[openssl-users] Attack of the FIPS 140-2 Clones

Steve Marquess marquess at openssl.com
Tue May 10 14:47:13 UTC 2016


If you neither know nor care what FIPS 140-2 is, count yourself lucky
and move on (even if you're a Star Wars fan; this isn't nearly as
entertaining).

The "Alternative Scenario 1A/1B" aka "clone" aka "rebrand" validations
have been an endless source of confusion, even for the accredited test
labs and the CMVP. The one bright spot is that these clone validations
indirectly expand the number of formally tested platforms ("Operational
Environments" in FIPS-speak) available to all OpenSSL FIPS Object Module
users.

I've added a new section, 2.10, to the OpenSSL FIPS User Guide that
summarizes this set of platforms:

  https://www.openssl.org/docs/fips/UserGuide-2.0.pdf

As of today there are nine such clone validations, in addition to the
ancestral #1747 validation all are derived from. Collectively they cover
178 unique platforms which are listed in alphabetical order in table 2.10b.

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

