[openssl-users] FIPS 140-2 on iOS

Sec_Aficionado secaficionado at gmail.com
Wed Apr 29 14:30:23 UTC 2015


This is an excellent explanation in plain English. Thank you!

> On Apr 28, 2015, at 4:31 PM, Steve Marquess <marquess at openssl.com> wrote:
> 
>> On 04/28/2015 03:44 PM, Sec_Aficionado wrote:
>> Hi there,
>> 
>> Total n00b question here. I recently ran across a question on an iOS
>> forum where someone was building an app with FIPS 140-2 compliant
>> communications.
> 
> Note there really is no such thing as "FIPS 140-2 compliant" (though you
> see that term bandied around a lot and I'm guilty of doing so myself).
> 
> The term of interest is "FIPS 140-2 validated" (n.b.: that's "validated"
> not "certified").
> 
>> Now, from reading here (mailing lists) about FIPS certification, it
>> involves both the bits and the platform. So it would not be possible
>> to create an app that is compliant on a platform that hasn't been
>> certified. Is that a correct assumption? Or can I build a compliant
>> app with just certified libraries?
> 
> A Level 1 FIPS 140-2 validation (Level 1 being the most common and the
> "easiest") applies to a thing called a "cryptographic module" in the
> context of one or more "OEs" or "Operational Environments" (loosely
> speaking, "platforms"). Note that at Level 1 products are not validated,
> operating systems are not validated, only "cryptographic modules" are
> validated.
> 
> Translated from FIPSspeak, for a software "module" that means a very
> specific chunk of executable code running on a specific platform
> (operating system and OS version and processor "architecture"). Move
> that same code to another platform and it is no longer validated; the
> validation is relative to the OEs or platforms.
> 
> The only valid reason to use a FIPS 140-2 validated module is that you
> must in order to sell your cryptography-using product to the USG or DoD.
> For that market you (typically, if the procurement officer is paying
> attention) have to use a validated cryptographic module on one of the
> OEs specifically listed for that module validation.
> 
> So for a software product there is no such thing as validation of the
> product independent of the platform (OE) it runs on.
> 
> A partial exception to that rule is "user affirmation" per I.G. G.5, but
> while technically a legitimate means of satisfying FIPS 140-2 validation
> requirements that has limited practical value in the USG/DoD market.
> 
> Note I'm only discussing Level 1 validations here; Levels 2 and up are
> different.
> 
> -Steve M.
> 
> -- 
> Steve Marquess
> OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD  21710
> USA
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> marquess at opensslfoundation.com
> marquess at openssl.com
> gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
