summaryrefslogtreecommitdiff
path: root/doc/rst/legacy/fips_mode_-_an_explanation/index.rst
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rst/legacy/fips_mode_-_an_explanation/index.rst')
-rw-r--r--doc/rst/legacy/fips_mode_-_an_explanation/index.rst129
1 files changed, 129 insertions, 0 deletions
diff --git a/doc/rst/legacy/fips_mode_-_an_explanation/index.rst b/doc/rst/legacy/fips_mode_-_an_explanation/index.rst
new file mode 100644
index 000000000..9665ce331
--- /dev/null
+++ b/doc/rst/legacy/fips_mode_-_an_explanation/index.rst
@@ -0,0 +1,129 @@
+.. _mozilla_projects_nss_fips_mode_-_an_explanation:
+
+FIPS Mode - an explanation
+==========================
+
+.. container::
+
+ NSS has a "FIPS Mode" that can be enabled when NSS is compiled in a specific way. (Note: Mozilla
+ does not distribute a "FIPS Mode"-ready NSS with Firefox.) This page attempts to provide an
+ informal explanation of what it is, who would use it, and why. 
+
+.. _what's_a_fips:
+
+`What's a FIPS? <#what's_a_fips>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ The United States government defines many (several hundred) "Federal Information Processing
+ Standard" (FIPS) documents.  (FIPS sounds plural, but is singular; one FIPS document is a FIPS,
+ not a FIP.)  FIPS documents define rules, regulations, and standards for many aspects of handling
+ of information by computers and by people.  They apply to all US government employees and
+ personnel, including soldiers in the armed forces.  Generally speaking, any use of a computer by
+ US government personnel must conform to all the relevant FIPS regulations.  If you're a
+ US government worker, and you want to use a Mozilla software product such as Firefox, or any
+ product that uses NSS, you will want to use it in a way that is fully conformant with all the
+ relevant FIPS regulations.  Some other governments have also adopted many of the FIPS
+ regulations, so their applicability is somewhat wider than just the US government's personnel.
+
+.. _what_is_fips_mode:
+
+`What is "FIPS Mode"? <#what_is_fips_mode>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ One of the FIPS regulations, FIPS 140, governs the use of encryption and cryptographic services. 
+ It requires that ALL cryptography done by US government personnel MUST be done in "devices" that
+ have been independently tested, and certified by NIST, to meet the extensive requirements of that
+ document.  These devices may be hardware or software, but either way, they must function and
+ behave as prescribed.  So, in order for Mozilla Firefox and Thunderbird to be usable by people
+ who are subject to the FIPS regulations, Mozilla's cryptographic software must be able to operate
+ in a mode that is fully compliant with FIPS 140.  To that end, Mozilla products can function in a
+ "FIPS Mode", which is really "FIPS 140 Mode", when paired with a compliant copy of NSS.  (Note,
+ the current version of FIPS 140 is revision 2, a.k.a. FIPS 140-2.  FIPS 140-3 is being devised by
+ NIST now for adoption in the future.)  Users who are subject to the FIPS regulations must ensure
+ that they have Mozilla's FIPS Mode enabled when they use Mozilla software, in order to be fully
+ conformant.  Instructions for how to configure Firefox into FIPS mode may be found on
+ `support.mozilla.com <https://support.mozilla.com/en-US/kb/Configuring+Firefox+for+FIPS+140-2>`__.
+
+.. _is_nss_fips-140_compliant:
+
+`Is NSS FIPS-140 compliant? <#is_nss_fips-140_compliant>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ Mozilla's NSS cryptographic software has been tested by government-approved independent testing
+ labs and certified by NIST as being FIPS 140 compliant *when operated in FIPS mode* on 4 previous
+ occasions.  As of this writing, NSS is now being retested to be recertified for the fifth time. 
+ NSS was the first open source cryptographic library to be FIPS certified.  
+
+.. _what_is_fips_mode_all_about:
+
+`What is FIPS Mode all about?  <#what_is_fips_mode_all_about>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ A FIPS-140 compliant application must do ALL of its cryptography in a FIPS-140 certified
+ "device".  Whether it is hardware or software, that device will have all the cryptographic
+ engines in it, and also will stores keys and perhaps certificates inside.  The device must have a
+ way for users to authenticate to it (to "login" to it), to prove to it that they are authorized
+ to use the cryptographic engines and keys it contains.  It may not do ANY cryptographic
+ operations that involve the use of cryptographic keys, nor allow ANY of the keys or certificates
+ it holds to be seen or used, except when a user has successfully authenticated to it.  If users
+ authenticate to it with a password, it must ensure that their passwords are strong passwords.  It
+ must implement the US government standard algorithms (also specified in other FIPS documents)
+ such as AES, triple-DES, SHA-1 and SHA-256, that are needed to do whatever job the application
+ wants it to perform.  It must generate or derive cryptographic keys and store them internally. 
+ Except for "public keys", it must not allow any keys to leave it (to get outside of it) unless
+ they are encrypted ("wrapped") in a special way.  This makes it difficult to move keys from one
+ device to another, and consequently, all crypto engines and key storage must be in a single
+ device rather than being split up into several devices.
+
+.. _how_does_this_affect_firefox_users:
+
+`How does this affect Firefox users? <#how_does_this_affect_firefox_users>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ These requirements have several implications for users.  In FIPS Mode, every user must have a
+ good strong "master password", and must enter it each time they start or restart Firefox before
+ they can visit any web sites that use cryptography (https).  Firefox can only use the latest
+ version of SSL, known as "TLS", and not the older SSL 2 or SSL 3.0 protocols, and Firefox can
+ only talk to those servers that use FIPS standard encryption algorithms such as AES or
+ triple-DES.  Servers that can only use non-FIPS-approved encryption, such as RC4, cannot be used
+ in FIPS mode.  
+
+.. _how_is_fips_mode_different_from_normal_non-fips_mode:
+
+`How is FIPS Mode different from normal non-FIPS Mode? <#how_is_fips_mode_different_from_normal_non-fips_mode>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ In normal non-FIPS Mode, the "master password" is optional and is allowed to be a weak short
+ password.  The user is only required to enter his master password to use his own private keys (if
+ he has any) or to access his stored web-site passwords.  The user is not required to enter the
+ master password to visit ordinary https servers, nor to view certificates he has previously
+ stored.  In non-FIPS mode, NSS is willing and able to use popular non-FIPS approved cryptographic
+ algorithms, such as RC4 and MD5, to communicate with older https servers.  NSS divides its
+ operations up into two "devices" rather than just one.  One device does all the operations that
+ may be done without needing to authenticate, and the other device stores the user's certificates
+ and private keys and performs operations that use those private keys.
+
+.. _how_do_i_put_firefox_into_fips_mode:
+
+`How do I put Firefox into FIPS Mode? <#how_do_i_put_firefox_into_fips_mode>`__
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. container::
+
+ Instructions for how to configure Firefox into FIPS mode may be found on
+ `support.mozilla.com <https://support.mozilla.com/en-US/kb/Configuring+Firefox+for+FIPS+140-2>`__.
+ Some third-parties distribute Firefox ready for FIPS mode, `a partial list can be found at the
+ NSS
+ wiki <https://wiki.mozilla.org/FIPS_Validation#Products_Implementing_FIPS_140-2_Validated_NSS>`__. \ No newline at end of file