Discussion:
Is Debian OS FIPS Certified?
Milica Mijatovic
2022-09-19 09:30:01 UTC
Hi,

Is Debian OS FIPS certified? Does it support FIPS Validated Cryptographic
Modules?

What I noticed is that FIPS mode can be enabled with the tool
fips-mode-setup
<https://manpages.debian.org/unstable/crypto-policies/fips-mode-setup.8.en.html>.
This tool is developed and can be used for other Linux distributions (SUSE,
Oracle Linux, RedHat, Ubuntu), in case the user wants to enable FIPS mode
afterwards (not part of OS). Does that mean that Debian can be configured
to use FIPS Validated Cryptographic Modules?

Thanks in advance.

Regards,
--
Milica Mijatović
Team Lead, Security Engineering
Seven Bridges Genomics

https://www.sbgenomics.com/
--
This email may contain confidential information. Please take care in the
storage and transmission of this information. If you are not this message’s
intended recipient, please destroy it and notify the sender. This email is
not intended to and does not create any legally binding or enforceable
obligation on the part of Seven Bridges in the absence of a fully-executed
contract or an express written override of this disclaimer.
Javier Fernandez-Sanguino
2022-09-19 10:30:01 UTC
Dear Milica,

I believe your question should be best addressed to the debian-security
mailing list, as you might find security experts there, rather than to
this mailing list (debian-doc). Nevertheless, I will try to answer you to
the best of my ability.

On Mon, 19 Sept 2022 at 11:28, Milica Mijatovic <
Post by Milica Mijatovic
Hi,
Is Debian OS FIPS certified? Does it support FIPS Validated Cryptographic
Modules?
It would be best if you clarified to which specific FIPS certification you
refer to. There are multiple FIPS standards (see
https://csrc.nist.gov/publications/fips). Are you referring to FIPS 140-2
or 140-3? (Security Requirements for Cryptographic Modules). If this is the
case, the elements to be certified in these standards are specific
cryptographic modules, not the operating system itself.

For security operating system certifications, the market uses the Common
Criteria standard. This standard has developed a specific "Protection
Profile" for general purpose operating systems. It is worthwhile noting
that Debian GNU/Linux, as an operating system, is not Common Criteria
certified. This is not because the Debian OS does not fulfill the
requirements for certification but, rather, because certification is a
heavy process that requires the engagement of a certification lab and an
entity paying for the whole process. Debian, as a project, has not seen the
need in the past to go through these types of security certifications.
Commercial companies (such as Red Hat, Ubuntu or IBM/SUSE) have undergone
the costly certification process, which is why their operating systems are
listed in the Common Criteria product pages (see
https://www.commoncriteriaportal.org/products/).
Post by Milica Mijatovic
What I noticed is that FIPS mode can be enabled with the tool
fips-mode-setup
<https://manpages.debian.org/unstable/crypto-policies/fips-mode-setup.8.en.html>.
This tool is developed and can be used for other Linux distributions (SUSE,
Oracle Linux, RedHat, Ubuntu), in case the user wants to enable FIPS mode
afterwards (not part of OS). Does that mean that Debian can be configured
to use FIPS Validated Cryptographic Modules?
Debian can indeed be configured, as other distributions, with FIPS to
enable the cryptographic module self-checks mandated by the Federal
Information Processing Standard (FIPS) 140-2. However, you need to be aware
that the distribution itself has not been tested / certified to be in
compliance with the FIPS 140-2 standard. This does not mean that it does
not comply, it just means that no attempts have been made to test/certify
the Debian OS in a specific configuration.

Hope the above information is helpful.

Javier
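A check for the distinction drawn above, added here as an illustration and not code from the thread or from the crypto-policies project: it reports whether the kernel actually switched into FIPS mode (as opposed to `fips=1` merely being requested on the command line) and whether OpenSSL's `fips` provider is active, while the verdict text carries the caveat that a positive result says nothing about CMVP validation of Debian's packages. The script name, function names and the ROOT prefix are my own; the `/proc` paths and the `openssl list -providers` output format are the standard ones.

```shell
#!/bin/sh
# fips_check.sh (hypothetical, written for this thread): report whether a
# Debian host is really running in FIPS mode. ROOT is a prefix so the
# functions can be run against a constructed /proc tree instead of the real one.

# fips_kernel_state ROOT -> enforcing | requested-only | off
# "requested-only" means fips=1 was passed on the kernel command line but the
# kernel did not switch into FIPS mode (flag file is 0 or missing).
fips_kernel_state() {
    root=${1:-}
    flag=0
    [ -r "$root/proc/sys/crypto/fips_enabled" ] && \
        flag=$(cat "$root/proc/sys/crypto/fips_enabled")
    cmdline=""
    [ -r "$root/proc/cmdline" ] && cmdline=$(cat "$root/proc/cmdline")
    if [ "$flag" = 1 ]; then
        echo enforcing
    else
        case " $cmdline " in
            *" fips=1 "*) echo requested-only ;;
            *)            echo off ;;
        esac
    fi
}

# fips_openssl_state < output of "openssl list -providers" -> active | inactive | absent
# Reads the provider listing on stdin so it can be tested with constructed text.
fips_openssl_state() {
    awk '/^  [a-z]/ { p = $1 }
         /status:/  { if (p == "fips") { print $2; found = 1 } }
         END        { if (!found) print "absent" }'
}

# fips_verdict ROOT OPENSSL_STATE -> exit 0 only when kernel and OpenSSL both report FIPS mode
fips_verdict() {
    k=$(fips_kernel_state "$1"); o=$2
    printf 'kernel: %s\nopenssl fips provider: %s\n' "$k" "$o"
    [ "$k" = enforcing ] && [ "$o" = active ]
}

# Demo on a constructed tree (not a real host): fips=1 requested, flag not set.
demo=$(mktemp -d)
mkdir -p "$demo/proc/sys/crypto"
echo 0 > "$demo/proc/sys/crypto/fips_enabled"
echo "BOOT_IMAGE=/vmlinuz root=/dev/sda1 fips=1 quiet" > "$demo/proc/cmdline"
fips_verdict "$demo" "$(printf 'Providers:\n  default\n    status: active\n' | fips_openssl_state)" \
    || echo "not in FIPS mode (and even in FIPS mode, Debian's modules are not CMVP-validated)"
rm -rf "$demo"
```

On a live host, run `fips_kernel_state ""` and pipe `openssl list -providers` into `fips_openssl_state`; "requested-only" is the state to investigate, since the boot asked for FIPS mode but the kernel's self-tests or configuration did not deliver it.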
Milica Mijatovic
2022-09-19 10:40:01 UTC
Dear Javier,

Many thanks for your reply and proper answer.

Regards,
Milica