[openssl-users] FIPS Performance Question

Steve Marquess marquess at openssl.com
Tue Mar 8 14:16:50 UTC 2016

On 03/07/2016 07:58 PM, James M Takahashi wrote:
> _https://www.openssl.org/docs/fipsnotes.html_ mentions the following:
> As a result of the POST performance issue we revisited the KAT (Known
> Answer Test) requirements in the POST process that were burning up most
> of those cycle. In consultation with a CMVP test lab we determined that
> it should be possible to substantially reduce that performance penalty
> in a new validation.
> Can you please elaborate a bit on what this means?
> Thanks in advance for any light you can shed.

The answer to that mostly concerns the historical origins of the OpenSSL
FIPS Object Module. The text you are quoting dates from the time we were
beginning work on the most recent module (which is now confusingly
covered by three validations, #1747, #2398, #2473).

As the only source code based module -- one distributed in source code
form -- and available under a no-cost open source license no less, these
validations have been subjected to an extraordinary amount of scrutiny.

Many of the FIPS 140-2 requirements are less than crystal clear, at
least from the outsider perspective of the software engineer. So in
coding the initial versions of the OpenSSL FIPS module we tried to be
conservative in satisfying the POST requirements as we understood them.
For instance, we checked multiple variations of different algorithms for
the KATs.

The resulting performance hit was substantial on low powered hardware;
as bad as tens of seconds for some embedded systems. So for the #1747
validation we took a close look, in consultation with the accredited
test lab, at what we could do to minimize that performance penalty. The
conclusion was that we could safely streamline or eliminate many of the
KATs. That conclusion was confirmed by the CMVP when they approved the
#1747 validation[1].

The POST performance penalty for the current OpenSSL FIPS module is now
tolerably low on all but the most severely underpowered hardware.

Note that the POST is also optional, in that an application that is
using the "FIPS capable" OpenSSL (OpenSSL proper built with the "fips"
buildtime option in the presence of a FIPS module) incurs no POST
performance penalty at all until FIPS mode is enabled by the calling
application via FIPS_mode_set().

However, the requirements were changed after the #1747 (et. al.)
validation(s) were awarded (I.G. 9.10) so that new modules are now
forced to execute the POST unconditionally, even if FIPS mode isn't
desired. It's my understanding that the upcoming FIPS 140-4 again
permits a conditional POST, though.

-Steve M.

[1] Note it can be difficult to get specific answers to hypothetical
questions from the CMVP. Test labs may say "well, we're not sure", or
different labs may give diametrically different answers. Sometimes the
best way to answer such questions is to submit a formal validation
action to elicit a definitive response.

Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list