[openssl-users] FIPS 140-2 library

Marcos Bontempo marcosbontempo at hotmail.com
Sat Dec 19 14:23:21 UTC 2015


Thanks for the help! I really have misconceptions about FIPS 140-2. I was instructed to compile and install this module: http://openssl.com/fips/. But I cannot understand how I can use it. Can you explain its functionalities? Sorry for the dumb questions.

> To: openssl-users at openssl.org
> From: marquess at openssl.com
> Date: Sat, 19 Dec 2015 08:56:22 -0500
> Subject: Re: [openssl-users] FIPS 140-2 library
> 
> On 12/19/2015 08:28 AM, Marcos Bontempo wrote:
> > I want to exclude the private key if there is an attempted violation.
> > Does FIPS have this functionality?
> 
> I think you have some misconceptions about what FIPS 140-2 is and isn't.
> It is "magical pixie dust", not a technique or some specific type of
> functionality.
> 
> FIPS 140-2 validation is a paper intensive formal process by which
> specific implementations (software and/or devices) are given an official
> government blessing (the "pixie dust").
> 
> FIPS 140-2 validated products are *not* more secure or better, by any
> real-world metric, than equivalent non-validated products. In fact they
> are rather manifestly *less* secure, in the sense of resistance to
> malicious or accidental compromise. You can't do anything with FIPS
> 140-2 validated products you can do without, except for the entirely
> non-technical objective of satisfying formal policy requirements.
> 
> So if you aren't forced to use validated products, just ask "how can I
> do X securely" and leave FIPS 140-2 out of it. If you do need validated
> products, then that requirement drives and constrains your choices and
> real-world security is a secondary consideration, instead you must ask
> "is there a validated product available that will allow X"? You can't
> code your way to FIPS 140-2 validated status, you have to find and use
> something that is already validated.
> 
> -Steve M.
> 
> -- 
> Steve Marquess
> OpenSSL Software Foundation
> 1829 Mount Ephraim Road
> Adamstown, MD  21710
> USA
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> marquess at openssl.com
> gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc