Currently, Tink is not FIPS 140-2 validated itself. However, it supports several FIPS 140-2 approved algorithms, and the underlying implementations can utilize validated cryptographic modules like BoringSSL's BoringCrypto. Tink includes a WORKSPACE for building BoringSSL in FIPS mode.
The following algorithms in Tink are approved according to FIPS 140-2:
Authenticated Encryption
MAC
Digital Signatures
If you are required to use FIPS 140-2 approved algorithms and validated implementations, then you can build Tink in FIPS-only mode. This restricts usage to approved algorithms and checks that Tink is utilizing a validated cryptographic module.
Specifically, this changes the behavior of Tink in the following ways:
- Register() functions will only register algorithms which have a FIPS validated implementation. This means that you will only be able to use Keysets for algorithms which use a validated cryptographic module.
- Tink will return an INTERNAL error when the validated cryptographic module is not available.
- Use of algorithms in subtle/ will be restricted to algorithms which utilize a validated cryptographic module.
Currently this is only supported in the C++ version of Tink.
If you are not building Tink in FIPS-only mode, it will still utilize validated implementations for some algorithms but will not restrict the usage of other algorithms.
Tink uses BoringCrypto in C++ to provide access to a validated cryptographic module. Note that this means that the following algorithms are not available, as they have not been validated:
In order to build Tink in FIPS-only mode, you can simply set a flag at compile time:
bazel build ... --define=use_only_fips=on
If you want to check at runtime whether Tink has been built in FIPS-only mode, you can include the header config/tink_fips.h, which provides the constant kUseOnlyFips.
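The following is an added, self-contained C++ model of the two behaviors described on this page (the Register()/INTERNAL-error gating of FIPS-only mode, and the compile-time kUseOnlyFips constant that code can check at runtime). It is not Tink's code and does not use Tink's API: the Status type, Registry class, Probe/RegisteredCount helpers and the algorithm catalogue are stand-ins, the catalogue entries are constructed sample data, and the EXAMPLE_USE_ONLY_FIPS macro is an assumed stand-in for what the bazel --define=use_only_fips=on build does.

```cpp
// Self-contained model of Tink's FIPS-only gating. Not Tink's code: Status,
// Registry and the catalogue are stand-ins that mirror the documented behavior.
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Compile-time flag in the style of config/tink_fips.h. EXAMPLE_USE_ONLY_FIPS
// is an assumed macro for this example, standing in for --define=use_only_fips=on.
#ifdef EXAMPLE_USE_ONLY_FIPS
constexpr bool kUseOnlyFips = true;
#else
constexpr bool kUseOnlyFips = false;
#endif

enum class StatusCode { kOk, kNotFound, kInternal };

struct Status {
  StatusCode code;
  std::string message;
  bool ok() const { return code == StatusCode::kOk; }
};

// What the registry needs to know about an algorithm's implementation.
struct AlgorithmInfo {
  std::string name;
  bool validated_impl;  // backed by a validated module such as BoringCrypto
};

// Constructed sample catalogue. Which algorithms really sit inside a validated
// boundary is decided by the module's certificate, not by this table.
const std::vector<AlgorithmInfo> kCatalogue = {
    {"AES-GCM", true},
    {"HMAC-SHA256", true},
    {"ECDSA-P256", true},
    {"Ed25519", false},
};

class Registry {
 public:
  Registry(bool use_only_fips, bool module_available)
      : use_only_fips_(use_only_fips), module_available_(module_available) {}

  // Register() as documented: in FIPS-only mode, algorithms without a validated
  // implementation are skipped, and the call fails with INTERNAL when the
  // validated module itself is unavailable.
  Status Register(const std::vector<AlgorithmInfo>& catalogue) {
    if (use_only_fips_ && !module_available_) {
      return {StatusCode::kInternal,
              "FIPS-only mode but the validated cryptographic module is not available"};
    }
    for (const AlgorithmInfo& algo : catalogue) {
      if (use_only_fips_ && !algo.validated_impl) continue;  // not registered
      registered_[algo.name] = algo;
    }
    return {StatusCode::kOk, ""};
  }

  // Stand-in for obtaining a primitive from a keyset: a keyset whose algorithm
  // was never registered cannot be used.
  Status GetPrimitive(const std::string& name) const {
    if (use_only_fips_ && !module_available_) {
      return {StatusCode::kInternal, "validated cryptographic module is not available"};
    }
    if (registered_.count(name) == 0) {
      return {StatusCode::kNotFound, "no registered implementation for " + name};
    }
    return {StatusCode::kOk, ""};
  }

  std::vector<std::string> RegisteredNames() const {
    std::vector<std::string> names;
    for (const auto& entry : registered_) names.push_back(entry.first);
    return names;
  }

 private:
  bool use_only_fips_;
  bool module_available_;
  std::map<std::string, AlgorithmInfo> registered_;
};

// Helper (assumed, for illustration): register the sample catalogue in the given
// mode, then ask for one algorithm the way application code would.
Status Probe(bool use_only_fips, bool module_available, const std::string& name) {
  Registry registry(use_only_fips, module_available);
  Status st = registry.Register(kCatalogue);
  if (!st.ok()) return st;
  return registry.GetPrimitive(name);
}

// Helper (assumed): how many catalogue entries end up registered in the given mode.
size_t RegisteredCount(bool use_only_fips, bool module_available) {
  Registry registry(use_only_fips, module_available);
  registry.Register(kCatalogue);
  return registry.RegisteredNames().size();
}

int main() {
  // Runtime check of the compile-time mode, as the page describes for kUseOnlyFips.
  std::cout << "FIPS-only build: " << (kUseOnlyFips ? "yes" : "no") << "\n";
  for (const AlgorithmInfo& algo : kCatalogue) {
    Status s = Probe(kUseOnlyFips, /*module_available=*/true, algo.name);
    std::cout << algo.name << ": " << (s.ok() ? "available" : s.message) << "\n";
  }
  return 0;
}
```

Compiling once without and once with -DEXAMPLE_USE_ONLY_FIPS shows the difference the page describes: in the plain build every catalogue entry is available, while in the FIPS-only build the entry without a validated implementation is never registered and a later request for it fails with NOT_FOUND; if the validated module is absent, Register() itself fails with INTERNAL rather than silently falling back to non-validated code.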