...

Potential Value Opportunities



Potential Challenges



Go lang crypto package not FIPS 140-2 certified for Government work


Details on the Go crypto FIPS compliance issues are in the attached file: fabric-go-lang-crypto-NIST-fips-certification-problem.docx



Hi Dave



2) Use of Go lang crypto libraries not validated by NIST

I see that Fabric is or will be relying on the Go crypto package. Turns out the Go crypto package is not FIPS 140-2 certified. As a result, Fabric can't (in theory) be used for any Federal or Canadian government solutions.

This study identified the issue on Fabric crypto libraries

Blockchain Compliance with Federal Cryptographic Information Processing Standards by James P. Howard, II, Maria E. Vachino :: SSRN







The package Go crypto is "derived" from was validated:
2017 version of BoringCrypto
https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/2964

I followed up with the Go security team and they provided this detail below - so far no commitment to have their crypto libraries validated.

Here's their only info on the crypto package, from Filippo Valsorda at Google, if anyone else is interested:

"Go 1.14 and earlier ship a module built according to the instructions in certificate 2964, which maps to BoringSSL tag fips-20170615. https://github.com/golang/go/blob/dev.boringcrypto.go1.14/src/crypto/internal/boring/build/build.sh Go 1.15 and later will hopefully ship a module built according to the instructions in certificate 3318, which maps to BoringSSL tag fips-20180730. https://github.com/golang/go/commit/6c64b188a53afec79563cf4ad3c5bc373036d3ae"

FIPS 140-2 requirements for crypto modules
https://csrc.nist.gov/projects/cryptographic-module-validation-program
Use of Unvalidated Cryptographic Modules by Federal Agencies and Departments

FIPS 140-2 precludes the use of unvalidated cryptography for the cryptographic protection of sensitive or valuable data within Federal systems. Unvalidated cryptography is viewed by NIST as providing no protection to the information or data—in effect the data would be considered unprotected plaintext. If the agency specifies that the information or data be cryptographically protected, then FIPS 140-2 is applicable. In essence, if cryptography is required, then it must be validated.

Many companies who would use Fabric on public projects are impacted by this regulation and the Go crypto module certification status.

Your thoughts on both are appreciated,

Thanks !

Jim Mason




Candidate Solutions



Step-by-step guide for Example

...