is a program designed to validate cryptographic modules used by Federal agencies.

 

The FIPS (Federal Information Processing Standards) 140-2 validation is a result of the FIPS 140 Publication Series issued by the National Institute of Standards and Technology (NIST). The intent was to coordinate and standardize the requirements covering cryptographic modules. This includes both hardware and software components.

 

In order to ensure confidentiality and integrity of information within a security system, a protected cryptographic module is needed. FIPS specifies the security requirements that need to be addressed and satisfied within the cryptographic module. The requirements cover both the cryptographic modules and the associated documentation and (at the highest security level) certain aspects of the comments included in the source code.  

 

The standard defines four qualitative security levels, each more stringent than the last, designed to cover a wide range of applications and environments. The security requirements focus on secure design and implementation of cryptographic modules. This includes cryptographic module ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks. Using validated cryptographic modules is a requirement of the US Government for all unclassified uses of cryptography and is recommended by the Government of Canada for its unclassified applications.

 

How are modules validated?

The Cryptographic Module Validation Program (CMVP) is operated jointly by the United States Government's National Institute of Standards and Technology (NIST) Computer Security Division and the Communications Security Establishment (CSE) of the Government of Canada. The CMVP provides validation that a cryptographic module conforms to the standards listed in FIPS 140-1 or FIPS 140-2.  A validation certificate identifies and confirms the specific module name, hardware, software, firmware, and/or applet version numbers. 

 

Vendors that use private or open source cryptographic modules, or commercial cryptographic modules (aka hardware security module - HSM), to collect, store, share, transfer, or disseminate sensitive but unclassified (SBU) information should ensure their modules meet the stringent criteria defined in the FIPS 140 series and are fully accredited.

 

Modules validated as conforming to FIPS 140-2 are accepted by the federal agencies of both the US and Canada for the protection of sensitive information.

 

EXCITING NEWS!

EnterpriseDB has fully complied with the FIPS 140-2 requirements and has completed the validation process for Windows. EDB can now offer a FIPS 140-2 compliant/certified option for Advanced Server on Windows. FIPS 140-2 can be enforced on RHEL using the RHEL OpenSSL FIPS-compliant modules.

 

The CMVP certificate for EnterpriseDB can be found here: 

https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Certificate/3130

 

(1) Wikipedia references: https://en.wikipedia.org/wiki/FIPS_140 and https://en.wikipedia.org/wiki/FIPS_140-2