[openssl-users] CAVP protocol testing - what does it really consist of ?

jonetsu jonetsu at teksavvy.com
Wed Oct 21 19:22:51 UTC 2015

> From: "Steve Marquess" <marquess at openssl.com> 
> Date: 10/21/15 14:18 
> See Appendix B of the OpenSSL FIPS User Guide:

>   https://openssl.org/docs/fips/UserGuide-2.0.pdf


> The specific algorithm tests have changed quite a bit since then
> (constant change is part of the fun), but the general concept is the
> same. The algorithm testing is the easiest part of FIPS 140-2 validations.

What would you consider being the difficult parts ?

> Note the CAVP only tests specific cryptographic algorithms, not
> cryptographic protocol suites like SSH (secsh). OpenSSH itself is just
> application code from the perspective of FIPS 140-2 and thus out of
> scope ...

It has to do with NDcPP 1.0 I think.  Key agreement schemes and key derivation functions 
for several security-related communications protocols (SNMP, TLS, SSH, etc.) 
must now be tested as part of the algorithm test process.  

More information about the openssl-users mailing list