FIPS 140-2 compliance mode / binary / container

[mffap]

Background

Some customers, especially with business in the US, require FIPS 140-2 Security Policy Compliance. Golang's crypto implementation is, by default, not suitable and cannot achieve compliance set out by FIPS.

Proposal

• We can create dedicated FIPS Builds of ZITADEL, similar to what other Golang-using companies like MinIO are doing
• In this build the standard golang crypto imports will be replaced with BoringCrypto (released by Google) which is certified for FIPS 140-2 compliance
• Since this build will use the libraries from the OS within the container, we need to provide customers with a separate container images

Acceptance Criteria

• [ ] With each release, a separate container image is built where golang crypto importes are replaced by BoringCrypto
• [ ] Documentation and disclaimer
• [x] #4157
  • [ ] with work factor of >310'00
  • [ ] internal hash function of HMAC-SHA-256

[muhlemmer]

Just browsing I came accross some additional info that might be helpfull:

• Since Go 1.19, the build has become much simpler, no need to use the BoringCrypto branch anymore: https://github.com/golang/go/issues/51940.
• Microsoft has a FIPS fork of Go here: https://github.com/microsoft/go with pre-build Docker containers here: https://github.com/microsoft/go-images
• Note that enabling FIPS might create a performance overhead: https://kupczynski.info/posts/fips-golang/#performance-impact

[badrobit]

may want to update this from FIPS 140-2 to the current standard FIPS 140-3 https://csrc.nist.gov/pubs/fips/140-3/final

[BillyBolton]

Any update on this?

[muhlemmer]

It's in the backlog without priority at the moment. This may change if we get demand from enterprise users.