FIPS 140-2 Level 1 Compliance for C/C++ Components
Describes how the HPE Ezmeral Data Fabric C/C++ components comply with Federal Information Processing Standard (FIPS) 140-2 Level 1.
The C/C++ components of the HPE Ezmeral Data Fabric need to use FIPS-approved cryptographic libraries for FIPS 140-2 Level 1 compliance. The data-fabric cryptographic library of choice is OpenSSL 1.1.1. Only FIPS-approved cryptographic algorithms are used in the core platform. Weaker, non-FIPS-approved cryptographic algorithms such as MD5 are no longer supported.
OpenSSL 1.1.1 Distributions
OS | Module | Description |
---|---|---|
Ubuntu 18.04 | OpenSSL Cryptographic Module 2.1 | |
Ubuntu 20.04 | OpenSSL Cryptographic Module | |
RHEL 8 | OpenSSL Cryptographic Module rhel8.20200305 | |
SLES 15 SP2 | OpenSSL Cryptographic Module 4.1 | |
How OpenSSL Cryptographic Modules Are Used
- Data at-rest encryption/decryption (DARE) using AES-256 XTS
- Encryption of data transmitted over-the-wire using AES-256 GCM
- Signatures using HMAC SHA-256 for Amazon S3 access in the MAST gateway
- Random number generation as part of the challenge-response authentication
- Certificate validation and display
Cryptographic Libraries Used Before Release 7.0.0
Prior to release 7.0.0, the HPE Ezmeral Data Fabric used the CryptoPP cryptographic library for most C++ cryptographic operations. CryptoPP was certified at FIPS 140-2 Level 1 in 2007. The status of CMVP certificate #819 for CryptoPP is Historical, which means that it has expired. There are no plans to revalidate CryptoPP for FIPS approval. Release 7.0.0 replaces all CryptoPP cryptographic functionality used in earlier releases with equivalent FIPS 140-2 Level 1-validated OpenSSL cryptographic functionality that is fully compatible with older releases.
The Intel ISA-L cryptographic library, used in earlier releases for cryptographic operations such as AES-XTS encryption, is also replaced with the equivalent FIPS 140-2 Level 1-validated OpenSSL cryptographic functions.
Cryptographic Algorithms Used
Algorithm | How It's Used |
---|---|
AES-256 GCM | Used to encrypt and decrypt messages and RPC over the wire, with authentication of the message. These functions use a message authentication tag (MAC) that is 16 bytes long. |
AES-256 CTR | Used to generate the storage pool and block encryption keys for DARE. |
AES-256 XTS | Used for DARE encryption and decryption of data at rest on the disk. Both required keys are 32 bytes long, with a 16-byte tweak. |
DRBG Random Number Generator | Used to generate random bytes and numbers for initialization vectors, keys, challenge-response authentication, and other cases. |
SHA-256 Hashing Function (FIPS-approved as per FIPS 180-4) | Used to derive and generate the keys (serverkey, clusterkey, and other keys) from the master CLDB key. |
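The following added example (not HPE Ezmeral Data Fabric code) exercises the AES-256 GCM and AES-256 XTS parameter sizes from the table through Node.js, whose crypto module calls OpenSSL's ciphers. The function names, the 12-byte GCM IV, the associated-data argument, and the sector-number tweak are assumptions made for illustration.

```javascript
const crypto = require('crypto');

const GCM_TAG_LEN = 16;   // 16-byte authentication tag (from the table)
const XTS_KEY_LEN = 64;   // two 32-byte keys, concatenated as OpenSSL expects
const XTS_TWEAK_LEN = 16; // 16-byte tweak (from the table)

// Encrypt one message with AES-256 GCM. The random 12-byte IV and the
// associated data (aad) are assumptions, not taken from the page.
function gcmSeal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv,
                                  { authTagLength: GCM_TAG_LEN });
  c.setAAD(aad);
  const ciphertext = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ciphertext, tag: c.getAuthTag() };
}

// Decrypt and authenticate. A short tag is refused up front, and final()
// throws if the ciphertext, the associated data or the tag was altered.
function gcmOpen(key, msg, aad) {
  if (msg.tag.length !== GCM_TAG_LEN) throw new Error('tag must be 16 bytes');
  const d = crypto.createDecipheriv('aes-256-gcm', key, msg.iv,
                                    { authTagLength: GCM_TAG_LEN });
  d.setAAD(aad);
  d.setAuthTag(msg.tag);
  return Buffer.concat([d.update(msg.ciphertext), d.final()]);
}

// Encrypt or decrypt one data unit with AES-256 XTS. Using the sector
// number as the tweak is an assumption made for this example.
function xtsSector(encrypt, key, sectorNo, data) {
  if (key.length !== XTS_KEY_LEN) throw new Error('XTS needs two 32-byte keys');
  const tweak = Buffer.alloc(XTS_TWEAK_LEN);
  tweak.writeBigUInt64LE(BigInt(sectorNo));
  const c = encrypt
    ? crypto.createCipheriv('aes-256-xts', key, tweak)
    : crypto.createDecipheriv('aes-256-xts', key, tweak);
  // XTS handles a whole data unit in a single update() call.
  return Buffer.concat([c.update(data), c.final()]);
}
```

XTS provides confidentiality only: a modified sector decrypts to garbage without raising an error, whereas GCM rejects a modified message outright.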