[openssl-users] FIPS 140-2 X9.31 RNG transition partially done

Steve Marquess marquess at openssl.com
Tue Jan 26 14:07:06 UTC 2016


If you don't know or care what FIPS 140-2 is then bail out now. Here be
dragons.

The CMVP has approved the mandated "X9.31 RNG transition"[1] update for
two-thirds of the OpenSSL FIPS Object Module v2.0. That "transition"
consists of editorial changes to the Security Policy document(s) and did
not involve any changes to the OpenSSL FIPS module software.

That module is, for perversely confusing reasons[2], covered by three
nominally separate but very similar validations, #1747, #2398, and
#2473. Those three validations collectively cover all the formally
tested platforms for this OpenSSL FIPS module.

As of yesterday our submissions for the #1747 and #2473 validations were
approved and posted on the NIST CMVP web site. Those validations will
thus presumably be spared the promised fate of de-listing to "not to be
used" status on January 31.

The documentation for the remaining validation, #2398, was submitted at
the same time but is still pending. That delay will only be significant
for users of the OpenSSL FIPS module on platforms listed only for the
#2398 module.

-Steve M.

[1] http://csrc.nist.gov/groups/STM/cmvp/notices.html, see the section
labeled "X9.31 RNG transition, December 31, 2015".

[2] Details for masochists only: http://openssl.com/fips/ransom.html

-- 
Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc


More information about the openssl-users mailing list