FIPS 140-2 Level 1 Compliance for C/C++ Components

Describes how the HPE Ezmeral Data Fabric C/C++ components comply with Federal Information Processing Standard (FIPS) 140-2 Level 1.

The C/C++ components of the HPE Ezmeral Data Fabric need to use FIPS-approved cryptographic libraries for FIPS 140-2 Level 1 compliance. The data-fabric cryptographic library of choice is OpenSSL 1.1.1. Only FIPS-approved cryptographic algorithms are used in the core platform. Weaker, non-FIPS approved cryptographic algorithms such as MD5 are no longer supported.

OpenSSL 1.1.1 Distributions

On FIPS-enabled nodes, the HPE Ezmeral Data Fabric uses the FIPS-certified OpenSSL 1.1.1 distribution from the following operating system vendors:
OS Module Description
Ubuntu 18.04 OpenSSL Cryptographic Module 2.1
  • FIPS 140-2 Level 1
  • OpenSSL 1.1.1
  • CMVP #3980, valid until 7/11/2026
Ubuntu 20.04 OpenSSL Cryptographic Module
  • FIPS 140-2 Level 1
  • OpenSSL 1.1.1
  • CMVP #3966, valid until 7/6/2021, valid until 7/5/2026
RHEL 8 OpenSSL Cryptographic Module rhel8.20200305
  • FIPS 140-2 Level 1
  • OpenSSL 1.1.1
  • CMVP #3781, valid until 12/20/2025
SLES 15 SP2 OpenSSL Cryptographic Module 4.1
  • FIPS 140-2 Level 1
  • OpenSSL 1.1.1
  • CMVP #3991, valid until 7/21/2026

How OpenSSL Cryptographic Modules Are used

OpenSSL is a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library. The HPE Ezmeral Data Fabric uses OpenSSL 1.1.1 cryptographic modules exclusively for all cryptographic operations, including but not restricted to the following:
  • Data at-rest encryption/decryption (DARE) using AES-256 XTS
  • Encryption of data transmitted over-the-wire using AES-256 GCM
  • Signatures using HMAC SHA-256 for Amazon S3 access in the MAST gateway
  • Random number generation as part of the challenge-response authentication
  • Certificate validation and display

Cryptographic Libraries Used Before Release 7.0.0

Prior to release 7.0.0, the HPE Ezmeral Data Fabric used the CryptoPP cryptographic library for most C++ cryptographic operations. CryptoPP was certified at FIPS 140-2 Level 1 in 2007. The status for CMVP certificate #819 for CryptoPP is Historical, which means that it has expired. There are no plans to revalidate to get FIPS approved again. Release 7.0.0 replaces all CryptoPP cryptographic functionality used in earlier releases with equivalent FIPS 140-2 Level 1-validated OpenSSL cryptographic functionality that is fully compatible with older releases.

The Intel ISA-L cryptographic library used in earlier releases for cryptographic operations such as AES-XTS encryption are also replaced with the equivalent FIPS 140-2 Level 1 validated OpenSSL cryptographic functions.

Cryptographic Algorithms Used

The following table provides a list of cryptographic algorithms used in the HPE Ezmeral Data Fabric core platform. When applicable, such as in AES algorithms, the platform uses Initialization Vectors (IVs) that are 16 bytes long:
Algorithm How It's Used
AES-256 GCM Used to Encrypt/Decrypt messages and RPC over the wire with authentication of the message. These functions have a message authentication tag (MAC) of length of 16 bytes.
AES-256 CTR To generate the storage pool and block encryption keys for DARE.
AES-256 XTS Used for DARE Encryption/Decryption of data at rest on the disk. The Length of both keys needed is 32 bytes, with a 16-byte tweak.
DRBG Random Number Generator Used to generate bytes/numbers randomly for Initialization Vectors, Key, challenge-response authentication, and other cases.
SHA-256 Hashing Function (FIPS-approved as per FIPS 180-4) Hash is used to derive and generate the keys (serverkey, clusterkey, and other keys) from the master CLDB key.