[
https://issues.apache.org/jira/browse/HDDS-10236?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
István Fajth updated HDDS-10236:
--------------------------------
Summary: Cryptography compliance with FIPS/FISMA (US regulations) (was:
Cryptography compliance with FIPS (US regulations))
> Cryptography compliance with FIPS/FISMA (US regulations)
> --------------------------------------------------------
>
> Key: HDDS-10236
> URL: https://issues.apache.org/jira/browse/HDDS-10236
> Project: Apache Ozone
> Issue Type: Improvement
> Reporter: István Fajth
> Priority: Major
>
> FIPS stands for Federal Information Processing Standards, defined by the
> National Institute of Standards and Technology (NIST).
> The current version is [FIPS 140 -
> 3|https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf], which is based
> on the ISO/IEC 19790, and it overwrites some points of the ISO standard.
> There is a series of modifications under NIST SP 800-140 from A to F as
> follows:
> A: documentation requirements
> B: security policy requirements
> C: approved security functions
> D: approved sensitive security parameter generation and establishment methods
> E: approved authentication mechanisms
> F: approved non-invasive attack mitigation test metrics
> Unfortunately the ISO/IEC 19970 is behind a paywall, but based on FIPS
> 140-3's description it is highly influenced by FIPS 140-2, so the approach we
> can easily take for the first steps is to have the first set of requirements
> based on FIPS 140-2 and understand the differences of 140-3 based on the NIST
> overrides and the standard itself.
> The main area of focus as a starting point is to work on the security
> functions and parameter generation related questions, then security policy
> authentication and documentation related questions, note that not all of
> these areas are applicable to software and some are needed for certification
> purposes, those will be skipped for now.
> It is not part of the scope to actually bring Apache Ozone through the FIPS
> certification process at the moment.
> It is not a goal to make Ozone FIPS compliant by default, the aim is to
> enable it to be compliant with the FIPS regulations, either via plugging in
> things that are not compliant and with that enable to plug-in the compliant
> version also, or make it available to easily rule out the usage of
> non-compliant things via configuration, without changing the default
> behaviour.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
