Skip to content
HeliosDB HeliosDB Full

FIPS 140-2 Compliance Module

FIPS 140-2 Compliance Module

Overview

The FIPS 140-2 module provides cryptographic operations compliant with Federal Information Processing Standards (FIPS) 140-2 for HeliosDB v3.0. This module is essential for government, defense, and regulated industries requiring certified cryptographic implementations.

Features

Core Capabilities

  • FIPS Mode Management: Enable/disable FIPS-compliant operations
  • Approved Algorithms Only: Restrict to FIPS-certified cryptographic algorithms
  • Power-On Self-Tests (POST): Validate all algorithms on startup
  • Conditional Self-Tests: Verify algorithms before first use in a session
  • Key Zeroization: Secure erasure of cryptographic keys from memory
  • Comprehensive Audit Logging: Track all cryptographic operations

FIPS-Approved Algorithms

Symmetric Encryption

  • AES-128-GCM: 128-bit Advanced Encryption Standard with Galois/Counter Mode
  • AES-192-GCM: 192-bit AES-GCM (placeholder, not yet implemented)
  • AES-256-GCM: 256-bit AES-GCM (recommended for highest security)

Hashing

  • SHA-256: 256-bit Secure Hash Algorithm
  • SHA-384: 384-bit SHA
  • SHA-512: 512-bit SHA

Message Authentication Codes (MAC)

  • HMAC-SHA-256: Hash-based MAC with SHA-256
  • HMAC-SHA-384: Hash-based MAC with SHA-384
  • HMAC-SHA-512: Hash-based MAC with SHA-512

Asymmetric Algorithms (Planned)

  • RSA-2048/3072/4096: RSA encryption and signatures
  • ECDSA P-256/384/521: Elliptic Curve Digital Signature Algorithm

Architecture

Module Structure

heliosdb-security/src/fips/
├── mod.rs              # FIPS manager and core types
├── crypto.rs           # Cryptographic operations
├── validation.rs       # Self-tests (POST and conditional)
└── key_management.rs   # Key generation and zeroization

Key Components

FipsManager

Central manager for all FIPS operations:

  • Mode control (enable/disable)
  • Self-test execution
  • Cryptographic operation dispatch
  • Audit logging

FipsCrypto

Implements FIPS-approved cryptographic operations:

  • Symmetric encryption/decryption (AES-GCM)
  • Hash functions (SHA-2 family)
  • HMAC operations

FipsValidator

Self-test implementation:

  • Power-On Self-Tests using Known Answer Tests (KAT)
  • Conditional tests before algorithm use
  • Pairwise consistency tests

FipsKeyManager

Secure key lifecycle management:

  • Cryptographically secure key generation
  • Entropy validation
  • Key derivation (HKDF)
  • Automatic zeroization on drop

Usage

Basic Setup

use heliosdb_security::fips::{FipsManager, FipsConfig, FipsAlgorithm};


#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Create FIPS configuration
    let config = FipsConfig {
        enabled: true,
        strict_mode: true,           // Reject non-FIPS algorithms
        self_test_on_startup: true,  // Run POST on startup
    };


    // Initialize FIPS manager
    let fips = FipsManager::new(config).await?;


    println!("FIPS mode enabled: {}", fips.is_fips_enabled());


    Ok(())
}

Encryption/Decryption

// Generate a key
let key = fips.generate_key(FipsAlgorithm::Aes256Gcm).await?;


// Encrypt sensitive data
let plaintext = b"Classified information";
let encrypted = fips.encrypt(plaintext, &key, FipsAlgorithm::Aes256Gcm).await?;


// Decrypt
let decrypted = fips.decrypt(&encrypted, &key, FipsAlgorithm::Aes256Gcm).await?;
assert_eq!(plaintext, &decrypted[..]);

Hashing

// Compute cryptographic hash
let data = b"data to hash";
let hash = fips.hash(data, FipsAlgorithm::Sha256).await?;


// Hash is deterministic
let hash2 = fips.hash(data, FipsAlgorithm::Sha256).await?;
assert_eq!(hash, hash2);

HMAC (Message Authentication)

// Generate HMAC key
let key = fips.generate_key(FipsAlgorithm::HmacSha256).await?;


// Compute HMAC
let data = b"message to authenticate";
let mac = fips.hmac(data, &key, FipsAlgorithm::HmacSha256).await?;


