[openssl-users] FIPS: Which DRBG ?
jonetsu at teksavvy.com
Tue Mar 24 13:53:22 UTC 2015
> From: "Steve Marquess" <marquess at openssl.com>
> Date: 03/24/15 09:22
> At the time that validation was obtained the four (at the time) DRBGs
> were specified by SP800-90. That document was subsequently reissued in
> several pieces; the current SP800-90A now contains the specifications
> for the three surviving DRBGs (the fatally tainted Dual EC DRBG having
> been removed from the formal standards and also from the OpenSSL FIPS
> Object Module).
If it concerns only the removal of the Dual EC, then it should be OK, technically.
Not on paper.
> Now the code for the OpenSSL FIPS module can no longer be used as-is for
> new "private label" or copycat validations, but that's for different
> reasons and not because of the DRBGs.
I've read the User Guide bit on private label validations. In the case of a product that consists of a dedicated unit, what would be the best approach ? So far I have considered using the OpenSSL FIPS module as is, in the hope that its FIPS validation would save costs at the testing lab. Is this still feasible ?
More information about the openssl-users