[openssl-users] FIPS 140-2 on iOS

Steve Marquess marquess at openssl.com
Tue Apr 28 20:31:41 UTC 2015 

On 04/28/2015 03:44 PM, Sec_Aficionado wrote:
> Hi there,
> 
> Total n00b question here. I recently ran across a question on an iOS
> forum where someone was building an app with FIPS 140-2 compliant
> communications.

Note there really is no such thing as "FIPS 140-2 compliant" (though you
see that terms bandied around a lot and I'm guilty of doing so myself).

The term of interest is "FISP 140-2 validated" (n.b.: that's "validated"
not "certified").

> Now, from reading here (mailing lists) about FIPS certification, it
> involves both the bits and the platform. So it would not be possible
> to create an app that is compliant on a platform that hasn't been
> certified. Is that a correct assumption? Or can I build a compliant
> app with just certified libraries?

A Level 1 FIPS 140-2 validation (Level 1 being the most common and the
"easiest") applies to a thing called a "cryptographic module" in the
context of one of more "OEs" or "Operational Environments" (loosely
speaking, "platforms"). Note at Level 1 products are not validated,
operating systems are not validated, only "cryptographic modules" are
validated.

Translated from FIPSspeak, for a software "module" that means a very
specific chunk of executable code running on a specific platform
(operating system and OS version and processor "architecture"). Move
that same code to another platform and it is no longer validated; the
validation is relative to the OEs or platforms.

The only valid reason to use a FIPS 140-2 validated module is that you
must in order to sell your cryptography-using product to the USG or DoD.
For that market you (typically, if the procurement officer is paying
attention) have to use a validated cryptographic module on one of the
OEs specifically listed for that module validation.

So for a software product there is no such thing as validation of the
product independent of the platform (OE) it runs on.

A partial exception to that rule is "user affirmation" per I.G. G.5, but
while technically a legitimate means of satisfying FISP 140-2 validation
requirements that has limited practical value in the USG/DoD market.

Note I'm only discussing Level 1 validations here; Levels 2 and up are
different.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list