Enterprise Linux 7.1 meets NIST crypto standards
- By Amanda Ziadeh
- Dec 13, 2016
Red Hat’s Enterprise Linux 7.1 has been awarded a critical security certification for nine modules, including its OpenSSL component. According to company officials, the certifications establish the platform as a secure operating system for mission-critical systems and national security data.
The National Institute of Standards and Technology sets standards for federal cryptographic-based security systems, including those in open-source software libraries. The Federal Information Processing Standard 140-2 was established in 2001 for native systems that process sensitive information, secure communications and encrypt data.
Meeting the FIPS 140-2 standards -- and then documenting that compliance -- can be a costly and time-consuming process. When the 2014 Heartbleed bug revealed vulnerabilities in OpenSSL, for example, key components of that software library were rewritten entirely. The result was a much-improved OpenSSL, but one that needed a new FIPS 140-2 validation before it could be used legally in federal systems. Eventually, a private firm stepped in to sponsor the effort.
Most open-source communities don’t have the time or interest to go through government certifications, and that’s where commercially supported open source companies, like Red Hat, come in. “We actually see that market opportunity, and we invest in going through the certification process to make sure it complies,” Red Hat Chief Technologist for Public Sector David Egts said. And when software changes are made to comply with federal standards, he added, the updated code is available as part of the base operating system to government and all Red Hat customers.
In order to achieve FIPS 140-2 certification, Red Hat Enterprise Linux 7.1 was tested at an independent facility -- the Atsec Information Security Corporation’s Cryptographic and Security Testing Laboratory -- where the source code, as well as the inner binaries, the engineering processes and software supply chain were evaluated.
Along with its OpenSSL, Red Hat’s Linux platform is certified for its Open Secure Shell Server and Client for securing network communications, its cryptographic application programming interfaces and others. These modules will retain their certifications while running on a number of Hewlett Packard Enterprise and IBM hardware configurations.
Additionally, if Red Hat’s partners develop software that runs on top of its enterprise Linux and uses Red Hat’s certified cryptography libraries, that software is covered by the certification as well. “They don’t need to go through a certification process themselves, because they have no crypto in their software,” Egts said.
Amanda Ziadeh is a former reporter/producer for GCN.