Fips question

Does anyone on the group know if Commcare has been vetted against:
Federal Information Processing Standard (FIPS) 140-2 – Security
Requirements for Cryptographic Modules

I have a project in north america for some data collection and surveys but
was asked if HQ was certified 140-2 compliant?

Hi John,

Can you be a bit more specific on which component you are asking about?

FIPS certification relies on physical hardware components for Android,
which are implemented on many Samsung and other devices, but which we can’t
guarantee at the software level.

We have not made an intentional effort to ensure that we are taking
advantage of FIPS certified libraries on those devices, but in most cases
the implementation of the cryptography library (like the OpenSSL stack used
for HTTPS communications) would be FIPS compliant on any devices which
implement the certification.

-Clayton

··· On Thu, May 11, 2017 at 5:01 PM, John Harper <john.harper@grableservices.com wrote:

Does anyone on the group know if Commcare has been vetted against:
Federal Information Processing Standard (FIPS) 140-2 – Security
Requirements for Cryptographic Modules

I have a project in north america for some data collection and surveys but
was asked if HQ was certified 140-2 compliant?


You received this message because you are subscribed to the Google Groups
"CommCare Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to commcare-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Thanks Clayton,

since the application is hosted on Commcarehq.org that is secure from an
SSL perspective but I was refering to the Android application. And yes we
do use the Samsung devices for this as a rule.

If it is not included we could add the openSSL library to be compliant as
you suggest…any thoughts?

··· On Tuesday, May 23, 2017 at 3:30:34 PM UTC-7, Clayton Sims wrote: > > Hi John, > > Can you be a bit more specific on which component you are asking about? > > FIPS certification relies on physical hardware components for Android, > which are implemented on many Samsung and other devices, but which we can't > guarantee at the software level. > > We have not made an intentional effort to ensure that we are taking > advantage of FIPS certified libraries on those devices, but in most cases > the implementation of the cryptography library (like the OpenSSL stack used > for HTTPS communications) would be FIPS compliant on any devices which > implement the certification. > > -Clayton > > On Thu, May 11, 2017 at 5:01 PM, John Harper <john....@grableservices.com > wrote: > >> *Does anyone on the group know if Commcare has been vetted against:* >> Federal Information Processing Standard (FIPS) 140-2 – Security >> Requirements for Cryptographic Modules >> >> I have a project in north america for some data collection and surveys >> but was asked if HQ was certified 140-2 compliant? >> >> >> -- >> >> --- >> You received this message because you are subscribed to the Google Groups >> "CommCare Developers" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to commcare-developers+unsubscribe@googlegroups.com . >> For more options, visit https://groups.google.com/d/optout. >> > >

Hi John,

Sorry, when I referred to the SSL perspective I meant the SSL stack on the
Samsung device itself.

We manage all of our cryptography through common packages available in the
android device environment, which by default is not generally FIPS
compatible in order to receive security updates without delays.

We haven’t made it a priority to fulfill the terms of FIPS140-2 compliance,
although it would be possible to recompile CommCare to utilize a separate
crypto provider when available. One important note is that we store our
non-filesystem data using the SqlCipher Library, but we use the Open Source
version of the library, and not the FIPS compliant version, so that would
need to be purchased as an additional license.

-Clayton

··· On Thu, May 25, 2017 at 3:15 AM, John Harper <john.harper@grableservices.com wrote:

Thanks Clayton,

since the application is hosted on Commcarehq.org that is secure from an
SSL perspective but I was refering to the Android application. And yes we
do use the Samsung devices for this as a rule.

If it is not included we could add the openSSL library to be compliant as
you suggest…any thoughts?

On Tuesday, May 23, 2017 at 3:30:34 PM UTC-7, Clayton Sims wrote:

Hi John,

Can you be a bit more specific on which component you are asking about?

FIPS certification relies on physical hardware components for Android,
which are implemented on many Samsung and other devices, but which we can’t
guarantee at the software level.

We have not made an intentional effort to ensure that we are taking
advantage of FIPS certified libraries on those devices, but in most cases
the implementation of the cryptography library (like the OpenSSL stack used
for HTTPS communications) would be FIPS compliant on any devices which
implement the certification.

