• Is Debian OS FIPS Certified?

    From Milica Mijatovic@21:1/5 to All on Mon Sep 19 11:30:01 2022
    Hi,

    Is Debian OS FIPS certified? Does it support FIPS Validated Cryptographic Modules?

    What I noticed is that FIPS mode can be enabled with the tool
    fips-mode-setup <https://manpages.debian.org/unstable/crypto-policies/fips-mode-setup.8.en.html>.
    This tool is developed and can be used for other Linux distributions (SUSE, Oracle Linux, RedHat, Ubuntu), in case the user wants to enable FIPS mode afterwards (not part of OS). Does that mean that Debian can be configured
    to use FIPS Validated Cryptographic Modules?

    Thanks in advance.

    Regards,
    --
    Milica Mijatović
    Team Lead, Security Engineering
    Seven Bridges Genomics

    https://www.sbgenomics.com/

    --
    This email may contain confidential information. Please take care in the storage and transmission of this information. If you are not this message’s intended recipient, please destroy it and notify the sender. This email is
    not intended to and does not create any legally binding or enforceable obligation on the part of Seven Bridges in the absence of a fully-executed contract or an express written override of this disclaimer.

  • From Javier Fernandez-Sanguino@21:1/5 to milica.mijatovic@sbgenomics.com on Mon Sep 19 12:30:01 2022
    Dear Milica,

    I believe your question should be best addressed to the debian-security
    mailing list, as you might find security experts there, rather than to
    this mailing list (debian-doc). Nevertheless, I will try to answer you to
    the best of my ability.

On Mon, 19 Sept 2022 at 11:28, Milica Mijatovic <milica.mijatovic@sbgenomics.com> wrote:

    Hi,

    Is Debian OS FIPS certified? Does it support FIPS Validated Cryptographic Modules?


It would be best if you clarified which specific FIPS certification you refer to. There are multiple FIPS standards (see https://csrc.nist.gov/publications/fips). Are you referring to FIPS 140-2
or 140-3 (Security Requirements for Cryptographic Modules)? If this is the case, the elements to be certified in these standards are specific cryptographic modules, not the operating system itself.

    For security operating system certifications, the market uses the Common Criteria standard. This standard has developed a specific "Protection
    Profile" for general purpose operating systems. It is worthwhile noting
    that Debian GNU/Linux, as an operating system, is not Common Criteria certified. This is not because the Debian OS does not fulfill the
    requirements for certification but, rather, because certification is a
    heavy process that requires the engagement of a certification lab and an
entity paying for the whole process. Debian, as a project, has not seen the need in the past to go through these types of security certifications. Commercial companies (such as Red Hat, Ubuntu or IBM/SUSE) have undergone
the costly certification process, which is why their operating systems are listed in the Common Criteria product pages (see https://www.commoncriteriaportal.org/products/).



    What I noticed is that FIPS mode can be enabled with the tool
    fips-mode-setup <https://manpages.debian.org/unstable/crypto-policies/fips-mode-setup.8.en.html>.
    This tool is developed and can be used for other Linux distributions (SUSE, Oracle Linux, RedHat, Ubuntu), in case the user wants to enable FIPS mode afterwards (not part of OS). Does that mean that Debian can be configured
    to use FIPS Validated Cryptographic Modules?


Debian can indeed be configured, as other distributions, with FIPS to
enable the cryptographic module self-checks mandated by the Federal
Information Processing Standard (FIPS) 140-2. However, you need to be aware that the distribution itself has not been tested / certified to be in compliance with the FIPS 140-2 standard. This does not mean that it does
not comply, it just means that no attempts have been made to test/certify
the Debian OS in a specific configuration.

    Hope the above information is helpful.

    Javier


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
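As an added example (not from the thread, and not part of the crypto-policies or fips-mode-setup packages), the following POSIX shell script checks whether a Debian host is actually running with FIPS mode enabled, which is the practical question behind Javier's answer: it reads the kernel's fips_enabled flag, the boot command line, and the crypto-policies configuration file and reports whether the three agree. Assumptions: /etc/crypto-policies/config holds the active policy name as the crypto-policies package writes it, and fips-mode-setup places fips=1 on the kernel command line; the function names are mine.

```shell
# Added example: verify that a Debian host is running in FIPS mode.
# Interfaces read (real, but their presence on a given host is assumed):
#   /proc/sys/crypto/fips_enabled  kernel flag, 1 = kernel crypto self-tests enforced
#   /proc/cmdline                  boot parameters; fips-mode-setup adds fips=1
#   /etc/crypto-policies/config    active crypto-policies policy name

# assess_fips KERNEL_FLAG CMDLINE POLICY
# Prints a one-line verdict; returns 0 only when kernel flag, boot parameter
# and crypto policy all agree that FIPS mode is enabled.
assess_fips() {
    kernel_flag="$1"
    cmdline="$2"
    policy="${3:-none}"
    problems=""

    # The kernel must report fips_enabled=1, otherwise no self-tests are enforced.
    [ "$kernel_flag" = "1" ] || problems="$problems kernel-not-fips"

    # fips=1 must be on the kernel command line so the flag survives a reboot.
    case " $cmdline " in
        *" fips=1 "*) ;;
        *) problems="$problems no-fips=1-boot-param" ;;
    esac

    # The crypto policy must be FIPS or a FIPS-based subpolicy such as FIPS:OSPP.
    case "$policy" in
        FIPS|FIPS:*) ;;
        *) problems="$problems policy-$policy" ;;
    esac

    if [ -z "$problems" ]; then
        echo "FIPS mode: enabled (kernel self-tests active, policy $policy)"
        return 0
    fi
    echo "FIPS mode: NOT fully enabled:$problems"
    return 1
}

# read_first_line FILE: first line of FILE, or an empty string if unreadable.
read_first_line() {
    if [ -r "$1" ]; then head -n 1 "$1"; else echo ""; fi
}

# check_host: gather the three inputs from the running system and assess them.
check_host() {
    assess_fips "$(read_first_line /proc/sys/crypto/fips_enabled)" \
                "$(read_first_line /proc/cmdline)" \
                "$(read_first_line /etc/crypto-policies/config)"
}
```

Run `check_host` on the host (exit status 0 means the three settings are consistent) and compare the result with `fips-mode-setup --check`. A passing check only shows that FIPS mode is configured and the kernel self-tests are active; as Javier notes, it says nothing about whether the installed modules have been validated against FIPS 140-2.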
  • From Milica Mijatovic@21:1/5 to All on Mon Sep 19 12:40:01 2022
    Dear Javier,

    Many thanks for your reply and proper answer.

    Regards,
    Milica

    On Mon, Sep 19, 2022 at 12:28 PM Javier Fernandez-Sanguino <jfs@debian.org> wrote:

    Dear Milica,

    I believe your question should be best addressed to the debian-security mailing list, as you might find security experts there, rather than to
    this mailing list (debian-doc). Nevertheless, I will try to answer you to
    the best of my ability.

On Mon, 19 Sept 2022 at 11:28, Milica Mijatovic <milica.mijatovic@sbgenomics.com> wrote:

    Hi,

    Is Debian OS FIPS certified? Does it support FIPS Validated Cryptographic
    Modules?


It would be best if you clarified which specific FIPS certification you refer to. There are multiple FIPS standards (see https://csrc.nist.gov/publications/fips). Are you referring to FIPS 140-2
or 140-3 (Security Requirements for Cryptographic Modules)? If this is the case, the elements to be certified in these standards are specific cryptographic modules, not the operating system itself.

    For security operating system certifications, the market uses the Common Criteria standard. This standard has developed a specific "Protection Profile" for general purpose operating systems. It is worthwhile noting
    that Debian GNU/Linux, as an operating system, is not Common Criteria certified. This is not because the Debian OS does not fulfill the requirements for certification but, rather, because certification is a
heavy process that requires the engagement of a certification lab and an entity paying for the whole process. Debian, as a project, has not seen the need in the past to go through these types of security certifications. Commercial companies (such as Red Hat, Ubuntu or IBM/SUSE) have undergone
the costly certification process, which is why their operating systems are listed in the Common Criteria product pages (see https://www.commoncriteriaportal.org/products/).



    What I noticed is that FIPS mode can be enabled with the tool
    fips-mode-setup
    <https://manpages.debian.org/unstable/crypto-policies/fips-mode-setup.8.en.html>.
This tool is developed and can be used for other Linux distributions (SUSE, Oracle Linux, RedHat, Ubuntu), in case the user wants to enable FIPS mode
    afterwards (not part of OS). Does that mean that Debian can be configured
    to use FIPS Validated Cryptographic Modules?


Debian can indeed be configured, as other distributions, with FIPS to enable the cryptographic module self-checks mandated by the Federal Information Processing Standard (FIPS) 140-2. However, you need to be aware that the distribution itself has not been tested / certified to be in compliance with the FIPS 140-2 standard. This does not mean that it does
not comply, it just means that no attempts have been made to test/certify
the Debian OS in a specific configuration.

    Hope the above information is helpful.

    Javier



