On 04/28/2015 03:44 PM, Sec_Aficionado wrote:
> Hi there,
>
> Total n00b question here. I recently ran across a question on an iOS
> forum where someone was building an app with FIPS 140-2 compliant
> communications.

Note there really is no such thing as "FIPS 140-2 compliant" (though you see that term bandied around a lot and I'm guilty of doing so myself). The term of interest is "FIPS 140-2 validated" (n.b.: that's "validated" not "certified").

> Now, from reading here (mailing lists) about FIPS certification, it
> involves both the bits and the platform. So it would not be possible
> to create an app that is compliant on a platform that hasn't been
> certified. Is that a correct assumption? Or can I build a compliant
> app with just certified libraries?

A Level 1 FIPS 140-2 validation (Level 1 being the most common and the "easiest") applies to a thing called a "cryptographic module" in the context of one or more "OEs" or "Operational Environments" (loosely speaking, "platforms"). Note at Level 1 products are not validated, operating systems are not validated, only "cryptographic modules" are validated.

Translated from FIPSspeak, for a software "module" that means a very specific chunk of executable code running on a specific platform (operating system and OS version and processor "architecture"). Move that same code to another platform and it is no longer validated; the validation is relative to the OEs or platforms.

The only valid reason to use a FIPS 140-2 validated module is that you must in order to sell your cryptography-using product to the USG or DoD. For that market you (typically, if the procurement officer is paying attention) have to use a validated cryptographic module on one of the OEs specifically listed for that module validation.

So for a software product there is no such thing as validation of the product independent of the platform (OE) it runs on. A partial exception to that rule is "user affirmation" per I.G. G.5, but while technically a legitimate means of satisfying FIPS 140-2 validation requirements that has limited practical value in the USG/DoD market.

Note I'm only discussing Level 1 validations here; Levels 2 and up are different.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc