TomcatExpert


Ask the Experts : Can Apache Tomcat be FIPS compliant?

Can Tomcat be made FIPS compliant? Or is changing the Crypto Provider to a FIPS compliant Provider enough? Because when starting up it needs to invoke the self tests in FIPS mode, how can Tomcat achieve this? Is there a Tomcat start-up configuration file that can achieve this?

asked by amin123


Since this question is usually about FIPS 140-2 ("Security"), we'll assume that is the focus of this question.

FIPS is primarily focused on Encryption and targets the development and production processes, although FIPS 140 at higher levels also includes several other security areas. FIPS certification may not be necessary in all cases. It is sometimes sufficient to be able to run Tomcat with a FIPS compliant JSSE provider. It all depends on the FIPS Level and specific requirements of the procurement. At higher levels, and in many more sensitive projects, not only does the encryption have to be FIPS compliant, but so does much of the invoking application.

There are a couple of commercial Encryption options, including ones from SpringSource that have successfully tested Tomcat 4, 5 & 6 with a FIPS certified JSSE provider on 1.5 and 1.6 JVMs.

FIPS comes in hierarchical layers, each assuming the Level below is met. These are:

  • FIPS 140-2 Level 1 is the lowest and imposes very limited requirements; loosely, all components must be "production-grade" and various egregious kinds of insecurity must be absent.
  • FIPS 140-2 Level 2 adds requirements for physical tamper-evidence and role-based authentication.
  • FIPS 140-2 Level 3 adds requirements for physical tamper-resistance (making it difficult for attackers to gain access to sensitive information contained in the module) and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module, and its other interfaces.
  • FIPS 140-2 Level 4 makes the physical security requirements more stringent, and requires robustness against environmental attacks.

Additionally, FIPS 140-2 certification covers eleven software development and production areas:

  • Cryptographic module specification (what must be documented)
  • Cryptographic module ports and interfaces (what information flows in and out, and how it must be segregated)
  • Roles, services and authentication (who can do what with the module, and how this is checked)
  • Finite state model (documentation of the high-level states the module can be in, and how transitions occur)
  • Physical security (tamper evidence and resistance, and robustness against extreme environmental conditions)
  • Operational environment (what sort of operating system the module uses and is used by)
  • Cryptographic key management (generation, entry, output, storage and destruction of keys)
  • EMI/EMC
  • Self-tests (what must be tested and when, and what must be done if a test fails)
  • Design assurance (what documentation must be provided to demonstrate that the module has been well designed and implemented)
  • Mitigation of other attacks (if a module is designed to mitigate against, say, TEMPEST attacks then its documentation must say how)

I am not aware of anyone who has taken Tomcat through FIPS, which is an ongoing process, not an event. FIPS certification requires extensive documentation of development and test processes and must be (partially) re-done each time a new version of the software is released. At higher levels, third party (there are a VERY limited number of authorized certification agencies) auditing and certification becomes part of the process, adding additional cost and product delay.

As such, it's inherently quite costly (high hundreds of thousands of dollars to low millions each time), so it requires a very significant commitment in time and third party fees on the part of the software provider. It also dramatically slows new releases, since FIPS certification adds months to development schedules, so it's generally only appropriate for relatively static software.


answered by avanabs on June 16, 2011 11:49 AM
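The answer above says that at lower levels it can be enough to run Tomcat with a FIPS-compliant JSSE provider. The following is an added example (not code from the original post or from the Tomcat project) of a Tomcat `LifecycleListener` that refuses to start the server unless the expected provider is the one actually in effect; the package name and the `fips.expected.provider` system property are hypothetical, and the provider name you pass in (for example the name your FIPS provider registers with `java.security`) is an assumption.

```java
package example.fips; // hypothetical package name

import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;

/** Refuses to start Tomcat unless the expected FIPS provider is the one in effect. */
public class FipsProviderCheckListener implements LifecycleListener {
    @Override
    public void lifecycleEvent(LifecycleEvent event) {
        // Run once, before any connector creates its SSLContext.
        if (!Lifecycle.BEFORE_INIT_EVENT.equals(event.getType())) {
            return;
        }
        // Provider name is an assumption: pass it with -Dfips.expected.provider=<name>
        String expected = System.getProperty("fips.expected.provider");
        if (expected == null || expected.isEmpty()) {
            throw new IllegalStateException("fips.expected.provider is not set");
        }
        String problem = check(expected);
        if (problem != null) {
            // Fail closed: a JVM without the FIPS provider must not serve TLS at all.
            throw new IllegalStateException("FIPS provider check failed: " + problem);
        }
    }

    /** Returns null when the JVM is configured as expected, else a description of the problem. */
    static String check(String expected) {
        // Security.getProviders() is in java.security preference order; the FIPS provider must be first.
        Provider[] providers = Security.getProviders();
        String first = providers.length == 0 ? "<none>" : providers[0].getName();
        if (!expected.equals(first)) {
            return "first security provider is '" + first + "', expected '" + expected + "'";
        }
        try {
            // Creating the default SSLContext loads the JSSE provider; a FIPS 140-2 software
            // module runs its power-up self-tests when it initialises, so a failure surfaces here.
            String actual = SSLContext.getDefault().getProvider().getName();
            if (!expected.equals(actual)) {
                return "default SSLContext provider is '" + actual + "', expected '" + expected + "'";
            }
        } catch (Exception e) {
            return "SSLContext initialisation failed: " + e;
        }
        return null;
    }
}
```

Register it in `server.xml` as a `<Listener className="example.fips.FipsProviderCheckListener"/>` element under `<Server>`, with the class on Tomcat's classpath, so the check runs before any connector is initialised.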