-Clayton

On Thu, May 11, 2017 at 5:01 PM, John Harper <john....@grableservices.com wrote:

Does anyone on the group know if Commcare has been vetted against:
Federal Information Processing Standard (FIPS) 140-2 – Security
Requirements for Cryptographic Modules

I have a project in north america for some data collection and surveys
but was asked if HQ was certified 140-2 compliant?


You received this message because you are subscribed to the Google
Groups “CommCare Developers” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to commcare-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


You received this message because you are subscribed to the Google Groups
"CommCare Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to commcare-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Thanks for the reply and info…

I will have to digest this all…one bite at a time.

So in a nutshell if I recompile the apk with the new compliant libraries
we should be good…correct? nothing would need to be changed on your
end…(meaning commcarehq.org)?

··· On Thursday, May 25, 2017 at 1:11:33 PM UTC-7, Clayton Sims wrote: > > Hi John, > > Sorry, when I referred to the SSL perspective I meant the SSL stack on the > Samsung device itself. > > We manage all of our cryptography through common packages available in the > android device environment, which by default is not generally FIPS > compatible in order to receive security updates without delays. > > We haven't made it a priority to fulfill the terms of FIPS140-2 > compliance, although it would be possible to recompile CommCare to utilize > a separate crypto provider when available. One important note is that we > store our non-filesystem data using the SqlCipher Library, but we use the > Open Source version of the library, and not the FIPS compliant version, so > that would need to be purchased as an additional license. > > -Clayton > > On Thu, May 25, 2017 at 3:15 AM, John Harper <john....@grableservices.com > wrote: > >> Thanks Clayton, >> >> since the application is hosted on Commcarehq.org that is secure from an >> SSL perspective but I was refering to the Android application. And yes we >> do use the Samsung devices for this as a rule. >> >> If it is not included we could add the openSSL library to be compliant as >> you suggest..........any thoughts? >> >> >> >> On Tuesday, May 23, 2017 at 3:30:34 PM UTC-7, Clayton Sims wrote: >>> >>> Hi John, >>> >>> Can you be a bit more specific on which component you are asking about? >>> >>> FIPS certification relies on physical hardware components for Android, >>> which are implemented on many Samsung and other devices, but which we can't >>> guarantee at the software level. >>> >>> We have not made an intentional effort to ensure that we are taking >>> advantage of FIPS certified libraries on those devices, but in most cases >>> the implementation of the cryptography library (like the OpenSSL stack used >>> for HTTPS communications) would be FIPS compliant on any devices which >>> implement the certification. >>> >>> -Clayton >>> >>> On Thu, May 11, 2017 at 5:01 PM, John Harper < john....@grableservices.com> wrote: >>> >>>> *Does anyone on the group know if Commcare has been vetted against:* >>>> Federal Information Processing Standard (FIPS) 140-2 – Security >>>> Requirements for Cryptographic Modules >>>> >>>> I have a project in north america for some data collection and surveys >>>> but was asked if HQ was certified 140-2 compliant? >>>> >>>> >>>> -- >>>> >>>> --- >>>> You received this message because you are subscribed to the Google >>>> Groups "CommCare Developers" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to commcare-developers+unsubscribe@googlegroups.com. >>>> For more options, visit https://groups.google.com/d/optout. >>>> >>> >>> -- >> >> --- >> You received this message because you are subscribed to the Google Groups >> "CommCare Developers" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to commcare-developers+unsubscribe@googlegroups.com . >> For more options, visit https://groups.google.com/d/optout. >> > >

Hi John,

I think it would be a bit more complex than that. I don’t believe FIPS
compliance is implemented at the javax.crypto library level in android, it
is implemented as a set of libraries at the C level (happy to be corrected
on this…), so you would likely need to write Java wrappers for the C
libaries and implement the Cipher interfaces using those wrappers.

On the cloud side I would need to check, but once again FIPS compliance is
a very comprehensive set of requirements, and strictly speaking without
undergoing a FIPS audit of our entire system I would not be able to say
confidently that any of our technologies would be compliant.

