FIPS 140-2 in the World of Postgres
We've been hearing a lot of questions on FIPS 140-2 lately - so, what is it?
Well, the full definitions are at https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Standards, but the layman's version, which can be attributed to Wikipedia(1), is as follows...
What is it? Simply put, it is a program designed to validate cryptographic modules used by Federal agencies.
The FIPS (Federal Information Processing Standards) 140-2 validation is a result of the FIPS 140 Publication Series issued by The National Institute of Standards and Technology (NIST). The intent was to coordinate and standardize the requirements covering cryptography modules. This includes both hardware and software components.
In order to ensure confidentiality and integrity of information within a security system, a protected cryptographic module is needed. FIPS specifies the security requirements that need to be addressed and satisfied within the cryptographic module. The requirements cover both the cryptographic modules and the associated documentation and (at the highest security level) certain aspects of the comments included in the source code.
There are four qualitative levels of standard, each increasing in terms of security intensity and all designed to cover a wide range of applications and environments. The security requirements focus on secure design and implementation of cryptographic modules. This includes cryptographic module ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks. Using validated cryptographic modules is a requirement of the US Government for all unclassified uses of cryptography and recommended by the Government of Canada in their unclassified applications.
How are modules validated?
The Cryptographic Module Validation Program (CMVP) is operated jointly by the United States Government's National Institute of Standards and Technology (NIST) Computer Security Division and the Communications Security Establishment (CSE) of the Government of Canada. The CMVP provides validation that a cryptographic module conforms to the standards listed in FIPS 140-1 or FIPS 140-2. A validation certificate identifies and confirms the specific module name, hardware, software, firmware, and/or applet version numbers.
Vendors using private or open source cryptographic modules, or commercial cryptographic modules (also known as hardware security modules, or HSMs), that collect, store, share, transfer, or disseminate sensitive but unclassified (SBU) information should ensure their modules meet the stringent criteria defined in the FIPS 140 series and are fully accredited.
Modules validated as conforming to FIPS 140-2 are accepted by the federal agencies of both the US and Canada for the protection of sensitive information.
EnterpriseDB has fully complied with the FIPS 140-2 requirements and has completed the validation process for Windows. EDB can now offer a FIPS 140-2 compliant/certified option for Advanced Server on Windows. FIPS 140-2 can be enforced on RHEL using the RHEL OpenSSL FIPS-compliant modules.
The CMVP certificate for EnterpriseDB can be found here: