[tux3]

Isn't the point of FIPS accreditation that the organization wants to prioritize compliance over functionality/security?

A FIPS device being unpatched or broken for a few months almost seems like the natural state of things, at this point.

[josephcsible]

Yes, 100% this. The best evidence is probably that Dual_EC_DRBG got FIPS approval, but ChaCha20/Poly1305 and Curve25519 have not.

[tptacek]

https://csrc.nist.gov/publications/detail/fips/186/5/draft

[xyzzy123]

This is a great start. More or less all web sites are technically non-compliant with Australian government security standards (ISM) because TLS has diverged so widely from NIST and those standards dictate NIST approved cryptography.

Nobody cares, of course, but it causes pointless conversations and wasted time with auditors.

[tptacek]

I'm just pointing it out because I once confidently stated that Curve25519 illustrates everything that is wrong with FIPS, which would, on principle, never accept it, and was thoroughly served with the existence of this document. :)

(FIPS is very bad).

[xyzzy123]

I just want to run a "best-practice-ish" TLS setup and have that be compliant :(

Re: FIPS, agree that it is fractally bad [Fully realise I am preaching to choir].

The funny/sad part is that there are financial incentives to be able to say "yes" to customers inquiring about "FIPS compliance" which perpetuates the sham. Service providers (e.g. Amazon, Azure) then necessarily apply "compliance lawyering" (selective interpretation and omission) to give themselves a tick in the box. They can get away with this because their customers are also only pretending to care.

All this serves to create a false impression that "FIPS compliance" might be a real property of nontrivial systems rather than a form of expensive signalling.

I had a longer rant about that here: https://news.ycombinator.com/item?id=15215756

[jstrom]

My experience with HW HSMs has been that the FIPS process is so expensive that companies are only willing to put out a new FIPS-certified version once year. Also the certification itself seems to be more concerned with high-level security requirements rather than proof that any particular features of your HSM work correctly.

So the answer to any particular bug is typically wait until next year's version which includes all bug fixes that the normal releases have built up over the past year, or re-evaluate if you really need the certification.

[kstrauser]

It is. You can be secure or you can be FIPS-compliant, but not both.

[rsj_hn]

That is a pretty skewed interpretation. FIPS mode does things for you like flag uses of the same private key for encryption and authentication, it prevents the use of weak keys, and prevents use of hobbyist or non-approved algorithms including some sketchy PRNGs. The executable signing also makes monkey-patching harder, so it's more difficult to hook into an implementation and compromise it without detecting this at the compilation stage. That can and does have real security benefits.

The downside of FIPS mode is that because the certification process is so costly and time consuming, it will generally run behind and not get the latest algorithms until a few years have passed. That type of conservatism in cryptography can be good or bad, but overall I'd rather use a FIPS system than not, given the large number of dubious systems in use, and the FIPS system will be more secure than the average non-FIPS system, but less secure than a non-FIPS system carefully reviewed by experts.

[josephcsible]

> prevents use of hobbyist or non-approved algorithms including some sketchy PRNGs

It prevents use of good algorithms like ChaCha20/Poly1305, and it allowed the sketchiest PRNG of them all: Dual_EC_DRBG.

> The executable signing also makes monkey-patching harder

Monkey-patching means patching at runtime. This is just as easy to do after the signature has already been verified.

> it will generally run behind and not get the latest algorithms until a few years have passed

It also won't get fixes for vulnerabilities until a few years have passed.