Similar to the mobile side, most web encryption technologies are not run
in FIPS compliant mode by default, due to the delay in receiving updates. I
don’t believe our hosted cloud (at www.commcarehq.org) is (at the software
level) tuned for FIPS compliance as of now, so ensuring FIPS might need to
involve standing up your own cloud backend as well, and ensuring that each
service is enabled in FIPS compliant mode rather than the default mode.

-Clayton

··· On Fri, May 26, 2017 at 2:02 PM, John Harper <john.harper@grableservices.com wrote:

Thanks for the reply and info…

I will have to digest this all…one bite at a time.

So in a nutshell if I recompile the apk with the new compliant libraries
we should be good…correct? nothing would need to be changed on your
end…(meaning commcarehq.org)?

On Thursday, May 25, 2017 at 1:11:33 PM UTC-7, Clayton Sims wrote:

Hi John,

Sorry, when I referred to the SSL perspective I meant the SSL stack on
the Samsung device itself.

We manage all of our cryptography through common packages available in
the android device environment, which by default is not generally FIPS
compatible in order to receive security updates without delays.

We haven’t made it a priority to fulfill the terms of FIPS140-2
compliance, although it would be possible to recompile CommCare to utilize
a separate crypto provider when available. One important note is that we
store our non-filesystem data using the SqlCipher Library, but we use the
Open Source version of the library, and not the FIPS compliant version, so
that would need to be purchased as an additional license.

-Clayton

On Thu, May 25, 2017 at 3:15 AM, John Harper <john....@grableservices.com wrote:

Thanks Clayton,

since the application is hosted on Commcarehq.org that is secure from an
SSL perspective but I was refering to the Android application. And yes we
do use the Samsung devices for this as a rule.

If it is not included we could add the openSSL library to be compliant
as you suggest…any thoughts?

On Tuesday, May 23, 2017 at 3:30:34 PM UTC-7, Clayton Sims wrote:

Hi John,

Can you be a bit more specific on which component you are asking about?

FIPS certification relies on physical hardware components for Android,
which are implemented on many Samsung and other devices, but which we can’t
guarantee at the software level.

We have not made an intentional effort to ensure that we are taking
advantage of FIPS certified libraries on those devices, but in most cases
the implementation of the cryptography library (like the OpenSSL stack used
for HTTPS communications) would be FIPS compliant on any devices which
implement the certification.

-Clayton

On Thu, May 11, 2017 at 5:01 PM, John Harper < john....@grableservices.com> wrote:

Does anyone on the group know if Commcare has been vetted against:
Federal Information Processing Standard (FIPS) 140-2 – Security
Requirements for Cryptographic Modules

I have a project in north america for some data collection and surveys
but was asked if HQ was certified 140-2 compliant?


You received this message because you are subscribed to the Google
Groups “CommCare Developers” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to commcare-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


You received this message because you are subscribed to the Google
Groups “CommCare Developers” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to commcare-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


You received this message because you are subscribed to the Google Groups
"CommCare Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to commcare-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

yep I was afraid of that…sharpen my pencil…

I have a working cloud environment (monolith-only) but will run what I can
on it and see if I can get through the testing of both the mobile and cloud
systems…

I will let you know the outcome if I get the nod.

