Developing for FIPS

Applications can be developed either by using the FIPS validated packages, such as OpenSSL, directly, or by using a higher level language and software ecosystem. The following table shows the recommended packages to use to develop FIPS applications in high level software languages/environments.

| Environment | Recommended package | FIPS package used |
|---|---|---|
| Python | python3-cryptography | OpenSSL |
| Ruby | openssl module | OpenSSL |
| Perl | Net::SSLeay | OpenSSL |
| Nodejs | crypto and tls APIs | OpenSSL |

How do I use the FIPS validated components correctly?

In addition to its development documentation, each validated package comes with a security policy attached to its certificate which provides detailed guidance about using the module in the “User Guidance” section. You can find the security policy document after clicking on the certificate number on the table above, under the section ‘Related Files’. You can find all certificates and policies issued by Canonical by querying the NIST website.

For libraries like OpenSSL and libgcrypt, these instructions contain guidance about particular algorithms (for example, where to apply the AES-XTS algorithm) and details about initialization and other aspects relevant to the package.

How can I detect whether the system has FIPS enabled?

The generic way to check whether the Ubuntu system runs in FIPS mode is to check the file /proc/sys/crypto/fips_enabled.

When the Ubuntu FIPS kernel is present and runs with FIPS enabled, the /proc/sys/crypto/fips_enabled file exists and contains the 0x31 byte (character ‘1’ in ASCII). On Ubuntu, this indicates that FIPS is enabled.
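
The check described above, written as an added C example (not code from the original page or from Canonical). The function names, the enum and the path parameter are assumptions of this example; the path is a parameter only so the check can be run against a constructed file.

```c
#include <errno.h>
#include <stdio.h>

#define FIPS_FLAG_PATH "/proc/sys/crypto/fips_enabled"

enum fips_state { FIPS_ERROR = -1, FIPS_DISABLED = 0, FIPS_ENABLED = 1 };

/* Report the FIPS state recorded in the flag file at `path`. */
enum fips_state fips_state_from(const char *path)
{
    FILE *f = fopen(path, "r");
    if (f == NULL) {
        /* File absent: the kernel exposes no FIPS flag, so FIPS is not
         * enabled. Any other open failure leaves the state unknown. */
        return errno == ENOENT ? FIPS_DISABLED : FIPS_ERROR;
    }
    int c = fgetc(f);
    int read_failed = ferror(f);
    fclose(f);
    if (read_failed)
        return FIPS_ERROR;
    /* Enabled only when the first byte is 0x31 ('1' in ASCII). */
    return c == 0x31 ? FIPS_ENABLED : FIPS_DISABLED;
}

/* Fail closed: an application that must run in FIPS mode treats an
 * unreadable flag the same as a disabled one. */
int fips_required_ok(const char *path)
{
    return fips_state_from(path) == FIPS_ENABLED;
}

int main(void)
{
    switch (fips_state_from(FIPS_FLAG_PATH)) {
    case FIPS_ENABLED:
        puts("FIPS mode: enabled");
        return 0;
    case FIPS_DISABLED:
        puts("FIPS mode: disabled");
        return 1;
    default:
        fputs("FIPS mode: unknown (flag unreadable)\n", stderr);
        return 2;
    }
}
```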

Which random generator should I use?

When using a validated cryptographic library like OpenSSL, we recommend using that library’s random generator. In other cases we recommend using one of the following generators.

| Random generator interface | Description | Recommended |
|---|---|---|
| getrandom() | getrandom() is NIST SP800-90B compliant unless the GRND_RANDOM flag is specified. This is the recommended interface to use in Ubuntu. | Yes |
| /dev/urandom | It is wired to the NIST SP800-90B compliant Kernel Crypto API hash-based DRBG but does not block before the random generator is fully seeded. | No |
| /dev/random | It uses the traditional random number generator from the Linux kernel and it is not SP800-90B compliant. Because it can block indefinitely we do not recommend using it for any operation. | No |

Developing with OpenSSL

For an example of developing for FIPS with OpenSSL, see this article.
