Closed spencerkimball closed 3 years ago
+cc @adamgee @garvitjuniwal
The branch of Go that is built with the boring crypto library has been upgraded to go1.9. I was able to use it to build CockroachDB and run the tests without any issues.
Do we know what has to get done to be FIPS compliant? My understanding of FIPS 140-2 is that security-related cryptography must use FIPS-validated modules. From what I can tell, the only security-related usage of a non-FIPS algorithm is bcrypt as the KDF for password authentication.
One of the most common replacements for bcrypt is PBKDF2. According to NIST SP 800-132 (https://dl.acm.org/ft_gateway.cfm?id=2206217&ftid=1222141&dwn=1), PBKDF2 is an approved algorithm if the underlying hash function is approved. I've written and tested a patch that swaps bcrypt with PBKDF2, uses SHA256 as the underlying hash function, and builds with the "dev.boringcrypto" branch. Is this something you're interested in?
CockroachDB uses Go's SSL implementation, which is not and will apparently never be FIPS compliant due to the overhead of maintaining an active certification.
There is, however, a branch of Go which is built using the boring crypto library, which is FIPS compliant.
We could build a CockroachDB binary using this branch of Go. The current branch is based on version 1.8, even though the README.md specifies it is meant to be maintained against the most recent version.