Java and FIPS

Speakers: Pushkar Kulkarni & Vladimir Petko

Track: Security

Type: Long talk (45 minutes)

Room: Anamudi

Time: Sep 15 (Fri): 15:30

Duration: 0:40

US Federal agencies purchasing software or hardware that is based on cryptography algorithms mandate that it be FIPS (Federal Information Processing Standards) 140-2/140-3 certified under the Cryptographic Module Validation Program. While commercial distributions of Linux and the native cryptography modules are FIPS certified, a language runtime like Java faces a unique challenge. The Java Cryptography Architecture lets users configure “cryptography providers”, which are implementations of a well-defined service provider interface for cryptography, for use in their applications. The absence of any such “open-source FIPS provider” under the OpenJDK project has led to fragmentation in the “Java and FIPS” space. Different commercial distributions of Java have adopted unique and proprietary FIPS solutions, leaving no room for collaboration.

In this session, we will walk through the current state of the “Java and FIPS” world, share some of our FIPS plans for Java on Ubuntu, and seek feedback from the audience on what could be good approaches to foster collaboration in this space.