Dan's Take

Red Hat Enterprise Linux 7.1 Receives Security Certification

It now meets international cryptography standards.

It is clear that the Internet can be an unfriendly place; that's why Red Hat is working to provide a safe, tested computing environment for its customers. The company just announced that "Red Hat Enterprise Linux 7.1 has received nine Federal Information Processing Standard (FIPS) 140-2 security certifications from the U.S. federal government's National Institute of Standards and Practices (NIST)."

Achieving FIPS 140-2 certification is a requirement for national agencies in both the U.S. and Canada, and the certification is also recognized in Europe and Australia. Red Hat says that its customers "now have greater assurance that native cryptographic security systems, such as those used to encrypt data and provide more secure communications, have been formally evaluated to meet international cryptography standards."

Certified Modules
Red Hat says that the following RHEL 7.1 modules have been shown to comply with the standard:

  • OpenSSL. A library of routines used by applications to support secure communications using both transport layer security (TLS) and secure socket layer (SSL)
  • OpenSSH Server. A system service designed to support secure communications to remote clients using the secure shell (SSH)
  • OpenSSH Client. A connectivity tool allowing remote login to remote systems using the secure shell (SSH)
  • Libgcrypt. A general purpose cryptographic library based upon the code from the GnuPG open source project
  • NSS. Network Security Services is a set of libraries supporting cross-platform development
  • Libreswan. The free software implementation of the virtual private network (VPN) protocols
  • Kernel Cryptographic API. A framework supporting secure communications to all parts of the Linux kernel
  • Kernel Cryptographic API with CPACF. Red Hat describes this module as "The Linux kernel Crypto API implemented in Red Hat Enterprise Linux 7.1 provides services operating inside the Linux kernel with various ciphers, message digests and an approved random number generator"
  • GnuTLS. GnuTLS is a secure communications library implementing the SSL, TLS and DTLS protocols and technologies around them

Certified Configurations
The Red Hat Enterprise Linux 7.1 modules retain FIPS 140-2 certification when running on these hardware configurations:

  • HPE ProLiant DL380p Gen8 with PAA
  • HPE ProLiant DL380p Gen8 without PAA
  • IBM Power8 Little Endian 8286-41A
  • IBM z13 (single-user mode)

Dan's Take: Starting With A Secure Base
FIPS 140-2 is a very important standard, and compliance is a requirement for Red Hat and all other operating environment providers selling to U.S. and Canadian government agencies. European and Australian agencies take notice of these standards as well.

This is a "gate fee" merely to get in the game of selling solutions to these agencies, not a guarantee of a sale.

Red Hat, Microsoft, IBM and others have developed tools to comply with this standard and have had their products tested.

I'd suggest that enterprises take note of this capability, as the Internet has become a rather unfriendly place. I'd also point out that security really should be built in, rather than added on after the fact.

About the Author

Daniel Kusnetzky, a reformed software engineer and product manager, founded Kusnetzky Group LLC in 2006. He's literally written the book on virtualization and often comments on cloud computing, mobility and systems software. He has been a business unit manager at a hardware company and head of corporate marketing and strategy at a software company.
