FIPS: Which DRBG ?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 03/24/2015 01:27 PM, jonetsu wrote:
> 
> 
>> From: "Steve Marquess" <marquess at openssl.com> Date: 03/24/15 12:38
>> 
> 
> 
>> No, the OpenSSL FIPS module 2.0 code is no longer suitable (as of
>> early 2014) for use as-is in doing copycat validations. Some
>> non-trivial code hacks will be necessary.
> 
>> We'll do a new open source based validation to succeed the 2.0
>> FIPS module (#1747 validation) at the first opportunity, but that
>> opportunity has not yet presented itself.
> 
> I still do not know that much about the validation in practical
> terms. If our units go through validation, can this benefit OpenSSL
> ?

Not in the tiniest, unless you completely open source the entire thing
as we did (specifically in a validation that includes the
build-from-source part).

A FIPS 140-2 validation is like magical pixie dust in that you and I can
each take exactly the same source code and each build a binary FIPS
module from it in exactly the same way, for exactly the same platform,
and your module will be "validated" and mine won't (or vice-versa,
depending on the pixe dust).

> 
> Also, to go back to the SP 800-90 vs. SP 800-90A regarding the DRBGs,
> do you know how would the OpenSSL SP 800-90 validation fare in a FIPS
> testing lab since the Dual EC was removed and the other three were
> not touched ?

We "revalidate" the DRBGs every time we do a new "change letter"
platform addition, which is frequently.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux