[openssl-users] FIPS mode restrictions and DES

jonetsu jonetsu at teksavvy.com
Tue Apr 14 13:42:17 UTC 2015



> From: "Steve Marquess" <marquess at openssl.com> 
> Date: 04/14/15 09:31 

> and note that of the 101 platforms ("OEs") appearing there, most of
> those operating systems are neither CC certified nor have any other FIPS
> 140-2 validated crypto. Keep in mind that at Level 1 the validation
> applies to the cryptographic module, not the calling application that
> uses that module nor the operating system that runs it.

I came across a Red Hat Security Policy document that clearly puts the XFRM out of the Security Policy domain.  See section 1.1.2, page 8, in:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1386.pdf

This blurs the concept of FIPS validation.  Looks more and more that the validation will only care about what is being declared as going for validation.  In this case (policy might have changed since 2010) they simply say that no, we do not declare the crypto done via XFRM as part of the Security Policy.  And the FIPS lab says, OK, fine.  Hmmm....

Regards.





More information about the openssl-users mailing list