Enterprise Linux 7.1 meets NIST crypto standards

Red Hat’s Enterprise Linux 7.1 has received FIPS 140-2 validation for nine cryptographic modules, including its OpenSSL component. The validation certificates are issued through NIST’s Cryptographic Module Validation Program, not by the vendor. According to company officials, the validations establish the platform as a secure operating system for mission-critical systems and national security data.

The National Institute of Standards and Technology sets the standards for cryptography used in federal systems, including cryptography implemented in open-source software libraries. Federal Information Processing Standard 140-2, published in 2001, specifies the security requirements for cryptographic modules used to protect sensitive information, secure communications and encrypt data.

Meeting the FIPS 140-2 requirements, and then documenting that compliance through the validation process, can be costly and time-consuming. When the 2014 Heartbleed bug revealed weaknesses in OpenSSL, for example, key components of that software library were rewritten entirely. The result was a much-improved OpenSSL, but because a validation covers only the exact module version that was tested, the rewritten code needed a fresh FIPS 140-2 validation before it could be used in federal systems that require validated cryptography. Eventually, a private firm stepped in to sponsor the effort.

Most open-source communities don’t have the time or interest to go through government validations, and that’s where companies that commercially support open source, like Red Hat, come in. “We actually see that market opportunity, and we invest in going through the certification process to make sure it complies,” Red Hat Chief Technologist for Public Sector David Egts said. And when software changes are made to comply with federal standards, he added, the updated code is available as part of the base operating system to government and all Red Hat customers.

To achieve FIPS 140-2 validation, Red Hat Enterprise Linux 7.1 was tested at an independent, accredited facility, the atsec information security corporation’s Cryptographic and Security Testing Laboratory, where the source code, the built binaries, the engineering processes and the software supply chain were evaluated. The laboratory performs the testing; the certificate itself is issued by the Cryptographic Module Validation Program on the basis of the lab’s report.

Along with OpenSSL, Red Hat’s Linux platform is validated for its OpenSSH server and client, which secure network communications, for its cryptographic application programming interfaces and for other modules. A validation is tied to the operational environments on which the module was tested: the certificates list a number of Hewlett Packard Enterprise and IBM hardware configurations, and the modules retain their validated status while running on those configurations.

Additionally, if Red Hat’s partners are developing software to run on top of its enterprise Linux using Red Hat’s validated cryptography libraries, those applications are covered by the libraries’ validation rather than needing one of their own. “They don’t need to go through a certification process themselves, because they have no crypto in their software,” Egts said.
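A practitioner relying on the inherited validation described above still has to confirm that the validated modules are actually operating in FIPS mode, because a certificate covers a module only in its approved mode of operation. The following POSIX shell script is an added example, not code from the article or from Red Hat. It assumes the RHEL 7 conventions that booting with fips=1 makes /proc/sys/crypto/fips_enabled read 1, and that the RHEL OpenSSL module refuses non-approved digests such as MD5 while in FIPS mode; the function names and the optional file-path argument (which lets the kernel check run against a constructed file) are this example’s own.

```shell
#!/bin/sh
# Added example (not from the article or Red Hat): operator checks that the
# validated modules are really running in their approved (FIPS) mode.
# Assumption: on RHEL 7, booting with fips=1 makes the kernel flag below read 1.

# fips_kernel_enabled [path]
#   Returns 0 if the flag file reads "1", 1 if it reads anything else,
#   2 if the file is missing or unreadable (no FIPS flag on this kernel).
#   The path argument exists only so the check can be run against a test file.
fips_kernel_enabled() {
    flag="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$flag" ] || return 2
    [ "$(tr -d '[:space:]' < "$flag")" = "1" ]
}

# fips_mode_label [path]
#   Prints enabled / disabled / unknown for reports, without tripping set -e.
fips_mode_label() {
    rc=0
    fips_kernel_enabled "$1" || rc=$?
    case $rc in
        0) echo "enabled" ;;
        1) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# openssl_rejects_md5
#   Assumption: in FIPS mode the RHEL OpenSSL module refuses non-approved
#   digests, so a failing MD5 operation shows the library (not just the kernel
#   flag) is in FIPS mode. Returns 0 if MD5 was refused, 1 if it was computed,
#   2 if no openssl binary is on PATH.
openssl_rejects_md5() {
    command -v openssl >/dev/null 2>&1 || return 2
    if printf 'probe' | openssl dgst -md5 >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Report on the live system. Both checks must agree before an application
# can claim to be using the validated module in its approved mode.
printf 'kernel FIPS flag: %s\n' "$(fips_mode_label)"
rc=0
openssl_rejects_md5 || rc=$?
case $rc in
    0) echo "OpenSSL: MD5 refused (library operating in FIPS mode)" ;;
    1) echo "OpenSSL: MD5 accepted (library NOT in FIPS mode)" ;;
    *) echo "OpenSSL: binary not found, library check skipped" ;;
esac
```

On a correctly configured RHEL 7 host both lines report FIPS mode; a host where the kernel flag reads 1 but OpenSSL still computes MD5 (or the reverse) is misconfigured and is not running the module as validated.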

About the Author

Amanda Ziadeh is a Reporter/Producer for GCN.

Prior to joining 1105 Media, Ziadeh was a contributing journalist for USA Today Travel's Experience Food and Wine site. She's also held a communications assistant position with the University of Maryland Office of the Comptroller, and has reported for the American Journalism Review, Capitol File Magazine and DC Magazine.

Ziadeh is a graduate of the University of Maryland where her emphasis was multimedia journalism and French studies.
