On 04/13/2015 01:30 PM, Jakob Bohm wrote: > .. >> >> With the very unique exception of the OpenSSL FIPS Object Module, there >> are no FIPS 140-2 validated cryptographic modules that can be obtained >> in source form and compiled by the end user. The fact that Red Hat (or >> whomever) has taken open source code and obtained a FIPS 140-2 >> validation of binaries generated from that code does you no good unless >> you have those specific binaries, which is to say you're a commercial >> customer paying for a commercial license from that vendor. >> >> Then, even for the OpenSSL FIPS module the validation imposes some >> pretty perverse constraints (from the usual software engineering >> perspective). You have to start with a snail-mailed CD, you have to >> build the binary module in a very special way that will conflict with >> whatever configuration management you use, etc.; you have to treat it >> differently that all the other software components of your product. FIPS >> 140-2 is the tail that wags the dog. >> >> -Steve M. > Of cause. > > One point is that if this is a delivery for someone > subject to the FIPS-only procurementrequirement > imposed on various US Government related entities, > then whatever OS theyuse, MUST (by that requirement) > have already passed this for its password handling. This is *technically* true, in the narrow sense that supposedly any OS used in DoD should be CC certified and so forth. Should not must. In practice it is very common -- at FIPS 140-2 Level 1 -- for software *products* to use FIPS 140-2 validated crypto on non-certified, non-validated operating systems. Just take a look at Table 2 in the OpenSSL FIPS Object Module Security Policy: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf and note that of the 101 platforms ("OEs") appearing there, most of those operating systems are neither CC certified nor have any other FIPS 140-2 validated crypto. Keep in mind that at Level 1 the validation applies to the cryptographic module, not the calling application that uses that module nor the operating system that runs it. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marquess at opensslfoundation.com marquess at openssl.com gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
