[RFC] Proposal for supporting FIPS 140-2 enforced mode

[terryquigleysas]

Is your feature request related to a problem? Please describe. Feature Request #1497

Describe the solution you'd like

Problem Statement

We would like to contribute to OpenSearch to support running in FIPS-140-2 compliant mode. We propose delivering this in several phases, as discussed in the feature request above, starting with core changes and aiming towards a desired state of providing configurable options.

This RFC is to ensure our approach would be seen as a feasible and acceptable contribution.

Phases

Phase 1: Remove hardcoded Bouncy Castle references

Security plugin

Update code, retaining current functionality

• Proposed libraries: Bouncy Castle FIPS, Password4j, rfksystems Blake2b
  • Alternatively contribute to Password4j to expose Blake2b functionality and reduce the number of libraries brought in
• Security policy changes
  • Complicated by the plugin structure
• NB OpenSearch must still work for rolling upgrades

Performance Analyzer (potentially)

• This codebase is separate from OpenSearch Security and may also lead us to have to make changes to OpenSearch core
• Who do we liaise with?

Unknown unknowns (e.g. behavior of other plugins, scripts etc.)

• Emphasis on not inadvertently breaking anything

Phase 2: Introduce FIPS-compliant alternatives as default for:

Bcrypt password hashing

• PBKDF2

Blake2b for masking

• e.g. SHA3

Certificate handling (potentially)

Cipher lists (potentially)

Any additional security policy changes

Add FIPS mode configuration flag

• This may lead us to have to make changes to OpenSearch core

  Phase 3: Testing and rework

  By now we will be carrying out extensive testing and verification and expect that additional requirements may arise.

Additional work for any issues found in our testing

Extend unit tests

Extend integration tests

Phase 4: Configurability

Additional configuration options

• Configure additional security providers
• Configure hashing algorithms
• Validation

Contingency for unknown unknowns

Phase 5: Documentation

All required configuration options and settings

JDK 11 requirement

Limitations

Not in scope

Changing an existing cluster from non-FIPS to FIPS compliant

Dashboards, Data Prepper etc. - our focus is on server only

Any, as yet unknown, OpenSearch plugins that require extensive work for FIPS-compliance

These could be actioned by the wider community

Help Required

We have accessed and used:

• YouTube videos on developing and contributing
• Documentation and GitHub pages
• Blog items
• Slack

We expect we will need some additional help with:

• Processes
  • Proposal example
  • Creation of project stories / issues / epics / labels?
  • Backporting and releasing
  • Documentation
  • Tests
    • How do we ensure we don't break something unexpectedly?
    • Benchmarking
• Wider impact analysis
• Anything else we haven't thought of

[terryquigleysas]

Moving to security plugin. Closing here.

[terryquigleysas]

Raised as https://github.com/opensearch-project/security/issues/3420