Skip to content
Building REST API Microservices

FIPS

1. Introduction

FIPS (Federal Information Processing Standards) are publicly recognized standards developed by the United States federal government to ensure that cryptographic modules and security protocols meet strict security and compliance requirements. These standards are crucial for protecting sensitive data in government and regulated industries, such as finance and healthcare. FIPS-compliant implementations are particularly important in the context of REST API security, as they provide validated cryptographic methods that protect data integrity, confidentiality, and authenticity. This chapter explores FIPS standards, their relevance to API security, and best practices for implementing FIPS-compliant solutions.

2. What is FIPS?

FIPS Overview

FIPS standards are developed and published by the National Institute of Standards and Technology (NIST), a branch of the U.S. Department of Commerce. These standards apply to various aspects of information security, including encryption, hashing, digital signatures, and secure key management. The most relevant standards for REST API security involve cryptographic algorithms and protocols.

Key FIPS Standards Related to API Security:

  1. FIPS 140-2 / FIPS 140-3: Security requirements for cryptographic modules, including hardware and software components that provide cryptographic services such as encryption, decryption, digital signatures, and key management.

  2. FIPS 197: Specifies the Advanced Encryption Standard (AES), which is widely used for data encryption in REST APIs.

  3. FIPS 180-4: Defines the Secure Hash Standard (SHS), including SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512, which are used for secure hashing in APIs.

  4. FIPS 186-4: Specifies the Digital Signature Algorithm (DSA), Elliptic Curve Digital Signature Algorithm (ECDSA), and RSA, used for digital signatures in securing API communications.

  5. FIPS 202: Defines the SHA-3 family of hashing algorithms, providing an additional level of security for APIs that require newer cryptographic methods.

3. Relevance of FIPS to API Security

FIPS standards are crucial for organizations that must comply with federal regulations or are operating in industries that demand high security, such as healthcare (HIPAA compliance), finance, and government sectors. Implementing FIPS-compliant cryptographic algorithms and modules helps ensure that APIs meet rigorous security standards and provide a high level of data protection.

Key Benefits of FIPS in API Security:

  1. Validated Cryptography: FIPS-compliant cryptographic modules are rigorously tested and validated to ensure they provide strong protection against known vulnerabilities and weaknesses.

  2. Regulatory Compliance: Many industries and government contracts mandate the use of FIPS-compliant cryptography to protect sensitive data. Adopting FIPS standards helps organizations meet these regulatory requirements.

  3. Enhanced Security Posture: By using FIPS-validated cryptography, APIs benefit from robust, vetted algorithms that improve data security and protect against unauthorized access.

  4. Trust and Assurance: Using FIPS-compliant solutions provides assurance to clients, partners, and regulatory bodies that security measures meet the highest standards of data protection.

4. Implementing FIPS-Compliant Cryptography in REST APIs

To implement FIPS-compliant security in REST APIs, it is essential to use cryptographic libraries and modules that are validated under FIPS standards. Below are key steps and examples of how to achieve FIPS compliance in a Node.js environment with the Fastify framework.

1. Configuring Node.js for FIPS Compliance

Node.js can be configured to operate in FIPS mode if it is built against a FIPS-validated OpenSSL library. This configuration ensures that all cryptographic operations use FIPS-approved algorithms and implementations.

Steps to Enable FIPS Mode in Node.js:

  1. Build Node.js with FIPS-enabled OpenSSL: Use the FIPS-compliant version of OpenSSL when compiling Node.js to enable FIPS mode.

  2. Enable FIPS Mode at Runtime: Enable FIPS mode by setting the environment variable NODE_OPTIONS=--enable-fips.

Example Configuration:

Terminal window
# Enable FIPS mode in Node.js
export NODE_OPTIONS=--enable-fips
node your-fips-compliant-api.js

2. Using FIPS-Compliant Cryptography in Node.js

Node.js provides native support for cryptographic operations, but ensuring that the cryptographic operations are FIPS-compliant requires careful selection of algorithms and parameters.

