Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting our team. We will be in touch shortly.Close

  1. Blog
  2. Article

Lech Sandecki
on 1 April 2020

FIPS 140-2 is a set of publicly announced cryptographic standards developed by the National Institute of Standards and Technology. It is an essential part of FEDRamp requirements for many governmental agencies in the US and Canada, as well as their business partners from all around the world. Furthermore, as a well established and verified security standard, an increasing number of large companies and financial institutions are asking for FIPS compliance. 

Yet, FIPS certification process introduces challenges that could impact your security. Ubuntu lets you choose the way to implement FIPS-certified cryptographic modules with two distinct FIPS alternatives to choose from to overcome those challenges.

FIPS 140-2 certification vs CVE patching

FIPS 140-2 is a great way to assure that the best practices in cryptography are met. The rules that each organisation needs to follow to achieve the FIPS 140-2 certification are very strict. Each component needs to be designed, documented, tested and then validated by the NIST Testing Laboratory. Once a component becomes certified, it cannot be further modified without requiring a re-certification. This individual module validation can take weeks, and so the overall process can easily stretch to over 6 months. 

The apparent drawback of that situation appears when a new security patch becomes available. 

Imagine that a new critical CVE (Common Vulnerability and Exposure) was discovered in the OpenSSH module, but thankfully there is a USN (Ubuntu Security Notice) available to fix it. With a security fix applied  – the module will change and hence will no longer be certified; without it – the module’s security can be compromised by an exploitable vulnerability. 

FIPS Certified or FIPS Compliant

You might be wondering which Ubuntu FIPS version should be used in your organisation. That depends. If you work for a federal government department that collects, stores, transfers and shares sensitive but unclassified information, it’s likely that you’re required to use FIPS Certified modules without any modifications. In other cases – we recommend using FIPS Certified modules that include all security patches. We call it Ubuntu FIPS Compliant

Maintaining FIPS Certified modules security

To keep your FIPS Certified Ubuntu secure we will re-certify all modules every year.

Today, Ubuntu 18.04 LTS and 16.04 LTS has certifications for 5 distinct modules:  

Ubuntu 18.04 LTS

ComponentDescriptionVersionCMVP Certificate
Linux kernel (generic)The Linux kernel cryptographic library4.15.03647
OpenSSLGeneral purpose cryptographic library that includes TLS implementation1.1.13622
OpenSSH clientSSH server application for operating systems7.9p13633
OpenSSH serverSSH client application for operating systems7.9p13632
StrongSWANIPSec based VPN solution library5.6.23648

Ubuntu 16.04 LTS

ComponentDescriptionVersionCMVP Certificate
Linux kernel (generic)The Linux kernel cryptographic library4.4.0.10022962
OpenSSLGeneral purpose cryptographic library that includes TLS implementation1.0.2g2888
OpenSSH clientSSH client application for operating systems7.2p22907
OpenSSH serverSSH server application for operating systems7.2p22906
StrongSWANIPSec based VPN solution library5.3.52978

Start using FIPS 140-2 and other Ubuntu security products  

Both Ubuntu FIPS-certified and Ubuntu FIPS-compliant modules are offered under a comprehensive Ubuntu Advantage for Infrastructure package, starting at $75 per VM per year. Check out the full list of Ubuntu security certifications and hardening standards.

Related posts

Henry Coggill
7 December 2023

Ubuntu 22.04 FIPS 140-3 modules available for preview

FIPS Article

Canonical has been working with our testing lab partner, atsec information security, to prepare the cryptographic modules in Ubuntu 22.04 LTS (Jammy Jellyfish) for certification with NIST under the new FIPS 140-3 standard. The modules passed all of atsec’s algorithm validation tests and are in the queue awaiting NIST’s approval. We can’t ...

Lech Sandecki
3 October 2023

Zenbleed vulnerability fix for Ubuntu

Cloud and server Article

On 24 July 2023, security researchers from Google’s Information Security Engineering team disclosed a hardware vulnerability affecting AMD’s Zen 2 family of microprocessors. They dubbed this vulnerability “Zenbleed” (CVE-2023-20593), evoking memories of previous vulnerabilities like HeartBleed and hinting at its possible impact. In respon ...

26 September 2023

CVE 우선순위 지정을 통한 오픈 소스 보안

Security Security

최근 연구에 따르면 엔터프라이즈 시장의 애플리케이션 중 96%가 오픈 소스 소프트웨어를 사용합니다. 오픈 소스 환경이 점점 더 세분화됨에 따라 조직에 대한 잠재적인 보안 취약점의 영향을 평가하는 작업이 엄청날 수 있습니다. 우분투는 가장 안전한 운영 체제 중 하나로 알려져 있습니다. 하지만 그 이유는 무엇일까요? 우분투 보안팀은 매일 알려진 취약점에 대해 업데이트된 소프트웨어 패키지를 수정하고 릴리스하기 때문에 ...