Encryption and FIPS 140-2 compliance (2191 Views)
Occasional Visitor
Ross Smith_1
Posts: 2
Registered: ‎09-13-2005
Message 1 of 11 (2,191 Views)

Encryption and FIPS 140-2 compliance

We've been told that we're required to have encryption in place that is certified as FIPS 140-2 compliant for protecting our clinical research data. Does VMS's encryption (for backup and encryption at the command line) meet that requirement?

Thanks!
Honored Contributor
Hoff
Posts: 4,958
Registered: ‎01-29-2006
Message 2 of 11 (2,191 Views)

Re: Encryption and FIPS 140-2 compliance

IIRC, AES is suitable for FIPS 140, though you'll want to ask for a statement from HP if this compliance is not already listed in the SPD.

There's a business manager inside OpenVMS that has traditionally handled Common Criteria and other issues of security standards and standards compliance.

Here's the AES (256-bit) reference for OpenVMS V8.3 encryption:

http://h18000.www1.hp.com/products/quickspecs/12551_div/12551_div.HTML

and AFAIK 256-bit AES is in the right range for FIPS 140 compliance. As for statements of compliance and verification and evaluation that aren't already included in the SPD or such, those best arrive from folks within HP and probably not from ITRC. (And I don't see FIPS 140 in the SPD.)

Alternatively, you might want to ask your own folks if products providing AES 256-bit are "good enough".

Stephen Hoffman
HoffmanLabs LLC
Honored Contributor
Jon Pinkley
Posts: 1,135
Registered: ‎02-08-2007
Message 3 of 11 (2,191 Views)

Re: Encryption and FIPS 140-2 compliance

I would recommend looking at a tape drive that has encryption built in. One example is the HP StorageWorks LTO-4 Ultrium 1840 Tape Drive. There is never a better time to ask for new hardware than when you are being requested to provide a solution to a legally mandated requirement.

One drawback is that this is a new very high performance drive, and you may have a hard time sending data to it fast enough to keep it from shoeshining. And without software to turn the encryption feature on, it will just be a latent capability.

There are many advantages to having the tape drive do the encryption. Besides offloading the necessary processing, it also does the compression prior to encryption, so the amount of media used for backups will not increase drastically. Remember that encrypted data appears random, and therefore does not effectively compress.

Have a look at

http://h18006.www1.hp.com/products/storageworks/lto4Encryp/index.html

According to the compatibility chart, the drive is supported by both 8.2 and 8.3, but not by 7.3-2. That does not mean that you will be able to take advantage of the encryption capabilities, as the feature must be turned on, keys loaded, etc. That will require that the software being used to write to tape have the knowledge needed to communicate with an IEEE 1619.1 encrypting tape drive. I know nothing about what is planned for VMS BACKUP or Data Protector.

I was a bit surprised that the drive doesn't have any USB port on the front panel that would allow a "key" to be inserted into the drive. Whether such a device exists, I don't know. I do know that we have a MICR check printer that has a hardware key (I am not sure if it is USB or some proprietary hardware), but it is part of the "something you know and something you have" two part security.

There seems to be quite a bit of discussion about whether or not the encryption built into the LTO4 drive is "FIPS 170-2" compliant or not. Google for ( "IEEE 1619.1" "FIPS 140-2" ) http://www.google.com/search?hl=en&lr=&as_qdr=all&q=%22IEEE+1619.1%22+%22FIPS+140-2%22&btnG=Search

HP's description in their marketing brochure has the vague verbiage "has the potential to be part of wider data encryption solutions up to FIPS 140-2 level 2." But so does a notepad to keep documentation on.

Excerpt from http://www.hpstoragemedia.com/files/english/sales_tools/storage_media_sales_tools/LTO4Brochure-EEE.p...

"HP's LTO4 Ultrium cartridges have the potential to be part of wider data encryption solutions up to FIPS 140-2 level 2. The media on its own incorporates AES-256 bit key encryption (the highest level of AES) capabilities to provide greater security. HP's implementation meets the current draft of IEEE 1619.1 tape encryption standard giving you peace of mind that if a tape goes missing, the data it contains cannot fall into the wrong hands."
it depends
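
The compress-before-encrypt point in the post above can be measured directly. This is an added example, not part of the original thread: the record format and key are constructed, and the cipher is a SHA-256 counter-mode stand-in (an assumption so it runs on the standard library alone, not AES and not what the drive uses).

```python
import hashlib
import zlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with SHA-256(key || counter) blocks.
    Illustration only; it is not AES and must not be used to protect data."""
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream.extend(hashlib.sha256(key + counter.to_bytes(8, "big")).digest())
    return bytes(a ^ b for a, b in zip(data, stream))


def sample_backup() -> bytes:
    """Constructed, repetitive records standing in for a backup save set."""
    rows = (
        f"subject={i:06d};visit={i % 12:02d};status=complete;site=CLINIC-A\n"
        for i in range(5000)
    )
    return "".join(rows).encode()


def media_usage(data: bytes, key: bytes) -> dict:
    """Bytes written to media for each ordering of compression and encryption."""
    compress_then_encrypt = keystream_xor(key, zlib.compress(data, 9))
    encrypt_then_compress = zlib.compress(keystream_xor(key, data), 9)
    return {
        "original": len(data),
        "compress_then_encrypt": len(compress_then_encrypt),
        "encrypt_then_compress": len(encrypt_then_compress),
    }


def restore(blob: bytes, key: bytes) -> bytes:
    """Reverse the compress-then-encrypt order: decrypt first, then inflate."""
    return zlib.decompress(keystream_xor(key, blob))


if __name__ == "__main__":
    key = b"constructed-demo-key"
    for name, size in media_usage(sample_backup(), key).items():
        print(f"{name:>22}: {size} bytes")
```

Encrypting first leaves the compressor nothing to work with, so the second ordering uses at least as much media as the uncompressed data.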
Honored Contributor
Jon Pinkley
Posts: 1,135
Registered: ‎02-08-2007
Message 4 of 11 (2,191 Views)

Re: Encryption and FIPS 140-2 compliance

I haven't looked into this whole topic yet at any depth, but to support an encrypting tape drive in a general way, it should be possible to somehow specify encryption at mount time, in a way similar to /media=compaction allows compression to be turned on.

Perhaps something like mount/media=(compaction,IEEE1619_1=keyoption...)

Then you might be able to use something like Save Set Manager to migrate savesets from old tapes to new, and have them encrypted on the way.

Sorry for the diversion...

Jon
it depends
Valued Contributor
Richard W Hunt
Posts: 288
Registered: ‎07-22-2003
Message 5 of 11 (2,191 Views)

Re: Encryption and FIPS 140-2 compliance

I went through a similar question with the HP Engineering team for the OVMS 7.3-2 and TCP/IP 5.4 environment. It is still not fully answered. Their "official" answer so far is that the SSL features are "ports" of FIPS 140-2 compliant implementations - so "of course" they are compliant.

My response was that "of course" has very limited meaning for the government. "Of course" works for "oh, you need to file seven more paper copies and twenty-one e-mail copies of this form." To which you say, "Of course I do..."

The bottom line from my security guys was, if it isn't directly certified, it isn't FIPS 140-2 compliant. The Federal Information Security Management Act (FISMA) of 2002 revoked statutory provisions to allow waivers of FIPS standards. The surrounding guidelines include something to the effect of saying "Unvalidated cryptography is viewed by NIST as providing no protection to the information or data" and basically counts as cleartext for the security evaluation process.

My own security folks say that despite it not being directly certified, it is possible to (as they say it) "socialize" the routines because despite FISMA 2002, there are ways to get waivers. Just more hoops to jump through. So I guess you need to discuss the issue with your security guys and see what, if anything, they have to say.

In case you were wondering, I'm at a DoD/USN site dealing with Privacy Act data for personnel-related information. So we have that FIPS-140-2 requirement, too.
Sr. Systems Janitor
Respected Contributor
Tom O'Toole
Posts: 370
Registered: ‎06-09-2004
Message 6 of 11 (2,191 Views)

Re: Encryption and FIPS 140-2 compliance


and this process is perfectly designed to keep the revenue stream coming to the 'insiders' like billy bathgates and his gang of merry thieves. bathgatesOS is probably 'certified' this and that, and we all know how secure that is.
Can you imagine if we used PCs to manage our enterprise systems? ... oops.
Frequent Advisor
Andre Stewart
Posts: 52
Registered: ‎08-19-1997
Message 7 of 11 (2,191 Views)

Re: Encryption and FIPS 140-2 compliance

I, too, am wrestling with these issues. From a software perspective, how do HP's SSH and OpenSSL tools on HP-UX (11i v.1) fare in meeting the FIPS 140-2 standards?

Would HP ever put themselves out there and go on record to un-categorically state that their tools are FIPS 140-2 compliant (esp. something that is not NonStop computing)?

How does one say that the System Management Homepage is FIPS 140-2 compliant? Does it involve the installation of a certificate meeting a specific compliance?
Honored Contributor
Steven Schweda
Posts: 9,091
Registered: ‎02-23-2005
Message 8 of 11 (2,191 Views)

Re: Encryption and FIPS 140-2 compliance

> I too, [...] HP-UX (11i v.1) [...]

Why awaken a years-old thread in a VMS forum
to deal with an HP-UX question?

I know nothing, but from my limited attention
to OpenSSL stuff, I've gathered that actual
FIPS compliance (certification?) is a
non-trivial thing. It seems to require
platform-specific testing for each OpenSSL
version, which costs actual money, so some
particular vendor or victim needs to pay for
it.

> [...] you'll want to ask for a statement
> from HP [...]

I'd say that that's true in your case, too.
Frequent Advisor
Andre Stewart
Posts: 52
Registered: ‎08-19-1997
Message 9 of 11 (2,191 Views)

Re: Encryption and FIPS 140-2 compliance

You are correct. It was inappropriate to post this in the VMS forum. Forgive me.

As for awakening the thread, well, due to HSPD-12, APT, and a few other initiatives, this issue continues to be all too relevant. Meeting the compliance while continuing to provide effective, efficient, and practical services to our customers as well as keep the system administration practical is becoming a very difficult balancing act.

But your answer was perfect. Thank you. I now understand the reason why HP may not get "certifications" on every platform for every layered product and then try and maintain it going forward.

I'll also try and check within my organization to determine if any of them already have acquired a "restatement" from HP.

Again, forgive me. I'll refrain from extending this thread.
Honored Contributor
Steven Schweda
Posts: 9,091
Registered: ‎02-23-2005
Message 10 of 11 (2,191 Views)

Re: Encryption and FIPS 140-2 compliance

Note that a quick Google search for
openssl fips
leads pretty directly to:

http://www.openssl.org/docs/fips/fipsnotes.html

which explains some of the considerations
involved with OpenSSL.
Advisor
john Dite
Posts: 26
Registered: ‎06-15-2004
Message 11 of 11 (2,213 Views)

Re: Encryption and FIPS 140-2 compliance

Have you seen the article in the latest OpenVMS Technical Journal
"Data Encryption Using Archive Backup System"
http://h71000.www7.hp.com/openvms/journal/v16/data_encryption.htm

It refers to the HP StorageWorks Secure Key Manager:
http://h20195.www2.hp.com/v2/GetPDF.aspx/4AA2-1403ENW.pdf

This includes the reference:
"The SKM is a hardened server appliance delivering secure identity-based access, administration and logging with strong auditable security designed to meet the rigorous FIPS 140-2 security standards."

John
Like a blind man in a dark room, looking for a black cat ...that isn't even there