[openssl-users] FIPS: Which DRBG ?

jonetsu jonetsu at teksavvy.com
Tue Mar 24 13:53:22 UTC 2015

> From: "Steve Marquess" <marquess at openssl.com> 
> Date: 03/24/15 09:22 

> At the time that validation was obtained the four (at the time) DRBGs
> were specified by SP800-90. That document was subsequently reissued in
> several pieces; the current SP800-90A now contains the specifications
> for the three surviving DRBGs (the fatally tainted Dual EC DRBG having
> been removed from the formal standards and also from the OpenSSL FIPS
> Object Module).

If it concerns only the removal of the Dual EC, then it should be OK, technically.   
Not on paper.
> Now the code for the OpenSSL FIPS module can no longer be used as-is for
> new "private label" or copycat validations, but that's for different
> reasons and not because of the DRBGs.

I've read the User Guide bit on private label validations.  In the case of a product that consists of a dedicated unit, what would be the best approach ?  So far I have considered using the OpenSSL FIPS module as is, in the hope that its FIPS validation would save costs at the testing lab.  Is this still feasible ?


More information about the openssl-users mailing list