lolloj - Fotolia
We were informed that our WebOMNI system (load balanced web servers running Windows 2008 IIS 7.0) needs to be FIPS...
140-2 compliant as it contains some CJIS data. We have enabled FIPS mode on the server. The server uses a Comodo RSA certificate to encrypt traffic. How do we confirm which FIPS certificate, if any, covers our configuration? We are rather sure it is either certificate 1008 (bcrypt.dll) or 1010 (RSAENH), but we are not sure how to tell. Any help you can give would be appreciated.
The Criminal Justice Information Services (CJIS) is the largest division of the Federal Bureau of Investigation. Its databases provide a centralized source of criminal justice information to agencies around the U.S. This information includes biometric, identity history, property and case/incident history data, so clearly it has to be extremely well protected. The CJIS Security Policy establishes minimum security requirements and controls to safeguard criminal justice information, covering areas such as wireless networking, remote access, data encryption and authentication. The requirements and controls in the CJIS Security Policy correspond closely to NIST 800-53: "Security and Privacy Controls for Federal Information Systems and Organizations," which is also the basis for the Federal Risk and Authorization Management Program.
Government agencies must ensure that their systems and any third-party systems, such as cloud services used for the transmission, storage or processing of criminal justice information complies with the CJIS Security Policy. Section 22.214.171.124 of the Security Policy sets out strict and specific Federal Information Processing Standard (FIPS) 140-2 encryption standards for data that is at rest or in transit, stating: "When encryption is employed, the cryptographic module used shall be certified to meet FIPS 140-2 standards."
There are various cryptographic modules that come with Windows operating systems and encapsulate different cryptographic algorithms accessible via API calls. I assume your servers are running a version of Windows Server 2008 R2, as support for Windows Server 2008 has expired. Microsoft's Cryptographic Primitives Library, a software-based cryptographic service provider (BCRYPT.dll), is FIPS 140-2 certified, as is its Enhanced Cryptographic Provider (RSAENH.dll), with the algorithms being accessible via the Microsoft CryptoAPI. User mode applications directly interface with BCRYPT, so this is the module to use.
Enabling FIPS mode in Windows makes it and its subsystems use only FIPS compliant cryptographic algorithms for encryption, hashing and signing. For example, it disallows the use of SSL 2.0 and 3.0 as they do not meet the FIPS standards. However, just enabling FIPS mode doesn't ensure a system complies with the CJIS Security Policy. There is no enforcement of the FIPS mode by the operating system or validated cryptographic modules. This means an application that doesn't check the registry setting associated with FIPS mode and isn't dependent on any Windows subsystems will continue to work exactly as it had with FIPS mode disabled, potentially using noncompliant encryption algorithms. This is why it's vital to run applications that use certified encryption modules at all times, and that software developers ensure their applications check the FIPS mode flag registry setting and enforce the use of the appropriate algorithms.
Read about Amazon Web Services' cloud deal with Colorado law enforcement agencies
Find out how to avoid common pitfalls when using threat intelligence and analytics
Learn about NIST's new password recommendations for U.S. government use
Dig Deeper on Disk and file encryption tools
Related Q&A from Michael Cobb
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
By performing ongoing risk assessments, organizations can keep their SSH vulnerabilities at a minimum and ensure their remote access foundation is ... Continue Reading