[openssl-users] FIPS: Which DRBG ?

Steve Marquess marquess at openssl.com
Tue Mar 24 13:20:38 UTC 2015

On 03/23/2015 02:36 PM, xxiao8 wrote:
> The key issue still remains, are the validated SP800-90 DRBGs the _same_
> as SP800-90A's DRBGs? If yes then we can probably use Openssl-FIPS with
> SP800-90A, otherwise OpenSSL-FIPS 2.0.9 probably can no longer be used
> for any new validations?

At the time that validation was obtained the four (at the time) DRBGs
were specified by SP800-90. That document was subsequently reissued in
several pieces; the current SP800-90A now contains the specifications
for the three surviving DRBGs (the fatally tainted Dual EC DRBG having
been removed from the formal standards and also from the OpenSSL FIPS
Object Module).

Now the code for the OpenSSL FIPS module can no longer be used as-is for
new "private label" or copycat validations, but that's for different
reasons and not because of the DRBGs.

-Steve M.

Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list