Skip to content
2023 API Summit Hackathon: Experiment with AI for APIs (August 28 - September 27) Learn More →
Kong Logo | Kong Docs Logo
search
  • We're Hiring!
  • Docs
    • Kong Gateway
      Lightweight, fast, and flexible cloud-native API gateway
      Kong Konnect
      Single platform for SaaS end-to-end connectivity
      Kong Mesh
      Enterprise service mesh based on Kuma and Envoy
      decK
      Helps manage Kong’s configuration in a declarative fashion
      Kong Ingress Controller
      Works inside a Kubernetes cluster and configures Kong to proxy traffic
      Kong Gateway Operator
      Manage your Kong deployments on Kubernetes using YAML Manifests
      Insomnia
      Collaborative API development platform
      Kuma
      Open-source distributed control plane with a bundled Envoy Proxy integration
  • API Specs
  • Plugin Hub
    • Explore the Plugin Hub
      View all plugins View all plugins View all plugins arrow image
    • Functionality View all View all arrow image
      View all plugins
      Authentication's icon
      Authentication
      Protect your services with an authentication layer
      Security's icon
      Security
      Protect your services with additional security layer
      Traffic Control's icon
      Traffic Control
      Manage, throttle and restrict inbound and outbound API traffic
      Serverless's icon
      Serverless
      Invoke serverless functions in combination with other plugins
      Analytics & Monitoring's icon
      Analytics & Monitoring
      Visualize, inspect and monitor APIs and microservices traffic
      Transformations's icon
      Transformations
      Transform request and responses on the fly on Kong
      Logging's icon
      Logging
      Log request and response data using the best transport for your infrastructure
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
Kong Gateway
3.2.x
  • Home icon
  • Kong Gateway
  • Kong Enterprise
  • About FIPS 140-2 Compliance in Kong Gateway
github-edit-pageEdit this page
report-issueReport an issue
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Plugin Hub
  • decK
  • Kong Ingress Controller
  • Kong Gateway Operator
  • Insomnia
  • Kuma

  • Docs contribution guidelines
  • 3.4.x (latest)
  • 3.3.x
  • 3.2.x
  • 3.1.x
  • 3.0.x
  • 2.8.x
  • 2.7.x
  • 2.6.x
  • Archive (pre-2.6)
enterprise-switcher-icon Switch to OSS
On this pageOn this page
  • FIPS implementation
    • Password hashing
    • Non-cryptographic usage of cryptographic algorithms
    • SSL client
You are browsing documentation for an outdated version. See the latest documentation here.

About FIPS 140-2 Compliance in Kong Gateway

The Federal Information Processing Standard (FIPS) 140-2 is a federal standard defined by the National Institute of Standards and Technology. It specifies the security requirements that must be satisfied by a cryptographic module. The FIPS Kong Gateway package is FIPS 140-2 compliant. Compliance means that Kong Gateway only uses FIPS 140-2 approved algorithms while running in FIPS mode, but the product has not been submitted to a NIST testing lab for validation.

Kong Enterprise provides a FIPS 140-2 compliant package for Ubuntu 20.04, Ubuntu 22.04, and Red Hat Enterprise 8. This package provides compliance for the core Kong Gateway product and all out of the box plugins .

The package replaces OpenSSL, the primary SSL library in Kong Gateway, with BoringSSL, which at its core uses the FIPS 140-2 validated BoringCrypto for cryptographic operations.

FIPS implementation

Password hashing

The following table describes how Kong Gateway uses key derivation functions:

Component Normal mode FIPS mode Notes
core/rbac bcrypt PBKDF2 1 PBKDF2 in BoringSSL isn’t FIPS validated.
plugins/oauth2 2 Argon2 or bcrypt (when hash_secret=true) Disabled (hash_secret can’t be set to true) PBKDF2 in BoringSSL isn’t FIPS validated.
plugins/key-auth-enc 3 SHA1 SHA256 SHA1 is read-only in FIPS mode.

[1]: As of Kong Gateway FIPS 3.0, RBAC uses PBKDF2 as password hashing algorithm.

[2]: As of Kong Gateway FIPS 3.1, the oauth2 plugin disables hash_secret feature, so the user can’t turn it on. This means password will be stored plaintext in the database; however, users can choose to use secrets management or db encryption instead.

[3]: As of Kong Gateway FIPS 3.1, key-auth-enc uses SHA1 to speed up lookup of a key in DB. As of Kong Gateway FIPS 3.2, SHA1 support is “read-only”, meaning existing credentials in DB are still validated, but any new credentials will be hashed in SHA256.

Important: If you are migrating from Kong Gateway 3.1 to 3.2 in FIPS mode and are using the key-auth-enc plugin, you should send PATCH or POST requests to all existing key-auth-enc credentials to re-hash them in SHA256.

Non-cryptographic usage of cryptographic algorithms

FIPS only defines the approved algorithms to use for each specific purpose, so FIPS policy doesn’t explicitly restrict the usage of cryptographic algorithms to only cases where they are necessary.

For example, using SHA256 as the message digest algorithm is approved while using MD5 is not. But that doesn’t mean MD5 can’t exist in the application at all. For example, the FIPS 140-2 approved BoringSSL version allows MD5 when it’s used with the TLS protocol version 1.0 and 1.1.

The following table explains where cryptographic algorithms are used for non-cryptographic purposes in Kong Gateway:

Component Normal mode FIPS mode Notes
core/balancer xxhash32 xxhash32 Use to generate a unique identifier.
core/balancer crc32 crc32 crc32 isn’t message digest.
core/uuid Lua random number generator Lua random number generator The RNG isn’t used for cryptographic purposes.
core/declarative_config/uuid UUIDv5 (namespaced SHA1) UUIDv5 (namespaced SHA1) Used to generate a unique identifier.
core/declarative_config/config_hash and core/hybrid/hashes MD5 MD5 Used to generate a unique identifier.

SSL client

FIPS 140-2 only mentioned SSL server, which is already supported in Kong Gateway FIPS 3.0. FIPS specification isn’t designated for SSL clients, so there isn’t specific handling of these in Kong Gateway.

This includes:

  • Using Lua to talk in HTTPS and PostgreSQL SSL
  • Using Lua to talk in HTTPS, PostgreSQL SSL, and Cassandra SSL

  • Using an upstream that proxies in HTTPS
Thank you for your feedback.
Was this page useful?
Too much on your plate? close cta icon
More features, less infrastructure with Kong Konnect. 1M requests per month for free.
Try it for Free
  • Kong
    THE CLOUD CONNECTIVITY COMPANY

    Kong powers reliable digital connections across APIs, hybrid and multi-cloud environments.

    • Company
    • Customers
    • Events
    • Investors
    • Careers Hiring!
    • Partners
    • Press
    • Contact
  • Products
    • Kong Konnect
    • Kong Gateway
    • Kong Mesh
    • Get Started
    • Pricing
  • Resources
    • eBooks
    • Webinars
    • Briefs
    • Blog
    • API Gateway
    • Microservices
  • Open Source
    • Install Kong Gateway
    • Kong Community
    • Kubernetes Ingress
    • Kuma
    • Insomnia
  • Solutions
    • Decentralize
    • Secure & Govern
    • Create a Dev Platform
    • API Gateway
    • Kubernetes
    • Service Mesh
Star
  • Terms•Privacy
© Kong Inc. 2023