Note: The default version of Backyards is built with the standard SSL libraries. If you’d like to use an FIPS-compliant version of Istio/Backyards, contact us.

Overview 🔗︎

The Backyards Istio distribution provides compliance with the rules for cryptographic modules of FIPS 140-2 Security Level 1. To achieve this, Backyards provides the following measures:

  • Backyards is built using a FIPS-compliant library (BoringCrypto).
  • Envoy is built with the same FIPS-compliant library (BoringCrypto).
  • Backyards delivers a custom Istio build, using the same FIPS-compliant library (BoringCrypto).
  • For certificate management, Backyards uses a version of cert-manager built with the same FIPS-compliant library (BoringCrypto).
  • Backyards is tested with FIPS 140-2 compliant cipher suites (and rejects anything else).
  • Although FIPS 140 allows other ciphers, Backyards only GCM ciphers are enabled, because only those can prevent the SSL LUCKY13 timing attack.
  • BoringSSL is a fork of OpenSSL that is designed to meet Google’s needs. BoringSSL as a whole is not FIPS validated. However, there is a core library (called BoringCrypto) that has been FIPS validated.

FIPS 140-2 compliant Backyards TLS settings 🔗︎

Allowed TLS versions

  • TLS v1.2
  • TLS v1.3

Although FIPS 140-2 would allow lower TLS versions under some circumstances, we disabled them for security reasons. TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms, and they contain security vulnerabilities that may be exploited by attackers. The IETF is also planning to officially deprecate both protocols. In addition, the vast majority of encrypted Internet traffic is now over TLS 1.2, which was introduced over a decade ago.

Allowed FIPS compatible ciphers

  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • AES128-GCM-SHA256
  • AES256-GCM-SHA384

There are more ciphers allowed by FIPS 140-2. We only enable GCM ciphers, because only those ciphers can prevent a LUCKY13 timing attack

Allowed Elliptic-curve algorithm

  • P-256