On 03/21/2015 02:48 PM, xxiao8 wrote: > At the moment OpenSSL FIPS validation supports ANSI X9.31 with AES128 > for RNG, however it will be outdated in 2015. > > Another alternative RNG in OpenSSL FIPS is SP800-90 DRBG, however the > new requirement is to use DRBG per SP800-90A. > > Are the DRBGs in SP800-90/OpenSSL-FIPS-2.0.9 the same as what SP800-90A > requires? Otherwise how can OpenSSL 2.0 FIPS be used in any new > validations? The OpenSSL FIPS Object Module implements all three extant DRBGs (Dual EC DRBG has been removed). The DRBGs are noted in the Security Policy document: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf which is worth referencing for any "does the OpenSSL FIPS Object Module have X" questions. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marquess at opensslfoundation.com marquess at openssl.com gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
