[openssl-users] FIPS 140-2 library

Steve Marquess marquess at openssl.com
Sat Dec 19 13:56:22 UTC 2015


On 12/19/2015 08:28 AM, Marcos Bontempo wrote:
> I want to exclude the private key if there is an attempted violation.
> Has FIPS this functionality?

I think you have some misconceptions about what FIPS 140-2 is and isn't.
It is "magical pixie dust", not a technique or some specific type of
functionality.

FIPS 140-2 validation is a paper-intensive formal process by which
specific implementations (software and/or devices) are given an official
government blessing (the "pixie dust").

FIPS 140-2 validated products are *not* more secure or better, by any
real-world metric, than equivalent non-validated products. In fact they
are rather manifestly *less* secure, in the sense of resistance to
malicious or accidental compromise. You can't do anything with FIPS
140-2 validated products you can do without, except for the entirely
non-technical objective of satisfying formal policy requirements.

So if you aren't forced to use validated products, just ask "how can I
do X securely" and leave FIPS 140-2 out of it. If you do need validated
products, then that requirement drives and constrains your choices and
real-world security is a secondary consideration; instead you must ask
"is there a validated product available that will allow X"? You can't
code your way to FIPS 140-2 validated status, you have to find and use
something that is already validated.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

