[openssl-users] SP800-90 DRBG in OpenSSL FIPS 140 for SP800-90A?

Steve Marquess marquess at openssl.com
Sun Mar 22 19:50:23 UTC 2015

On 03/21/2015 02:48 PM, xxiao8 wrote:
> At the moment OpenSSL FIPS validation supports ANSI X9.31 with AES128
> for RNG, however it will be outdated in 2015.
> Another alternative RNG in OpenSSL FIPS is SP800-90 DRBG, however the
> new requirement is to use DRBG per SP800-90A.
> Are the DRBGs in SP800-90/OpenSSL-FIPS-2.0.9 the same as what SP800-90A
> requires? Otherwise how can OpenSSL 2.0 FIPS be used in any new
> validations?

The OpenSSL FIPS Object Module implements all three extant DRBGs (Dual
EC DRBG has been removed). The DRBGs are noted in the Security Policy


which is worth referencing for any "does the OpenSSL FIPS Object Module
have X" questions.

-Steve M.

Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
