FIPS compliance should be used when the customer demands FIPS compliance, and at no other time. It does not make your software more secure. The federal government has many reasons for its Information Processing Standards, and actual security isn't high up the list.
That is backwards. NIST FIPS, especially FIPS 140, are explicitly security standards for cryptographic modules. They exist to define and validate security requirements and to give agencies a security metric for procurement. Security is central to the standard even if buyers also use it for compliance and contracting.
And when has FIPS certification made a product more secure than the non-certified version? By which I mean, give examples of actual cases in which hackers were stopped by the expensive FIPS-certified version but not by the equivalent non-certified one.
Not really the right question. FIPS doesn’t stop ‘hackers’ like a forcefield. It’s a validated baseline for crypto modules (RNGs, key handling, approved modes, self-tests). The security win is fewer crypto footguns and more assurance, not a dramatic war story.
It's exactly the right question, "what (demonstrable) value are you getting from this?". Having been through several FIPS certifications I can say that it added nothing to the security of the product, in fact if anything it reduced the security because of all the silly-walk stuff that had to be added. In particular the algorithm certs are essentially worthless because if you get (say) AES wrong you'll find that out the very first time you use it, with or without a NIST algorithm cert, and beyond that for level 1 which is what 99% of products go for it's mostly a paperwork-production exercise and the aforementioned silly-walk code changes.
About 30+ years ago it was somewhat useful for keeping out the homebrew snake-oil crypto that was common at the time, but since you can find (again as an example) AES code in the implementation language of your choice and license of your choice within seconds that's not been an issue for some time.
Fair. Level 1 can be heavy on paperwork, and compliance code can add complexity. But ‘algorithm certs are worthless’ is overstated: lots of crypto failures are silent misuse (modes/nonces/RNG/key handling), not ‘AES won’t decrypt.’ FIPS isn’t a magic shield, it’s a baseline control. Whether it’s net-positive depends on how much it slows upgrades and how disciplined the team already is.
Absolutely. It allows you to check the box that says "must be FIPS certified", and that's it. Now I'm not saying that doesn't add value, but it's not adding any security.
> FIPS compliance is a great idea that makes the entire software supply chain safer
Yes, gotta implement that Dual_EC_DRBG compatibility.
FIPS compliance is not a great idea, the benefits are questionable and possibly nonexistent. It's also significantly worse advice than simple "implement decent modern crypto", you can do all kinds of really bizarre stuff and still be FIPS compliant.
>FIPS compliance is not a great idea, the benefits are questionable and possibly nonexistent.
I counter about the benefits of FIPS. If you don't do it, you don't get paid by the government for whatever contract you have. Many people find getting paid to be beneficial.
Now, it's not the vast majority of applications, but I'm sure there are a significant number of developers on HN that are working on applications that need to meet FedRamp requirements and posts like this point out potential pitfalls on what needs enabled.
Not much different when dealing with stuff like STIGs. A large number of them are highly questionable and may only apply to very specific applications, yet you see barely trained button pushers saying you need to follow them. If you're aware of them when writing your application it will save a bunch of implementation headaches when it ends up in the field.
>I counter about the benefits of FIPS. If you don't do it, you don't get paid by the government for whatever contract you have. Many people find getting paid to be beneficial.
I absolutely agree, but the OP does speak about making "the entire software supply chain safer" which is far from true.
Yeah, the first line was intended as a joke. I didn't communicate it very well though.
I think the problem with FIPS can be summed up very well as "it doesn't require you to implement good crypto", which makes it pointless and almost certainly harmful.
FIPS validates the crypto library, not your app design. It can still be a security upgrade for the crypto boundary, but you can build insecure stuff on top of it. The harm is when people treat “FIPS mode” as a magic security badge.
It's not in fact a security upgrade for your crypto library. It might have been in 1992 when people were still building products based on hand-rolled polyalphabetic substitution ciphers, but that era ended before 2000.
