
FIPS compliance

The National Institute of Standards and Technology (NIST) defines the Federal Information Processing Standards (FIPS).

FIPS are standards and guidelines for federal computer systems that are developed by the National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce.

App Builder is a .NET application. The following page states Microsoft's position on FIPS compliance with regard to .NET:

https://docs.microsoft.com/en-us/dotnet/standard/security/fips-compliance

In the context of App Builder, FIPS compliance restricts the use of cryptography to:

  • FIPS-validated cryptographic libraries.
  • FIPS-approved cryptographic algorithms and key sizes.

Cryptography includes:

  • Random number generation
  • Hashing
  • Encryption
  • Digital Signatures
  • Certificate storage and encoding

Configuration

App Builder does not require any special configuration to enable FIPS-compliance.

App Builder itself does not implement any cryptographic algorithms. App Builder delegates all cryptographic operations to the host operating system. If the host operating system is properly configured, App Builder will use FIPS-validated implementations.

App Builder generates security tokens using only FIPS-approved algorithms. Where possible, App Builder asserts that third-party security tokens, such as digital signatures, use only FIPS-approved algorithms.

Enabling FIPS on Windows

On Windows, the "Use FIPS-compliant algorithms for encryption, hashing, and signing" system policy enables FIPS-mode.

Enabling FIPS on Linux

Linux has no equivalent to the Windows FIPS system policy. Enabling FIPS on Linux varies by distribution and is outside the scope of this document. The following links provide a starting point for several distributions:

Ultimately, .NET delegates to OpenSSL. Therefore, a FIPS-validated implementation of OpenSSL must be installed. Furthermore, OpenSSL must be configured to run in FIPS-mode by, e.g., setting the OPENSSL_FIPS environment variable.
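A preflight check for the Linux setup described above, added here as an example and not part of App Builder or its tooling. It assumes the kernel exposes its FIPS flag at /proc/sys/crypto/fips_enabled (a path this page does not mention) and that the expected value of OPENSSL_FIPS is 1; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify FIPS prerequisites for a running process on Linux.
# Usage (hypothetical): fips_preflight /proc/<pid>/environ
# File paths are parameters so the check can be run against constructed files.

# Print the value of variable $2 from a NUL-separated environment dump $1
# (the format of /proc/<pid>/environ). Prints nothing if the variable is absent.
env_value() {
    tr '\0' '\n' < "$1" | sed -n "s/^$2=//p" | head -n 1
}

# fips_preflight ENVIRON_FILE [KERNEL_FLAG_FILE]
# Returns 0 when both checks pass, 1 otherwise; prints one line per check.
fips_preflight() {
    environ_file=$1
    # Assumption: kernel FIPS flag location; the file holds 1 in FIPS mode.
    kernel_flag=${2:-/proc/sys/crypto/fips_enabled}
    rc=0

    if [ -r "$kernel_flag" ] && [ "$(cat "$kernel_flag")" = "1" ]; then
        echo "ok: kernel FIPS flag is 1"
    else
        echo "fail: kernel FIPS flag is not 1 ($kernel_flag)"
        rc=1
    fi

    # OPENSSL_FIPS must be present in the environment of the process itself,
    # not only in the shell of whoever runs this check.
    if [ ! -r "$environ_file" ]; then
        echo "fail: cannot read $environ_file"
        rc=1
    else
        val=$(env_value "$environ_file" OPENSSL_FIPS)
        if [ "$val" = "1" ]; then
            echo "ok: OPENSSL_FIPS=1 in process environment"
        else
            echo "fail: OPENSSL_FIPS is '${val}' in process environment"
            rc=1
        fi
    fi
    return $rc
}
```

Reading another user's /proc/<pid>/environ requires running the check as that user or as root.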

Uses of cryptography

App Builder uses cryptography in various subsystems, including: