[openssl-users] FIPS mode restrictions and DES
marquess at openssl.com
Tue Apr 14 13:29:50 UTC 2015
On 04/13/2015 01:30 PM, Jakob Bohm wrote:
>> With the very unique exception of the OpenSSL FIPS Object Module, there
>> are no FIPS 140-2 validated cryptographic modules that can be obtained
>> in source form and compiled by the end user. The fact that Red Hat (or
>> whomever) has taken open source code and obtained a FIPS 140-2
>> validation of binaries generated from that code does you no good unless
>> you have those specific binaries, which is to say you're a commercial
>> customer paying for a commercial license from that vendor.
>> Then, even for the OpenSSL FIPS module the validation imposes some
>> pretty perverse constraints (from the usual software engineering
>> perspective). You have to start with a snail-mailed CD, you have to
>> build the binary module in a very special way that will conflict with
>> whatever configuration management you use, etc.; you have to treat it
>> differently that all the other software components of your product. FIPS
>> 140-2 is the tail that wags the dog.
>> -Steve M.
> Of cause.
> One point is that if this is a delivery for someone
> subject to the FIPS-only procurementrequirement
> imposed on various US Government related entities,
> then whatever OS theyuse, MUST (by that requirement)
> have already passed this for its password handling.
This is *technically* true, in the narrow sense that supposedly any OS
used in DoD should be CC certified and so forth. Should not must.
In practice it is very common -- at FIPS 140-2 Level 1 -- for software
*products* to use FIPS 140-2 validated crypto on non-certified,
non-validated operating systems. Just take a look at Table 2 in the
OpenSSL FIPS Object Module Security Policy:
and note that of the 101 platforms ("OEs") appearing there, most of
those operating systems are neither CC certified nor have any other FIPS
140-2 validated crypto. Keep in mind that at Level 1 the validation
applies to the cryptographic module, not the calling application that
uses that module nor the operating system that runs it.
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
More information about the openssl-users