FIPS - Federal Information Processing Standard
Understanding FIPS Standards
What is FIPS 140-2?
Keeping sensitive data, such as Personally Identifiable Information (PII), secure in every stage of its life is an important task for any organization. To simplify this process, standards, regulations, and best practices were created to better protect data. The Federal Information Protection Standard, or FIPS, is one of these standards. These standards were created by the National Institute of Science and Technology (NIST) to protect government data, and ensure those working with the government comply with certain safety standards before they have access to data.
Why FIPS 140-2 --> Any organization that works with the U.S. Federal government must comply with this standard
Federal Information Processing Standard (FIPS) 140 is a security implementation that is designed for certifying cryptographic software
FIPS is so important ?
The main organizations that are required to be FIPS 140-2 compliant are federal government organizations that either collect, store, share, transfer, or disseminate sensitive data, such as Personally Identifiable Information. All federal agencies, their contractors, and service providers must all be compliant with FIPS as well. Additionally, any systems deployed in a federal environment must also be FIPS 140-2 compliant. This includes the encryption systems utilized by Cloud Service Providers (CSPs), computer solutions, software, and other related systems. This means only those services, devices, and software that are FIPS compliant can even be considered for use by the federal government, which is one of the reasons so many technology companies want to ensure they are FIPS 140-2 compliant.
How it is related to Go for a developer ?
By default, applications written in Go use cryptographic functions from the Go standard library, which is not FIPS-validated
https://pkg.go.dev/github.com/minio/minio/internal/fips
there are two options for us:
BoringSSL based crypto. RedHat go toolchain.
Package fips provides functionality to configure cryptographic implementations compliant with FIPS 140.
FIPS 140 1 is a US standard for data processing that specifies requirements for cryptographic modules. Software that is "FIPS 140 compliant" must use approved cryptographic primitives only and that are implemented by a FIPS 140 certified cryptographic module.
So, FIPS 140 requires that a certified implementation of e.g. AES is used to implement more high-level cryptographic protocols. It does not require any specific security criteria for those high-level protocols. FIPS 140 focuses only on the implementation and usage of the most low-level cryptographic building blocks.
If the entire product has not been tested and approved as FIPS validated, that means the product is only FIPS compliant.
Any organization that works with the U.S. Federal government must comply with this standard , All products must submit a Security Policy that outlines what the module is and how it complies with FIPS.
Thanks for Reading this
Subscribe to my newsletter
Read articles from Ashok Vanga directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
Ashok Vanga
Ashok Vanga
Golang Developer and Blockchain certified professional