[openssl-users] FIPS: Which DRBG ?

xxiao8 xxiao8 at fosiao.com
Mon Mar 23 18:36:53 UTC 2015

The key issue still remains, are the validated SP800-90 DRBGs the _same_ 
as SP800-90A's DRBGs? If yes then we can probably use Openssl-FIPS with 
SP800-90A, otherwise OpenSSL-FIPS 2.0.9 probably can no longer be used 
for any new validations?


For the second question any DRBG that are approved in FIPS SP 800-90A are
approved for any application. You can chose over tha Hash, HMAC or CTR DRBG

Best regards

Q Gouchet
Le 23 mars 2015 09:38, "jonetsu" <jonetsu at teksavvy.com> a écrit :

 > Hello,
 > Following on the 'SP800-90 DRBG in OpenSSL FIPS 140 for SP800-90A?' 
 > the OpenSSL source code does not seem to mention SP 800-90A.  Only SP
 > 800-90.  So the certifications were made for SP 800-90, is that right ?
 > Also, does it depend on the application to choose which DRBG and 
 > for regular FIPS uses, does it matter which DRBG is used since they 
are all
 > approved ?
 > One more question: is there a way for us to actually know/test which one
 > id used by an application ?  I currently am using a
 > FIPS_post_set_callback() placed in FIPS_mode_set() - can this be 
useful to
 > identify which DRBG is used ?  Maybe FIPS_drbg_set_callbacks() could be
 > more useful ?
 > Regards.

More information about the openssl-users mailing list