Is RTI Connext DDS Secure FIPS-140 compliant?

The FIPS 140-2 standard applies to specific implementations of cryptographic modules. NIST validates modules for FIPS 140-2 compliance.

The built-in security plugins included with RTI Connext DDS Secure use the standard distribution of OpenSSL for cryptography. This OpenSSL distribution is not FIPS 140-2 validated.

To make RTI Connext DDS Secure comply with FIPS 140-2, a user will need to replace the standard OpenSSL cryptographic modules with FIPS 140-2 validated modules. There are two ways of doing this:

  1. Via a third-party OpenSSL cryptographic plugin that is FIPS 140-2 compliant. This change can be made without affecting the Connext DDS built-in plugins because the third-party cryptographic module would be called by OpenSSL underneath. RTI has integrated Certicom and Microsoft CNG FIPS 140-2 validated modules this way. Certicom is supported out of the box with Secure DDS 5.1.1.3, and the plugin for Microsoft CNG is available through RTI support (email support@rti.com).

  2. Via a custom RTI cryptographic plugin that replaces OpenSSL. RTI has integrated other FIPS 140-2 validated cryptographic libraries using this approach, for example, the ones provided by Mocana. Details are also available by contacting support@rti.com.

The most expeditious solution is typically to check whether validated modules already exist for the specific platform (operating system/processor) desired. The validated module list is here: http://csrc.nist.gov/groups/STM/cmvp/validation.html

If you use a FIPS 140-2 validated module that is already a plugin to OpenSSL, such as Certicom, then Connext DDS Secure is all you need. That is, you do not need the RTI Secure DDS Plugin SDK. This is because the plugins built into Connext DDS Secure call OpenSSL, and OpenSSL calls the cryptographic module.

If you want to use a FIPS-140 validated cryptographic module that is not already a plugin to OpenSSL, there are two options:

  • Write an OpenSSL interface to the FIPS-140 cryptographic module, as RTI did with Microsoft CNG. This again does not require the RTI Secure DDS Plugin SDK.

  • Write a custom DDS Security Plugin, replacing the OpenSSL-based built-in ones with new ones that use the FIPS-140 cryptographic module. This approach does require the RTI Secure DDS Plugin SDK, which is a separate add-on product to Connext DDS Secure.

Gerardo