3

The question is pretty simple: is it possible to create a FIPS 140-2 compliant server in Perl? In particular, is it possible without modifying any of the C code for the modules? If it's not possible in straight Perl, what would be the easiest way to go about it from a C perspective?

I'm basically creating a mini-httpd that only serves up a single file, but due to security restrictions it needs to be served up on SSL under FIPS compliance.

rook
Nayruden
  • A link to something describing what is "compliant" would be helpful, since I bet most readers are not familiar with this certification. – Ether Jun 14 '10 at 20:32
  • I am totally unaware of it; searching found [wikipedia](http://en.wikipedia.org/wiki/FIPS_140-2) as almost the first result, which is a starting point (not the best maybe, but to get an idea it is ok...) – ShinTakezou Jun 14 '10 at 20:40
  • I'm not entirely certain what it is myself, Wikipedia about sums up my knowledge of the compliance as well. – Nayruden Jun 14 '10 at 21:46

2 Answers

4

I don't know all of the rules when it comes to FIPS 140-2. However, unlike HIPAA and PCI-DSS, it's a standard that governs the strength of cryptography and doesn't take the system as a whole into consideration. Parts of OpenSSL can be FIPS 140-2 compliant, and this library is exposed to Perl via the Crypt::OpenSSL module. You just have to make sure your key size is large enough for the level of FIPS certification you need and that you don't violate one of the many Cryptographic Issues.

rook
  • No! OpenSSL itself is ***not*** FIPS-approved, and never will be. The OpenSSL FIPS Object Module exists, and is FIPS-certified. See http://www.openssl.org/docs/fips/fipsnotes.html to open **that** can of worms. –  Jun 14 '10 at 20:45
  • Thanks. I'm still not sure that the FIPS-compliant library is going to be exposed via Crypt::OpenSSL by default, though. You might have to check what it's linked against, and maybe go into the guts of the module to invoke startuppy stuff. –  Jun 14 '10 at 21:18
  • Thanks, I'll research more into this option. – Nayruden Jun 14 '10 at 21:45
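The kind of single-file HTTPS server the question describes, written as an added example for this thread rather than code from the original post. It uses IO::Socket::SSL (which sits on Net::SSLeay and therefore on whatever OpenSSL those modules were linked against) and pins the server to TLS 1.2 with a cipher list containing only FIPS-approved primitives (AES-GCM, SHA-2, RSA/(EC)DHE key exchange), logging the negotiated suite per connection so the restriction can be audited. What it does not do is switch the FIPS Object Module into FIPS mode: in the FIPS-capable OpenSSL 1.0.x branch that is done from C with `FIPS_mode_set(1)`, which the Perl binding has to expose (or a small XS shim has to call) before any of this matters. The certificate and key paths, the default file name and the port are placeholders assumed for the example; the key itself should be RSA 2048 or larger (`openssl genrsa 2048`), since 1024-bit RSA is below the approved minimum.

```perl
#!/usr/bin/perl
# Added example, not code from the original post: a mini-httpd that serves
# one file over TLS, restricted to FIPS-approved algorithms.
#
# Assumptions (not from the thread): IO::Socket::SSL / Net::SSLeay are built
# against an OpenSSL with the FIPS Object Module linked in and FIPS mode has
# already been switched on from the C side (FIPS_mode_set(1)); server.crt /
# server.key are placeholder paths for an RSA-2048-or-larger cert and key.
use strict;
use warnings;
use IO::Socket::SSL;

my $cert = $ENV{SERVER_CERT} // 'server.crt';   # placeholder path
my $key  = $ENV{SERVER_KEY}  // 'server.key';   # placeholder path
my $file = $ARGV[0] // 'index.html';            # the single file we serve
my $port = $ARGV[1] // 8443;

# OpenSSL cipher-list syntax. Every suite here uses only FIPS-approved
# primitives: AES-GCM for confidentiality, SHA-256/384 in the PRF and HMAC,
# RSA signatures, ECDHE/DHE or RSA key exchange. Nothing with RC4, MD5,
# (3)DES, NULL or export strength is listed, so it cannot be negotiated.
my $fips_ciphers = join ':', qw(
    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-RSA-AES128-GCM-SHA256
    DHE-RSA-AES256-GCM-SHA384
    DHE-RSA-AES128-GCM-SHA256
    AES256-GCM-SHA384
    AES128-GCM-SHA256
);

# Read the one file at startup so a request can never reach the filesystem.
open my $fh, '<:raw', $file or die "cannot read $file: $!\n";
my $body = do { local $/; <$fh> };
close $fh;

my $srv = IO::Socket::SSL->new(
    LocalAddr              => '0.0.0.0',
    LocalPort              => $port,
    Listen                 => 5,
    ReuseAddr              => 1,
    SSL_server             => 1,
    SSL_cert_file          => $cert,
    SSL_key_file           => $key,
    SSL_version            => 'TLSv1_2',     # refuse SSLv3, TLS 1.0 and 1.1
    SSL_cipher_list        => $fips_ciphers,
    SSL_honor_cipher_order => 1,             # server picks from the list above
) or die 'cannot listen: ' . IO::Socket::SSL::errstr() . "\n";

print STDERR "serving $file on https://0.0.0.0:$port/ with ciphers: $fips_ciphers\n";

for (;;) {
    # accept() completes the TLS handshake; a client that cannot agree on one
    # of the listed suites is rejected here and never sees the file.
    my $client = $srv->accept or do {
        warn 'handshake failed: ' . IO::Socket::SSL::errstr() . "\n";
        next;
    };

    # Record what was actually negotiated; this is the evidence that the
    # cipher restriction holds on the wire.
    printf STDERR "%s %s %s\n",
        $client->peerhost, $client->get_sslversion, $client->get_cipher;

    # Consume the request line and headers up to the blank line. The same
    # file is returned for any path, so nothing from the request is used.
    while (defined(my $line = <$client>)) {
        last if $line =~ /^\r?\n$/;
    }

    print $client "HTTP/1.0 200 OK\r\n",
                  "Content-Type: application/octet-stream\r\n",
                  "Content-Length: ", length($body), "\r\n",
                  "Connection: close\r\n",
                  "\r\n",
                  $body;
    $client->close;
}
```

To confirm the restriction from the outside, connect with `openssl s_client -connect host:8443 -cipher RC4-SHA` and check that the handshake fails, then repeat with `-cipher AES128-GCM-SHA256` and check that it succeeds; the server's stderr line shows which suite each client ended up with.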
1

Take a look at Mozilla's FIPS strategy. Triple DES is most likely to be Open Source. I am unaware of any certified FIPS 140-2 solutions in Perl.

Most implementation approvals are very restrictive, such as being on a certain hardware platform, CPU, and OS version. If you are on one of those platforms, you can often piggyback on the OS approval, such as Windows 7, Redhat, etc.

dawg