FIPS Compliance #3292
Comments
Very supportive to try to make Altair available in more restrictive environments. Could you tell a bit more about this FIPS-compliant environment? How do we know we adhere to their principles?
Hello @mattijn absolutely! FIPS is a US Federal standard for encryption (https://en.wikipedia.org/wiki/FIPS_140). In FIPS-compliant environments it disables encryption algorithms that are known to be vulnerable, like md5 (please refer to "Collision vulnerabilities" here: https://en.wikipedia.org/wiki/MD5). Most high-compliance environments that work with data (i.e. healthcare, finance, government) require systems and applications to be FIPS-enabled. In order for applications to successfully run in a FIPS-enabled environment, they must use only approved cryptographic algorithms (i.e. sha256, aes, rsa, etc.). I've submitted patches for several open source projects based on our needs to run in these high-compliance environments. Sometimes this can be as simple as changing md5 to sha256, but it also depends on how the hashes are used in the project. I appreciate the feedback on this! I'm not sure how to fully test based on these updates that I've submitted, so the implications of my updates will need to be tested and vetted properly. Thanks!
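An added illustration of the md5-to-sha256 change discussed in the comment above; it is not Altair's code and not the contents of #3291. It shows why the swap "depends on how the hashes are used": stored names or cache keys made with md5 stop matching, so the sketch tags each fingerprint with its algorithm. All function names and the file-naming scheme are assumptions made for this example.

```python
import hashlib
import json


def md5_blocked() -> bool:
    """True when the crypto backend refuses plain MD5, as FIPS-enabled builds typically do."""
    try:
        hashlib.md5(b"probe")
    except ValueError:
        return True
    return False


def fingerprint(payload: bytes, algorithm: str = "sha256") -> str:
    """Content fingerprint tagged with its algorithm, e.g. 'sha256:ab12...'."""
    if algorithm == "md5":
        # Legacy, non-security use only. usedforsecurity (Python 3.9+) declares
        # that to the backend; a build with no MD5 at all still raises ValueError.
        digest = hashlib.md5(payload, usedforsecurity=False).hexdigest()
    else:
        digest = hashlib.new(algorithm, payload).hexdigest()
    return f"{algorithm}:{digest}"


def matches(stored: str, payload: bytes) -> bool:
    """Check a stored fingerprint, whichever algorithm produced it."""
    algorithm, _, _ = stored.partition(":")
    try:
        return fingerprint(payload, algorithm) == stored
    except ValueError:
        # Algorithm unavailable here (e.g. MD5 under FIPS): report a miss so
        # the caller regenerates the entry with an approved hash.
        return False


def dataset_filename(records, prefix="data", ext="json") -> str:
    """Deterministic file name derived from the data (hypothetical scheme)."""
    blob = json.dumps(records, sort_keys=True).encode("utf-8")
    return f"{prefix}-{fingerprint(blob).split(':', 1)[1][:32]}.{ext}"


if __name__ == "__main__":
    rows = [{"x": 1, "y": 2}]  # constructed sample data
    print("MD5 blocked here:", md5_blocked())
    print(dataset_filename(rows))
```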
Closing since #3291 was merged
Hello!
I'd like to run Altair in a FIPS-compliant environment, however the use of md5 causes the library to fail:
I submitted the following PR in the hopes that this could start to work towards a FIPS compliant library, thanks!
#3291