[openssl-users] FIPS: Which DRBG ?

jonetsu jonetsu at teksavvy.com
Tue Mar 24 17:27:55 UTC 2015

> From: "Steve Marquess" <marquess at openssl.com> 
> Date: 03/24/15 12:38 

> No, the OpenSSL FIPS module 2.0 code is no longer suitable (as of early
> 2014) for use as-is in doing copycat validations. Some non-trivial code
> hacks will be necessary.
> We'll do a new open source based validation to succeed the 2.0 FIPS
> module (#1747 validation) at the first opportunity, but that opportunity
> has not yet presented itself.

I still do not know that much about the validation in practical terms. If our units go through validation, can this benefit OpenSSL?

Also, to go back to SP 800-90 vs. SP 800-90A regarding the DRBGs, do you know how the OpenSSL SP 800-90 validation would fare in a FIPS testing lab, since the Dual EC was removed and the other three were not touched?