FIPS 140 doesn’t prove ‘no bugs’, but it’s not meaningless either. It enforces a baseline around approved algorithms, RNG, key handling, self-tests, and module integrity. You can still misuse crypto or have non-crypto bugs, but ‘utterly broken and still FIPS’ is mostly rhetoric.
Are you in a contractual relationship with the federal government that involves handling federal data?
Alternatively, do you deal with HIPAA PHI (FIPS is—unless an update since the last time I checked has changed this—part of the HITECH Act guidance specification of whether PHI is secured or unsecured, and so is a factor in whether, legally, a breach has occurred.)
Approval involves an assessment of security features, but it doesn’t change them, so the approval itself doesn't not have security value. Using it as part of a filter before choosing a solution may have efficiency benefits, though (assuming you are doing your own security assessment that has non-zero cost after the filter.)
I think we just fundamentally disagree about the quality of the “assessment” FIPS is doing.
Choosing to use FIPS is basically choosing to tether yourself to the finest decision-making that government agencies could muster based on the technology that existed decades ago.
You’re choosing to ride a horse to work because somebody whacked an “approved” brand on it. I’m sure it’s a very reliable horse, but unless somebody is paying me a lot of money to hold the reins, I’m going to opt to use the advances we’ve made as an industry since then
> I think we just fundamentally disagree about the quality of the “assessment” FIPS is doing.
I haven't said anything about the quality of the assessment done as part of FIPS approval. I think you are straining for things to disagree with.
> Choosing to use FIPS is basically choosing to tether yourself to the finest decision-making that government agencies could muster based on the technology that existed decades ago.
The current FIPS encryption standards and criteria were not decided decades ago, or based on technology adopted decades ago (FIPS 140-3 is 2019, SP 800-40 is 2023, etc.)
Beyond the basic idea of “Let’s have NIST establish standards in this area”, almost nothing is from “decades ago”.
I've run into this with Python manylinux wheels too. They bundle their own libraries for portability, so you often bypass the host OpenSSL entirely without realizing it. The fix is usually passing --no-binary to pip to force it to link against the system libraries.
FIPS is what happens when idiots get promoted and start reading too much LinkedIn CISO slop.
If a customer demands FIPS compliance charge them out the ass for it. Its not inherently secure, it requires in some cases massive re-engineering of product and toolchains, and mostly seems to be an ask from clueless deep pocketed Fortune 500 companies looking to minimize liability claims after a breach by being able to point at their FIPS compliance.
FIPS is ancient and dates from the era when encryption was unusual and rare. That is why some of it seems so arcane. FIPS 140 didnt even allow software encryption until 140-3, 140-2 required a hardware secure enclave.
Definitely false, at least historically. The original FIPS only required HW at levels 3 and 4, "required" in the sense that levels 1 and 2 were quite doable in software (level was/is no authentication to the CM, letting it be protected by the host; level 2 was/is a form of basic authentication, e.g., encrypting private keys under a key derived from a password).
I was part of a team that had multiple level 1 and 2 certificates for software-only CMs in the 1990s, both 140 and the second edition, 140-1.
The current FIPS-approved OpenSSL module was released in 2023. FIPS compliance does not even allow security patches to address issues.
In my opinion, FIPS compliance is bad security practice and I suspect if a government agency called you on not meeting it, the justification of patching to address known vulnerabilities should hold up to scrutiny.
No, you can release another version but it needs to go through the testing and compliance regime which costs money and time.
This is the same as certifying an aircraft as airworthy. You can’t build another aircraft and say it is airworthy because the one you just built is airworthy too
I know what aircraft you are pointing to (MAX) and new airworthiness compliance measures for all new and existing aircraft are a result of what happened with Boeing
FIPS compliance should be used when the customer demands FIPS compliance, and at no other time. It does not make your software more secure. The federal government has many reasons for its Information Processing Standards, and actual security isn't high up the list.
That is backwards. NIST FIPS, especially FIPS 140, are explicitly security standards for cryptographic modules. They exist to define and validate security requirements and to give agencies a security metric for procurement. Security is central to the standard even if buyers also use it for compliance and contracting.
And when has FIPS certification made a product more secure than the non-certified version? By which I mean, give examples of actual cases in which hackers were stopped by the expensive FIPS-certified version but not by the equivalent non-certified one.
Not really the right question. FIPS doesn’t stop ‘hackers’ like a forcefield. It’s a validated baseline for crypto modules (RNGs, key handling, approved modes, self-tests). The security win is fewer crypto footguns and more assurance, not a dramatic war story.
It's exactly the right question, "what (demonstrable) value are you getting from this?". Having been through several FIPS certifications I can say that it added nothing to the security of the product, in fact if anything it reduced the security because of all the silly-walk stuff that had to be added. In particular the algorithm certs are essentially worthless because if you get (say) AES wrong you'll find that out the very first time you use it, with or without a NIST algorithm cert, and beyond that for level 1 which is what 99% of products go for it's mostly a paperwork-production exercise and the aforementioned silly-walk code changes.
About 30+ years ago it was somewhat useful for keeping out the homebrew snake-oil crypto that was common at the time, but since you can find (again as an example) AES code in the implementation language of your choice and license of your choice within seconds that's not been an issue for some time.
Fair. Level 1 can be heavy on paperwork, and compliance code can add complexity. But ‘algorithm certs are worthless’ is overstated: lots of crypto failures are silent misuse (modes/nonces/RNG/key handling), not ‘AES won’t decrypt.’ FIPS isn’t a magic shield, it’s a baseline control. Whether it’s net-positive depends on how much it slows upgrades and how disciplined the team already is.
Absolutely. It allows you to check the box that says "must be FIPS certified", and that's it. Now I'm not saying that doesn't add value, but it's not adding any security.
> FIPS compliance is a great idea that makes the entire software supply chain safer
Yes, gotta implement that Dual_EC_DRBG compatibility.
FIPS compliance is not a great idea, the benefits are questionable and possibly nonexistent. It's also significantly worse advice than simple "implement decent modern crypto", you can do all kinds of really bizarre stuff and still be FIPS compliant.
>FIPS compliance is not a great idea, the benefits are questionable and possibly nonexistent.
I counter about the benefits of FIPS. If you don't do it, you don't get paid by the government for whatever contract you have. Many people find getting paid to be beneficial.
Now, it's not the vast majority of applications, but I'm sure there are a significant number of developers on HN that are working on applications that need to meet FedRamp requirements and posts like this point out potential pitfalls on what needs enabled.
Not much different when dealing with stuff like STIGs. A large number of them are highly questionable and may only apply to very specific applications, yet you see barely trained button pushers saying you need to follow them. If you're aware of them when writing your application it will save a bunch of implementation headaches when it ends up in the field.
>I counter about the benefits of FIPS. If you don't do it, you don't get paid by the government for whatever contract you have. Many people find getting paid to be beneficial.
I absolutely agree, but the OP does speak about making "the entire software supply chain safer" which is far from true.
You can always waiver STIGs based on business or mission critical needs. You add it to your POA&M and/or SSP.
Not the entire RHEL STIG mind you but parts of it
Oh yeah, I know, but God getting exceptions is a pain in the ass.
I don't like FIPS and think people should avoid FIPS-compliance projects but FIPS doesn't require you to implement Dual EC.
Yeah, the first line was intended as a joke. I didn't communicate it very well though.
I think the problem with FIPS can be summed up very well as "it doesn't require you to implement good crypto", which makes it pointless and almost certainly harmful.
FIPS validates the crypto library, not your app design. It can still be a security upgrade for the crypto boundary, but you can build insecure stuff on top of it. The harm is when people treat “FIPS mode” as a magic security badge.
It's not in fact a security upgrade for your crypto library. It might have been in 1992 when people were still building products based on hand-rolled polyalphabetic substitution ciphers, but that era ended before 2000.
You can have an utterly broken crypto library that's FIPS compliant.
FIPS would be great if it actually explicitly required you to do things correctly, it does not.
