
Re: Is Debian OS FIPS Certified?



Dear Javier,

Many thanks for your reply and proper answer.

Regards,
Milica

On Mon, Sep 19, 2022 at 12:28 PM Javier Fernandez-Sanguino <jfs@debian.org> wrote:
Dear Milica,

I believe your question should be best addressed to the debian-security mailing list, as you might find security experts there, rather than to this mailing list (debian-doc). Nevertheless, I will try to answer you to the best of my ability.

On Mon, 19 Sept 2022 at 11:28, Milica Mijatovic <milica.mijatovic@sbgenomics.com> wrote:
Hi,

Is Debian OS FIPS certified? Does it support FIPS Validated Cryptographic Modules?

It would be best if you clarified to which specific FIPS certification you refer. There are multiple FIPS standards (see https://csrc.nist.gov/publications/fips). Are you referring to FIPS 140-2 or 140-3 (Security Requirements for Cryptographic Modules)? If this is the case, the elements to be certified in these standards are specific cryptographic modules, not the operating system itself.

For security operating system certifications, the market uses the Common Criteria standard. This standard has developed a specific "Protection Profile" for general purpose operating systems. It is worthwhile noting that Debian GNU/Linux, as an operating system, is not Common Criteria certified. This is not because the Debian OS does not fulfill the requirements for certification but, rather, because certification is a heavy process that requires the engagement of a certification lab and an entity paying for the whole process. Debian, as a project, has not seen the need in the past to go through these types of security certifications. Commercial companies (such as Red Hat, Ubuntu or IBM/SUSE) have undergone the costly certification process; that is why their operating systems are listed in the Common Criteria product pages (see https://www.commoncriteriaportal.org/products/).

What I noticed is that FIPS mode can be enabled with the tool fips-mode-setup. This tool is developed and can be used for other Linux distributions (SUSE, Oracle Linux, RedHat, Ubuntu), in case the user wants to enable FIPS mode afterwards (not part of OS). Does that mean that Debian can be configured to use FIPS Validated Cryptographic Modules?

Debian can indeed be configured, as other distributions, with FIPS to enable the cryptographic module self-checks mandated by the Federal Information Processing Standard (FIPS) 140-2. However, you need to be aware that the distribution itself has not been tested / certified to be in compliance with the FIPS 140-2 standard. This does not mean that it does not comply, it just means that no attempts have been made to test/certify the Debian OS in a specific configuration.

Hope the above information is helpful.

Javier 

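As an added example (not code from this thread, nor from the Debian project or fips-mode-setup), here is a small POSIX shell check that reports whether the running kernel is actually in FIPS mode, by reading the kernel's /proc/sys/crypto/fips_enabled flag and looking for fips=1 on the boot command line. The file paths are parameters so the check can be exercised on constructed files; the /proc nodes are real kernel interfaces, while the helper function names are mine.

```shell
#!/bin/sh
# Added example: report the host's FIPS-mode state. A value of 1 in
# /proc/sys/crypto/fips_enabled only means the kernel (and libraries that
# honour the flag) run their FIPS self-tests and restrict algorithms; it
# says nothing about whether the modules on this host are FIPS 140 validated.

# fips_flag_state [FILE]
#   Prints "enabled", "disabled" or "unknown" for the flag file
#   (default: the real sysctl node). Exit status: 0 / 1 / 2 respectively.
fips_flag_state() {
    file="${1:-/proc/sys/crypto/fips_enabled}"
    value=""
    if [ -r "$file" ]; then
        IFS= read -r value < "$file" || true
    fi
    case "$value" in
        1) echo "enabled";  return 0 ;;
        0) echo "disabled"; return 1 ;;
        *) echo "unknown";  return 2 ;;   # not Linux, or kernel lacks CONFIG_CRYPTO_FIPS
    esac
}

# cmdline_requests_fips [FILE]
#   Returns 0 if the kernel command line (default /proc/cmdline) carries fips=1,
#   i.e. FIPS mode was requested at boot (what fips-mode-setup arranges).
cmdline_requests_fips() {
    file="${1:-/proc/cmdline}"
    [ -r "$file" ] && grep -q -E '(^| )fips=1( |$)' "$file"
}

# fips_report [FLAG_FILE] [CMDLINE_FILE]
#   Human-readable summary; always returns 0 so it is safe under set -e.
fips_report() {
    flag=$(fips_flag_state "$1" || true)
    if cmdline_requests_fips "$2"; then req="present"; else req="absent"; fi
    printf 'kernel fips_enabled: %s; fips=1 on command line: %s\n' "$flag" "$req"
    printf 'note: "enabled" means self-tests are active, not that the modules are validated\n'
    return 0
}

fips_report
```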