
Lech Sandecki
on 1 April 2020


FIPS 140-2 is a set of publicly announced cryptographic standards developed by the National Institute of Standards and Technology. It is an essential part of FedRAMP requirements for many governmental agencies in the US and Canada, as well as their business partners from all around the world. Furthermore, because it is a well-established and verified security standard, an increasing number of large companies and financial institutions are asking for FIPS compliance.

Yet the FIPS certification process introduces challenges that could impact your security. To overcome those challenges, Ubuntu lets you choose between two distinct ways of deploying FIPS-certified cryptographic modules.

FIPS 140-2 certification vs CVE patching

FIPS 140-2 is a great way to assure that the best practices in cryptography are met. The rules that each organisation needs to follow to achieve the FIPS 140-2 certification are very strict. Each component needs to be designed, documented, tested and then validated by the NIST Testing Laboratory. Once a component becomes certified, it cannot be further modified without requiring a re-certification. This individual module validation can take weeks, and so the overall process can easily stretch to over 6 months. 

The drawback of that situation becomes apparent when a new security patch becomes available.

Imagine that a new critical CVE (Common Vulnerabilities and Exposures) entry was discovered in the OpenSSH module, but thankfully there is a USN (Ubuntu Security Notice) available to fix it. With the security fix applied, the module will change and hence will no longer be certified; without it, the module's security can be compromised by an exploitable vulnerability.

FIPS Certified or FIPS Compliant

You might be wondering which Ubuntu FIPS version should be used in your organisation. That depends. If you work for a federal government department that collects, stores, transfers and shares sensitive but unclassified information, it's likely that you're required to use FIPS Certified modules without any modifications. In other cases, we recommend using FIPS Certified modules that include all security patches. We call it Ubuntu FIPS Compliant.

Maintaining FIPS Certified modules security

To keep your FIPS Certified Ubuntu secure, we will re-certify all modules every year.

Today, Ubuntu 18.04 LTS and 16.04 LTS have certifications for 5 distinct modules:

Ubuntu 18.04 LTS

| Component | Description | Version | CMVP Certificate |
|---|---|---|---|
| Linux kernel (generic) | The Linux kernel cryptographic library | 4.15.0 | 3647 |
| OpenSSL | General purpose cryptographic library that includes TLS implementation | 1.1.1 | 3622 |
| OpenSSH client | SSH client application for operating systems | 7.9p1 | 3633 |
| OpenSSH server | SSH server application for operating systems | 7.9p1 | 3632 |
| StrongSWAN | IPSec based VPN solution library | 5.6.2 | 3648 |

Ubuntu 16.04 LTS

| Component | Description | Version | CMVP Certificate |
|---|---|---|---|
| Linux kernel (generic) | The Linux kernel cryptographic library | 4.4.0.1002 | 2962 |
| OpenSSL | General purpose cryptographic library that includes TLS implementation | 1.0.2g | 2888 |
| OpenSSH client | SSH client application for operating systems | 7.2p2 | 2907 |
| OpenSSH server | SSH server application for operating systems | 7.2p2 | 2906 |
| StrongSWAN | IPSec based VPN solution library | 5.3.5 | 2978 |

Start using FIPS 140-2 and other Ubuntu security products  

Both Ubuntu FIPS-certified and Ubuntu FIPS-compliant modules are offered under a comprehensive Ubuntu Advantage for Infrastructure package, starting at $75 per VM per year. Check out the full list of Ubuntu security certifications and hardening standards.