Example: FIPS-Compliant AES Encryption

const fastify = require("fastify")({ logger: true });
const crypto = require("crypto");


// Ensure that Node.js is running in FIPS mode
if (!crypto.getFips()) {
  throw new Error(
    "FIPS mode is not enabled. Ensure Node.js is built with FIPS-enabled OpenSSL."
  );
}


// FIPS-compliant AES encryption settings
const algorithm = "aes-256-cbc";
const key = crypto.randomBytes(32); // 256-bit key
const iv = crypto.randomBytes(16); // 128-bit initialization vector


// Function to encrypt data
function encryptData(payload) {
  const cipher = crypto.createCipheriv(algorithm, key, iv);
  let encrypted = cipher.update(JSON.stringify(payload), "utf8", "hex");
  encrypted += cipher.final("hex");
  return { iv: iv.toString("hex"), encryptedData: encrypted };
}


// Function to decrypt data
function decryptData(encryptedPayload) {
  const decipher = crypto.createDecipheriv(
    algorithm,
    key,
    Buffer.from(encryptedPayload.iv, "hex")
  );
  let decrypted = decipher.update(
    encryptedPayload.encryptedData,
    "hex",
    "utf8"
  );
  decrypted += decipher.final("utf8");
  return JSON.parse(decrypted);
}


// Route to encrypt and send data
fastify.post("/send-encrypted", async (request, reply) => {
  const payload = request.body;
  const encryptedPayload = encryptData(payload);
  return { message: "Payload encrypted successfully", encryptedPayload };
});


// Route to decrypt received data
fastify.post("/receive-encrypted", async (request, reply) => {
  const encryptedPayload = request.body;
  const decryptedPayload = decryptData(encryptedPayload);
  return { message: "Payload decrypted successfully", decryptedPayload };
});


// Start the Fastify server
fastify.listen({ port: 3000 }, (err, address) => {
  if (err) {
    fastify.log.error(err);
    process.exit(1);
  }
  fastify.log.info(`Server running at ${address}`);
});

Key Points in the Example:

  • FIPS Mode Check: The code checks whether Node.js is running in FIPS mode using crypto.getFips(). This ensures that the cryptographic operations meet FIPS standards.
  • FIPS-Approved Algorithms: The AES-256-CBC algorithm is FIPS-approved, providing strong encryption for payloads.
  • Secure Key Management: Keys are securely generated using cryptographic random bytes, adhering to FIPS requirements.

5. Best Practices for Implementing FIPS Compliance in APIs

  1. Use FIPS-Validated Cryptographic Libraries

    • Ensure that all cryptographic operations in your API use FIPS-validated libraries and modules. For Node.js, this means building against a FIPS-enabled version of OpenSSL.

  2. Enable FIPS Mode Correctly

    • Properly configure your environment to run in FIPS mode. Check that the FIPS flag is enabled during runtime, ensuring that all cryptographic functions adhere to FIPS standards.

  3. Audit and Validate Configurations

    • Regularly audit your API’s cryptographic configurations to ensure they remain FIPS-compliant. Validate that the correct algorithms, key lengths, and parameters are used consistently.

  4. Implement Key Management Best Practices

    • Use secure key management solutions such as hardware security modules (HSMs) or cloud-based key management services (e.g., AWS KMS) that are FIPS-certified to store, rotate, and manage cryptographic keys.

  5. Stay Up-to-Date with FIPS Requirements

    • Keep up with changes to FIPS standards, including updates to approved algorithms and compliance guidelines. Regularly review and update your cryptographic modules to meet the latest FIPS requirements.

  6. Educate Development Teams on FIPS Compliance

    • Train developers on the importance of FIPS compliance, including which algorithms and configurations are approved. Ensure that all team members understand how to maintain FIPS-compliant code.

6. Conclusion

FIPS compliance is a critical component of API security for organizations that handle sensitive data or operate in regulated environments. By implementing FIPS-validated cryptographic modules and adhering to best practices, APIs can provide robust security, meet regulatory requirements, and protect sensitive information against unauthorized access. Ensuring FIPS compliance enhances trust, security, and resilience in REST API implementations, providing a solid foundation for secure data processing and communication.