On 10/21/2015 12:02 PM, jonetsu wrote: > > Hello, > > > Sorry if this is a bit beside OpenSSL per se, the idea behind this > post is to perhaps have some information form the OpenSSL experience > with FIPS validation. There was so much effort put into FIPS > compliance that it would not be far-fetched to consider that there is > also knowledge about what seems to be /protocol/ testing. > > > I would like to know what's involved in the CAVP testing of the SSH > protocol. I browsed the NIST CAVP web site, browsed some documents, > although I haven't found any satisfying, technically-oriented, > document on what has to be done if say, I have an editor opened with > the SSH source code. Not the fully gruesome details, but an overview > of how such testing works. See Appendix B of the OpenSSL FIPS User Guide: https://openssl.org/docs/fips/UserGuide-2.0.pdf The specific algorithm tests have changed quite a bit since then (constant change is part of the fun), but the general concept is the same. The algorithm testing is the easiest part of FIPS 140-2 validations. Note the CAVP only tests specific cryptographic algorithms, not cryptographic protocol suites like SSH (secsh). OpenSSH itself is just application code from the perspective of FIPS 140-2 and thus out of scope (as is OpenSSL; the OpenSSL FIPS Object Module is a separate software component carefully crafted to satisfy the peculiar restrictions and requirements of FIPS 140-2). Also note that converting stock OpenSSH to exclusive use of FIPS validated cryptographic is a non-trivial exercise. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marquess at opensslfoundation.com marquess at openssl.com gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