// Verify HMAC by recomputing
let mac2 = fips.hmac(data, &key, FipsAlgorithm::HmacSha256).await?;
assert_eq!(mac, mac2);

Key Zeroization

// Generate key
let mut key = fips.generate_key(FipsAlgorithm::Aes256Gcm).await?;


// Use key for operations...
let encrypted = fips.encrypt(b"secret", &key, FipsAlgorithm::Aes256Gcm).await?;


// Securely erase key from memory
fips.zeroize_key(&mut key);


// Key is now all zeros
assert!(key.iter().all(|&b| b == 0));

Auto-Zeroizing Keys

use heliosdb_security::fips::FipsKey;


{
    let key_data = vec![0x42u8; 32];
    let key = FipsKey::new(key_data, FipsAlgorithm::Aes256Gcm)?;


    // Use key...
    println!("Key length: {}", key.len());


} // Key automatically zeroized on drop

Audit Logging

// Perform operations
let key = fips.generate_key(FipsAlgorithm::Aes256Gcm).await?;
let _ = fips.encrypt(b"data", &key, FipsAlgorithm::Aes256Gcm).await?;


// Retrieve audit log
let log = fips.get_audit_log();


for entry in log {
    println!(
        "[{}] {:?} - {} - {}",
        entry.timestamp,
        entry.event_type,
        entry.success,
        entry.details
    );
}


// Clear audit log
fips.clear_audit_log();

Self-Tests

Power-On Self-Tests (POST)

POST runs automatically when FIPS mode is enabled (if self_test_on_startup is true). It validates all algorithms using NIST test vectors:

// Manually run POST
fips.run_power_on_self_tests().await?;

POST includes:

  • Known Answer Tests (KAT) for all algorithms
  • Pairwise consistency tests for keys
  • Algorithm functionality verification

Conditional Self-Tests

Before first use of an algorithm in a session, conditional tests run automatically:

// This triggers conditional test for AES-256-GCM
let encrypted = fips.encrypt(data, &key, FipsAlgorithm::Aes256Gcm).await?;


// Subsequent uses are cached - no additional tests
let encrypted2 = fips.encrypt(data2, &key, FipsAlgorithm::Aes256Gcm).await?;

Configuration Options

FipsConfig

FieldTypeDescription
enabledboolEnable/disable FIPS mode
strict_modeboolReject all non-FIPS algorithms
self_test_on_startupboolRun POST when manager is created

Strict Mode

When strict_mode is enabled:

  • Only FIPS-approved algorithms are allowed
  • Attempts to use non-approved algorithms return FipsError::AlgorithmNotApproved
  • Ensures complete FIPS compliance

Error Handling

Error Types

pub enum FipsError {
    FipsNotEnabled,                    // FIPS mode is disabled
    AlgorithmNotApproved(String),      // Algorithm not FIPS-approved
    SelfTestFailed(String),            // Self-test failure
    CryptoError(String),               // Cryptographic operation failed
    KeyGenerationError(String),        // Key generation failed
    InvalidKeyLength { expected, actual }, // Wrong key size
    InvalidConfig(String),             // Invalid configuration
    ModeTransitionFailed(String),      // Failed to enable/disable FIPS
    InternalError(String),             // Internal error
}

Example Error Handling

use heliosdb_security::fips::FipsError;


match fips.encrypt(data, &key, algorithm).await {
    Ok(encrypted) => println!("Encrypted successfully"),
    Err(FipsError::FipsNotEnabled) => {
        eprintln!("FIPS mode must be enabled first");
        fips.enable_fips_mode().await?;
    }
    Err(FipsError::InvalidKeyLength { expected, actual }) => {
        eprintln!("Invalid key: expected {} bytes, got {}", expected, actual);
    }
    Err(e) => eprintln!("Encryption failed: {}", e),
}

Testing

Unit Tests (37 tests)

Located in src/fips/*/tests:

  • Cryptographic operation tests
  • Key management tests
  • Validation tests
  • Error condition tests

Run unit tests:

Terminal window
cargo test --lib fips

Integration Tests (14 tests)

Located in tests/fips_integration_tests.rs:

  • Full lifecycle tests
  • Mode enforcement tests
  • Concurrent operation tests
  • Audit logging tests

