[openssl-users] CAVP protocol testing - what does it really consist of ?
Steve Marquess
marquess at openssl.com
Wed Oct 21 18:18:02 UTC 2015
On 10/21/2015 12:02 PM, jonetsu wrote:
>
> Hello,
>
>
> Sorry if this is a bit beside OpenSSL per se, the idea behind this
> post is to perhaps have some information from the OpenSSL experience
> with FIPS validation. There was so much effort put into FIPS
> compliance that it would not be far-fetched to consider that there is
> also knowledge about what seems to be /protocol/ testing.
>
>
> I would like to know what's involved in the CAVP testing of the SSH
> protocol. I browsed the NIST CAVP web site, browsed some documents,
> although I haven't found any satisfying, technically-oriented,
> document on what has to be done if say, I have an editor opened with
> the SSH source code. Not the fully gruesome details, but an overview
> of how such testing works.
See Appendix B of the OpenSSL FIPS User Guide:

https://openssl.org/docs/fips/UserGuide-2.0.pdf

The specific algorithm tests have changed quite a bit since then
(constant change is part of the fun), but the general concept is the
same. The algorithm testing is the easiest part of FIPS 140-2 validations.

Note the CAVP only tests specific cryptographic algorithms, not
cryptographic protocol suites like SSH (secsh). OpenSSH itself is just
application code from the perspective of FIPS 140-2 and thus out of
scope (as is OpenSSL; the OpenSSL FIPS Object Module is a separate
software component carefully crafted to satisfy the peculiar
restrictions and requirements of FIPS 140-2).

Also note that converting stock OpenSSH to exclusive use of FIPS
validated cryptography is a non-trivial exercise.

-Steve M.
--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc