It's interesting and kind of neat in an inside-baseball way that the standard Go cryptographic library (already unusual in the major languages for being a soup-to-nuts implementation rather than wrappers around an OpenSSL) is almost fully NIST-validated; in particular, it means vendors who want to sell into FedGov can confidently build with the Go standard library.
Having said all this: nobody should be using crypto/fips140 unless they know specifically why they're doing that. Even in its 140-3 incarnation, FIPS 140 is mostly a genuflection to FedGov idiosyncrasies.
> Having said all this: nobody should be using crypto/fips140 unless they know specifically why they're doing that. Even in its 140-3 incarnation, FIPS 140 is mostly a genuflection to FedGov idiosyncrasies.
Not really. It isn't hard to use FIPS validated software, it's just annoying to do because most libraries you would want to use aren't FIPS compliant by default for good reasons. If you can get a government contract in the first place you are already administratively competent enough to use FIPS.
Does that mean it might be easier, regardless of language, to shell out to your cryptographic Go binary rather than deal with OpenSSL? I dislike a lot of Go, but they have been pretty good about backwards compatibility.
> already unusual in the major languages for being a soup-to-nuts implementation rather than wrappers around an OpenSSL
What does "Soup-to-nuts" require in this context? Should I expect that Go has for some reason re-implemented the x86-64 machine code to do ChaCha20 or do you still consider it a "Soup-to-nuts" implementation if they reuse the same machine code for this that you'd find in everybody else's implementation so long as they wrote their own wrapper code ?
Unlike say compression there's no real room in these core features to innovate. You can't pick different "nothing up my sleeve" numbers, you can't can't offer more parametrisation, anything like that would be an incompatibility - it's intentionally a standardized component.
Off the top of my head, there might be some old assembly by Andy Polyakov and by Vlad Krasnov that was contributed to both Go and OpenSSL. Even there, we’ve been working for years to port hand-written assembly to higher level generators, and there’s not as much as you’d think. Everything else is original.
Besides integrating properly with Go applications, this lets us optimize for readability and correctness, with IMHO excellent empirical results.
The "Uncompromising Security" section[1] is particularly interesting to me. FIPS-140 compliance usually leads to reduced security, but it looks like the Go team found ways around the main janky bits. It's nice that there's now a FIPS-140 module for FedRAMP that doesn't require avoiding VMs to stay secure, for example.
Part of the issue was that there are multiple FIPS-140 versions, and the Go support is for FIPS-140-3, which is honestly quite updated and less annoying. To the point I actually recommended running our entire environment (for a pretty big cloud company) FIPS-140-3 mode (maybe not fully compliant for everything, but essentially going with "FIPS-140-3 as default but outside of FedRAMP we're not going to consider it a breaking change if it doesn't pass") because the only thing we might really be missing was ChaCha ciphers which mainly would impact clients running from mobile devices or otherwise lacking in power/AES accelleration... and we had no such clients
This is huge. I’ve spent years jumping through hoops to get Go projects signed off for FIPS-140 and I always worried that something was going to go wrong and we’d have a compliance nightmare on our hands. They just made it super easy.
Yes. Any language that dynamically links to the OS crypto library (like OpenSSL) is more attractive because your Government customer can install your software on their OS with their FIPS compliant OS crypto library.
This moves the needle for Go but you still need to cut a FIPS version of your software since this crypto is still statically linked. I like this option quite a bit if the Government customers get on board with it.
There are some Go forks maintained by Microsoft and RedHat I believe that do dynamic linking for crypto which requires CGO.
Companies don't need any additional reasons to skimp out on security.
The money could probably be more wisely spent if not following FIPS but without FIPS the average company wouldn't direct that money towards security at all.
There's a difference between FIPS validation and FIPS-approved algorithms. We can say "you have to use the FIPS-approved algorithms", but skip the useless validation step.
I’m curious to understand what implications this will have on Go and where it is used? How does this differ to other languages as well? I don’t fully understand what it will mean for Go and its community
It means companies with US government contracts writing Go code can use the standard library crypto package in native Go instead if having to enable CGO and using a crypto library written in C. CGO is kind of a pain in the ass to develop with compared to fully native Go code, especially when cross-compiling (and cross compilation is very common now that ARM is common on both laptops and servers).
This also now makes Go a very convenient language to write US Gov software in.
If you have never heard of FIPS before ignore this entirely and continue to live in happiness.
No, the Go 1.24 native module effort that they talk about in https://devblogs.microsoft.com/go/go-1-24-fips-update/ is this effort, which Microsoft was not involved in. We simply decided to delay the official announcement until the module reached the In Process list.
The system libraries approach used by Microsoft Go is cgo based IIUC, and I think derived from Go+BoringCrypto. I understand they are working on migrating their bindings to fit better downstream of the new native mode.
Does the use of the library in your application still require the application itself to be FIPS validated? This just makes it a little easier to go through full, validated NIST compliance, right?.
[ Big I am a cryptographer, not your cryptographer disclaimer ]
It depends, but if you are targeting Security Level 1 (which is what most folks think about when they think about FIPS 140) you generally don't need your entire application to be validated, only the cryptographic module.
So (again, depending on your requirements and on the Operating Environment you deploy to and on what algorithms you use and how) setting GOFIPS140 might actually be all you need to do.
Readit News
Having said all this: nobody should be using crypto/fips140 unless they know specifically why they're doing that. Even in its 140-3 incarnation, FIPS 140 is mostly a genuflection to FedGov idiosyncrasies.
https://go.dev/doc/security/fips140
Yup.
What should folks use then?
What does "Soup-to-nuts" require in this context? Should I expect that Go has for some reason re-implemented the x86-64 machine code to do ChaCha20 or do you still consider it a "Soup-to-nuts" implementation if they reuse the same machine code for this that you'd find in everybody else's implementation so long as they wrote their own wrapper code ?
Unlike say compression there's no real room in these core features to innovate. You can't pick different "nothing up my sleeve" numbers, you can't can't offer more parametrisation, anything like that would be an incompatibility - it's intentionally a standardized component.
Besides integrating properly with Go applications, this lets us optimize for readability and correctness, with IMHO excellent empirical results.
https://words.filippo.io/a-literate-go-implementation-of-pol...
https://go.dev/blog/tob-crypto-audit
https://www.youtube.com/watch?v=lkEH3V3PkS0
[1] https://go.dev/blog/fips140#uncompromising-security
This moves the needle for Go but you still need to cut a FIPS version of your software since this crypto is still statically linked. I like this option quite a bit if the Government customers get on board with it.
There are some Go forks maintained by Microsoft and RedHat I believe that do dynamic linking for crypto which requires CGO.
The money could probably be more wisely spent if not following FIPS but without FIPS the average company wouldn't direct that money towards security at all.
This also now makes Go a very convenient language to write US Gov software in.
If you have never heard of FIPS before ignore this entirely and continue to live in happiness.
This is something I wondered. Will we now see even more adoption of Go? Will Go be a more attractive option compared to language X/Yv
Deleted Comment
The system libraries approach used by Microsoft Go is cgo based IIUC, and I think derived from Go+BoringCrypto. I understand they are working on migrating their bindings to fit better downstream of the new native mode.
It's based on OpenSSL
It depends, but if you are targeting Security Level 1 (which is what most folks think about when they think about FIPS 140) you generally don't need your entire application to be validated, only the cryptographic module.
So (again, depending on your requirements and on the Operating Environment you deploy to and on what algorithms you use and how) setting GOFIPS140 might actually be all you need to do.