[openssl-users] FIPS mode restrictions and DES

Steve Marquess marquess at openssl.com
Tue Apr 14 13:49:02 UTC 2015

On 04/14/2015 09:42 AM, jonetsu wrote:
>> From: "Steve Marquess" <marquess at openssl.com> Date: 04/14/15 09:31
>> and note that of the 101 platforms ("OEs") appearing there, most
>> of those operating systems are neither CC certified nor have any
>> other FIPS 140-2 validated crypto. Keep in mind that at Level 1 the
>> validation applies to the cryptographic module, not the calling
>> application that uses that module nor the operating system that
>> runs it.
> I came across a Red Hat Security Policy document that clearly puts
> the XFRM out of the Security Policy domain.  See section 1.1.2, page
> 8, in:
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1386.pdf
>  This blurs the concept of FIPS validation.  Looks more and more that
> the validation will only care about what is being declared as going
> for validation.  In this case (policy might have changed since 2010)
> they simply say that no, we do not declare the crypto done via XFRM
> as part of the Security Policy.  And the FIPS lab says, OK, fine.
> Hmmm....

No, it doesn't blur anything. That is a Level 1 validation. At Level 1
only the "cryptographic module" is within scope of the FIPS 140-2
validation. The "cryptographic module" is a concept that is rather
precisely defined in that context. You often hear the term "boundary" in
reference to cryptographic modules.

The operating system, and any crypto it may contain, is out of scope ==
outside the boundary. The calling application(s), and any other crypto
it may contain, is out of scope. Any other applications residing on the
same system, and any crypto they may contain, are out of scope.

The Level 1 validation covers *only* the specific "cryptographic module".

-Steve M.

Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list