[openssl-users] FIPS 140-2 key wrapping transition

Zeke Evans Zeke.Evans at microfocus.com
Thu Mar 1 23:28:09 UTC 2018


I am trying to understand how validation #1747 is affected by the key wrapping transition.  As far as I can tell, the FIPS module does not contain a key wrapping algorithm per se but only provides approved methods that a key wrapping algorithm could use.

Does FIPS 2.0 contain approved methods in order to implement a key wrapping algorithm compliant with SP 800-38F?  Is FIPS_evp_des_ede3_cbc not sufficient?

If not, why would the absence of that push validation #1747 to the Historical list?  I am not seeing a claim the key wrapping is covered in validation #1747 or any code inside the module that implements something that is now deprecated.

Is it at all possible to implement a compliant key wrapping method in the FIPS capable code using approved methods?  I realize if this was possible it probably would have been done already.  I am just hoping to understand the issues surrounding this.

Thanks for your help!

Zeke Evans
Senior Software Engineer
Micro Focus


From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Salz, Rich via openssl-users
Sent: Friday, February 02, 2018 5:26 PM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] FIPS 140-2 key wrapping transition

The OpenSSL FIPS Validation #1747 is affected by the key wrapping transition and will therefore be moved to Historical at some point.

As we’ve said, FIPS will be the focus of our next feature release after 1.1.1 (TLS 1.3).