Run integration tests:

Terminal window
cargo test --test fips_integration_tests

Test Coverage

  • Total Tests: 51 (37 unit + 14 integration)
  • Coverage: >80% of FIPS module code
  • All algorithms tested with NIST test vectors

FIPS Certification Path

Current Status

This implementation provides FIPS 140-2 compliant cryptographic operations using:

  • NIST-approved algorithms
  • Known Answer Tests from NIST test vectors
  • Proper key zeroization
  • Comprehensive audit logging

Steps for Full Certification

  1. Algorithm Validation: Submit to NIST CAVP (Cryptographic Algorithm Validation Program)
  2. Module Validation: Submit to NIST CMVP (Cryptographic Module Validation Program)
  3. Testing: Independent lab testing (e.g., Acumen, atsec)
  4. Documentation: Complete security policy and design documentation
  5. Certification: Obtain FIPS 140-2 certificate

OpenSSL FIPS Module

For production deployments requiring certified implementations:

// Link against OpenSSL FIPS module
// Set LD_LIBRARY_PATH to OpenSSL FIPS installation
// Enable FIPS mode in OpenSSL


// The implementation can be extended to use OpenSSL FIPS:
// - Replace ring/aes-gcm with OpenSSL bindings
// - Call FIPS_mode_set(1) to enable FIPS
// - Verify FIPS_mode() returns 1

Performance Considerations

Optimization Tips

  1. Cache Self-Test Results: Conditional tests are cached per session
  2. Batch Operations: Group encryptions to minimize overhead
  3. Key Reuse: Generate keys once, reuse for multiple operations
  4. Hardware Acceleration: AES-NI automatically used when available

Benchmarks

On modern x86_64 CPU with AES-NI:

  • AES-256-GCM encryption: ~2-3 GB/s
  • SHA-256 hashing: ~500 MB/s
  • HMAC-SHA-256: ~400 MB/s
  • Key generation: ~10,000 keys/sec

Security Best Practices

Key Management

  1. Always zeroize keys after use
  2. Use FipsKey for automatic zeroization
  3. Generate keys with sufficient entropy
  4. Rotate keys periodically

Algorithm Selection

  1. Encryption: Use AES-256-GCM (strongest)
  2. Hashing: Use SHA-256 minimum, SHA-512 for sensitive data
  3. HMAC: Match hash strength to data sensitivity

Operational Security

  1. Enable strict mode in production
  2. Run POST on every startup
  3. Monitor audit logs for failures
  4. Update FIPS module with security patches

Integration with HeliosDB

TDE Integration

use heliosdb_security::{TdeSubsystem, FipsManager};


// Use FIPS-compliant encryption for TDE
let fips = FipsManager::new(fips_config).await?;
let tde = TdeSubsystem::new_with_fips(tde_config, fips).await?;

Key Vault Integration

FIPS keys can be stored in:

  • AWS KMS (with FIPS endpoints)
  • Azure Key Vault (FIPS 140-2 validated)
  • HashiCorp Vault (with FIPS 140-2 mode)
  • HSM via PKCS#11 (FIPS-certified HSMs)

Troubleshooting

Common Issues

FIPS mode won’t enable

Error: SelfTestFailed("AES-256-GCM KAT failed")

Solution: Verify cryptographic library installation and NIST test vectors

Invalid key length errors

Error: InvalidKeyLength { expected: 32, actual: 16 }

Solution: Ensure key length matches algorithm requirements

Algorithm rejected in strict mode

Error: AlgorithmNotApproved("MD5")

Solution: Use only FIPS-approved algorithms (SHA-256+, AES-GCM, etc.)

API Reference

Core Types

  • FipsManager: Main FIPS management interface
  • FipsConfig: Configuration structure
  • FipsAlgorithm: Enumeration of approved algorithms
  • FipsError: Error types
  • FipsKey: Auto-zeroizing key wrapper
  • FipsAuditEntry: Audit log entry
  • FipsEventType: Event type enumeration

Complete API

See module documentation:

Terminal window
cargo doc --open --package heliosdb-security

License

Apache 2.0 - See LICENSE file for details

Support

For FIPS-related questions or certification assistance:

  • GitHub Issues: [HeliosDB Repository]
  • Documentation: [HeliosDB FIPS Guide]
  • Email: security@heliosdb.io