FIPS 140 doesn’t prove ‘no bugs’, but it’s not meaningless either. It enforces a baseline around approved algorithms, RNG, key handling, self-tests, and module integrity. You can still misuse crypto or have non-crypto bugs, but ‘utterly broken and still FIPS’ is mostly rhetoric.
Why do I care if an algorithm is “approved”.
Are you in a contractual relationship with the federal government that involves handling federal data?
Alternatively, do you deal with HIPAA PHI (FIPS is—unless an update since the last time I checked has changed this—part of the HITECH Act guidance specification of whether PHI is secured or unsecured, and so is a factor in whether, legally, a breach has occurred.)
So I only care about it being approved if my customers are stipulating it; there’s not an inherent security value in “approved” algorithms?
Approval involves an assessment of security features, but it doesn’t change them, so the approval itself doesn't not have security value. Using it as part of a filter before choosing a solution may have efficiency benefits, though (assuming you are doing your own security assessment that has non-zero cost after the filter.)
I think we just fundamentally disagree about the quality of the “assessment” FIPS is doing.
Choosing to use FIPS is basically choosing to tether yourself to the finest decision-making that government agencies could muster based on the technology that existed decades ago.
You’re choosing to ride a horse to work because somebody whacked an “approved” brand on it. I’m sure it’s a very reliable horse, but unless somebody is paying me a lot of money to hold the reins, I’m going to opt to use the advances we’ve made as an industry since then
> I think we just fundamentally disagree about the quality of the “assessment” FIPS is doing.
I haven't said anything about the quality of the assessment done as part of FIPS approval. I think you are straining for things to disagree with.
> Choosing to use FIPS is basically choosing to tether yourself to the finest decision-making that government agencies could muster based on the technology that existed decades ago.
The current FIPS encryption standards and criteria were not decided decades ago, or based on technology adopted decades ago (FIPS 140-3 is 2019, SP 800-40 is 2023, etc.)
Beyond the basic idea of “Let’s have NIST establish standards in this area”, almost nothing is from “decades ago”.
I've run into this with Python manylinux wheels too. They bundle their own libraries for portability, so you often bypass the host OpenSSL entirely without realizing it. The fix is usually passing --no-binary to pip to force it to link against the system libraries.
FIPS is what happens when idiots get promoted and start reading too much LinkedIn CISO slop.
If a customer demands FIPS compliance charge them out the ass for it. Its not inherently secure, it requires in some cases massive re-engineering of product and toolchains, and mostly seems to be an ask from clueless deep pocketed Fortune 500 companies looking to minimize liability claims after a breach by being able to point at their FIPS compliance.
FIPS is ancient and dates from the era when encryption was unusual and rare. That is why some of it seems so arcane. FIPS 140 didnt even allow software encryption until 140-3, 140-2 required a hardware secure enclave.
Definitely false, at least historically. The original FIPS only required HW at levels 3 and 4, "required" in the sense that levels 1 and 2 were quite doable in software (level was/is no authentication to the CM, letting it be protected by the host; level 2 was/is a form of basic authentication, e.g., encrypting private keys under a key derived from a password).
I was part of a team that had multiple level 1 and 2 certificates for software-only CMs in the 1990s, both 140 and the second edition, 140-1.
[dead]
The current FIPS-approved OpenSSL module was released in 2023. FIPS compliance does not even allow security patches to address issues.
In my opinion, FIPS compliance is bad security practice and I suspect if a government agency called you on not meeting it, the justification of patching to address known vulnerabilities should hold up to scrutiny.
No, you can release another version but it needs to go through the testing and compliance regime which costs money and time.
This is the same as certifying an aircraft as airworthy. You can’t build another aircraft and say it is airworthy because the one you just built is airworthy too
Clearly Boeing has proven that aircraft certification is much easier to bypass than FIPS certification.
I know what aircraft you are pointing to (MAX) and new airworthiness compliance measures for all new and existing aircraft are a result of what happened with Boeing