[openssl-users] FIPS Non?-Approved Cryptographic Functions

Mark Minnoch mark at fips.pro
Wed Mar 14 22:17:04 UTC 2018 

> From the OpenSSL FIPS Security Policy chapter 4, it mentioned there are a
> number of non-FIPS approved algorithms/ services which are still
> implemented by the FIPS canister modules (e.g. RSA, DSA, DRDB, ECDSA etc).
>
> Just wondering why these algorithms are still implemented by FIPS
Canister.
>
> The concern is, if these algorithms could still be used under FIPS mode,
> there is risk that the applications which use the FIPS canister modules
may
> become non-FIPS compliant if these algorithms are used by mistake.

You are correct. It is possible for an application to use the OpenSSL FOM
in a non-approved way by calling a non-approved service listed in Table 4c
of the OpenSSL FOM Security Policy. I'm sure it was easier for the OpenSSL
team to make documentation changes (rather than making coding changes and
performing additional FIPS testing) to maintain the validity of the FIPS
certificate when the SP 800-131A transitions were enforced.

A coding change to the FIPS canister would require review by the FIPS
Laboratory. If any of the updates were found to be security relevant (from
a FIPS perspective), then a FIPS revalidation effort involving additional
testing would be required. As you know, there are many, many, many "Tested
Configurations" (operating systems+hardware platforms) listed for the
OpenSSL FOM certificates. A revalidation would result in a new OpenSSL FOM
FIPS certificate and all of the previously tested configurations (that
people care about) would need to be retested. Yikes.

Here is some background for those interested...
At the time of the original OpenSSL FOM validation, FIPS 140-2 allowed the
use of an ANS X9.31 RNG. Digital signature functions could be performed
using key sizes that provided an equivalent strength of 80 bits or greater.
With the transition timelines documented in SP 800-131A, FIPS modules today
must use only SP 800-90A DRBGs (for key generation) and >= 112 bits of
equivalent strength for digital signature functions (although digital
signature verification may be performed at previously allowed key sizes for
legacy purposes). The services provided by the OpenSSL FOM that do not meet
current SP 800-131A requirements are now listed as non-approved services in
Table 4c of the OpenSSL FOM Security Policy.

Mark J. Minnoch
Co-Founder, CISSP, CISA
KeyPair Consulting
+1 (805) 550-3231 mobile
https://KeyPair.us
https://www.linkedin.com/in/minnoch

*We expertly guide technology companies in achieving their FIPS 140 goals*

*New blog post: You Have Your FIPS Certificate. Now What?
<https://keypair.us/2018/03/you-have-your-fips-certificate-now-what/>*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180314/5b26de3a/attachment.html>

More information about the openssl-users mailing list