Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Utilize FIPS-validated cryptographic modules #4145

Open
7 tasks
georgedias opened this issue Mar 2, 2023 · 3 comments · May be fixed by #4850
Open
7 tasks

Utilize FIPS-validated cryptographic modules #4145

georgedias opened this issue Mar 2, 2023 · 3 comments · May be fixed by #4850
Labels
security Pull requests that address a security vulnerability

Comments

@georgedias
Copy link
Contributor

georgedias commented Mar 2, 2023
edited by em-c-rod

All encryption must be accomplished utilizing a FIPS 140-2 compliant modules:

Rule Title Vul ID Severity
  • The application must utilize FIPS-validated cryptographic modules when signing application components
    		•  V-222570 CAT II (Medium)
  • The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes
    		•  V-222571 CAT II (Medium)
  • The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection
    		•  V-222572 CAT II (Medium)
  • The application must use the Federal Information Processing Standard (FIPS) 140-2-validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality
    		•  V-222583 CAT II (Medium)

    References: Application Security and Development Security Technical Implementation Guide :: Version 5, Release: 2 Benchmark Date: 27 Oct 2022

    • Heimdall Server uses bcryptjs for encryption/hashing, which at this time is NOT FIPS 140-2 compliant.

    • The bcryptjs npm module is used to generate encryption key. It makes use of cryptographic salt to ensure keys and passwords are uniquely encrypted. In the browser, bcrypt.js relies on Web Crypto API's getRandomValues interface to obtain secure random numbers.

    • Build Heimdall on a host OS that has FIPS turned on (Ubuntu with FIPS enabled) - look at ubuntu advanced from AWS or Canonical - reference https://canonical.com/blog/how-to-develop-linux-applications-for-fips-on-ubuntu. Create a development machine with FIPS enabled. Example: https://github.com/valentincanonical/ubuntu-ua-fips-nginx-example

    • Replace or conditionally use bycrypt library

    • Create a process to configure FIPS in Heimdall so it can be run with or without FIPS enabled
    @georgedias georgedias added the security Pull requests that address a security vulnerability label Mar 2, 2023
    @Amndeep7
    Copy link
    Contributor

    Amndeep7 commented Jul 12, 2023
    edited

    [aws (s3), splunk, tenable] = load data areas, [github, okta, oidc, 'passport', etc] = log in, [axios, seqeulize] = calls between db+backend+frontend, [operating system, docker, nodejs, browser, db, nginx] = deployment environment, [bcrypt] = password/api key generation

    @Amndeep7
    Copy link
    Contributor

    Amndeep7 commented Jul 12, 2023
    edited

    what is the request? is it 'fips enabled heimdall' or is it 'fips enabled deployment of heimdall'?

    @Amndeep7
    Copy link
    Contributor

    going to need to figure out how to a) run postgres in fips compliant mode and b) use libraries that can interface with it while fips compliant. OR we're gonna need to swap out DB's entirely.

    heimdall2-server-1    | DOMException [NotSupportedError]: Unrecognized name.
heimdall2-server-1    |     at new DOMException (node:internal/per_context/domexception:53:5)
heimdall2-server-1    |     at __node_internal_ (node:internal/util:505:10)
heimdall2-server-1    |     at normalizeAlgorithm (node:internal/crypto/util:212:15)
heimdall2-server-1    |     at SubtleCrypto.asyncDigest (node:internal/crypto/hash:171:15)
heimdall2-server-1    |     at SubtleCrypto.digest (node:internal/crypto/webcrypto:76:10)
heimdall2-server-1    |     at md5 (/app/apps/backend/node_modules/pg/lib/crypto/utils-webcrypto.js:41:37)
heimdall2-server-1    |     at Object.postgresMd5PasswordHash (/app/apps/backend/node_modules/pg/lib/crypto/utils-webcrypto.js:50:21)
heimdall2-server-1    |     at /app/apps/backend/node_modules/pg/lib/client.js:251:45
heimdall2-server-1    |     at Client._checkPgPass (/app/apps/backend/node_modules/pg/lib/client.js:226:7)
heimdall2-server-1    |     at Client._handleAuthMD5Password (/app/apps/backend/node_modules/pg/lib/client.js:249:10)
heimdall2-server-1    | Emitted 'error' event on Client instance at:
heimdall2-server-1    |     at /app/apps/backend/node_modules/pg/lib/client.js:254:14
heimdall2-server-1    |     at processTicksAndRejections (node:internal/process/task_queues:96:5)

    @Amndeep7 Amndeep7 linked a pull request Aug 22, 2023 that will close this issue
    Draft
    23 tasks
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Assignees
    No one assigned
    Labels
    security Pull requests that address a security vulnerability
    Projects
    None yet
    Milestone
    No milestone
    Development

    Successfully merging a pull request may close this issue.

    Fips compliance mitre/heimdall2
    2 participants
    @Amndeep7 @georgedias