··· On Friday, May 26, 2017 at 12:45:00 PM UTC-7, Clayton Sims wrote: > > Hi John, > > I think it would be a bit more complex than that. I don't believe FIPS > compliance is implemented at the javax.crypto library level in android, it > is implemented as a set of libraries at the C level (happy to be corrected > on this...), so you would likely need to write Java wrappers for the C > libaries and implement the Cipher interfaces using those wrappers. > > On the cloud side I would need to check, but once again FIPS compliance is > a very comprehensive set of requirements, and strictly speaking without > undergoing a FIPS audit of our entire system I would not be able to say > confidently that any of our technologies would be compliant. > > Similar to the mobile side, most web encryption technologies are *not* run > in FIPS compliant mode by default, due to the delay in receiving updates. I > don't believe our hosted cloud (at www.commcarehq.org) is (at the > software level) tuned for FIPS compliance as of now, so ensuring FIPS might > need to involve standing up your own cloud backend as well, and ensuring > that each service is enabled in FIPS compliant mode rather than the default > mode. > > -Clayton > > On Fri, May 26, 2017 at 2:02 PM, John Harper <john....@grableservices.com > wrote: > >> Thanks for the reply and info......... >> >> I will have to digest this all..........one bite at a time. >> >> So in a nutshell if I recompile the apk with the new compliant libraries >> we should be good.......correct? nothing would need to be changed on your >> end.........(meaning commcarehq.org)? >> >> >> >> On Thursday, May 25, 2017 at 1:11:33 PM UTC-7, Clayton Sims wrote: >>> >>> Hi John, >>> >>> Sorry, when I referred to the SSL perspective I meant the SSL stack on >>> the Samsung device itself. >>> >>> We manage all of our cryptography through common packages available in >>> the android device environment, which by default is not generally FIPS >>> compatible in order to receive security updates without delays. >>> >>> We haven't made it a priority to fulfill the terms of FIPS140-2 >>> compliance, although it would be possible to recompile CommCare to utilize >>> a separate crypto provider when available. One important note is that we >>> store our non-filesystem data using the SqlCipher Library, but we use the >>> Open Source version of the library, and not the FIPS compliant version, so >>> that would need to be purchased as an additional license. >>> >>> -Clayton >>> >>> On Thu, May 25, 2017 at 3:15 AM, John Harper < john....@grableservices.com> wrote: >>> >>>> Thanks Clayton, >>>> >>>> since the application is hosted on Commcarehq.org that is secure from >>>> an SSL perspective but I was refering to the Android application. And yes >>>> we do use the Samsung devices for this as a rule. >>>> >>>> If it is not included we could add the openSSL library to be compliant >>>> as you suggest..........any thoughts? >>>> >>>> >>>> >>>> On Tuesday, May 23, 2017 at 3:30:34 PM UTC-7, Clayton Sims wrote: >>>>> >>>>> Hi John, >>>>> >>>>> Can you be a bit more specific on which component you are asking about? >>>>> >>>>> FIPS certification relies on physical hardware components for Android, >>>>> which are implemented on many Samsung and other devices, but which we can't >>>>> guarantee at the software level. >>>>> >>>>> We have not made an intentional effort to ensure that we are taking >>>>> advantage of FIPS certified libraries on those devices, but in most cases >>>>> the implementation of the cryptography library (like the OpenSSL stack used >>>>> for HTTPS communications) would be FIPS compliant on any devices which >>>>> implement the certification. >>>>> >>>>> -Clayton >>>>> >>>>> On Thu, May 11, 2017 at 5:01 PM, John Harper < john....@grableservices.com> wrote: >>>>> >>>>>> *Does anyone on the group know if Commcare has been vetted against:* >>>>>> Federal Information Processing Standard (FIPS) 140-2 – Security >>>>>> Requirements for Cryptographic Modules >>>>>> >>>>>> I have a project in north america for some data collection and >>>>>> surveys but was asked if HQ was certified 140-2 compliant? >>>>>> >>>>>> >>>>>> -- >>>>>> >>>>>> --- >>>>>> You received this message because you are subscribed to the Google >>>>>> Groups "CommCare Developers" group. >>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>> send an email to commcare-developers+unsubscribe@googlegroups.com. >>>>>> For more options, visit https://groups.google.com/d/optout. >>>>>> >>>>> >>>>> -- >>>> >>>> --- >>>> You received this message because you are subscribed to the Google >>>> Groups "CommCare Developers" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to commcare-developers+unsubscribe@googlegroups.com. >>>> For more options, visit https://groups.google.com/d/optout. >>>> >>> >>> -- >> >> --- >> You received this message because you are subscribed to the Google Groups >> "CommCare Developers" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to commcare-developers+unsubscribe@googlegroups.com . >> For more options, visit https://groups.google.com/d/optout. >> > >