On 03/07/2016 07:58 PM, James M Takahashi wrote: > _https://www.openssl.org/docs/fipsnotes.html_ mentions the following: > > As a result of the POST performance issue we revisited the KAT (Known > Answer Test) requirements in the POST process that were burning up most > of those cycle. In consultation with a CMVP test lab we determined that > it should be possible to substantially reduce that performance penalty > in a new validation. > > Can you please elaborate a bit on what this means? > > Thanks in advance for any light you can shed. The answer to that mostly concerns the historical origins of the OpenSSL FIPS Object Module. The text you are quoting dates from the time we were beginning work on the most recent module (which is now confusingly covered by three validations, #1747, #2398, #2473). As the only source code based module -- one distributed in source code form -- and available under a no-cost open source license no less, these validations have been subjected to an extraordinary amount of scrutiny. Many of the FIPS 140-2 requirements are less than crystal clear, at least from the outsider perspective of the software engineer. So in coding the initial versions of the OpenSSL FIPS module we tried to be conservative in satisfying the POST requirements as we understood them. For instance, we checked multiple variations of different algorithms for the KATs. The resulting performance hit was substantial on low powered hardware; as bad as tens of seconds for some embedded systems. So for the #1747 validation we took a close look, in consultation with the accredited test lab, at what we could do to minimize that performance penalty. The conclusion was that we could safely streamline or eliminate many of the KATs. That conclusion was confirmed by the CMVP when they approved the #1747 validation[1]. The POST performance penalty for the current OpenSSL FIPS module is now tolerably low on all but the most severely underpowered hardware. Note that the POST is also optional, in that an application that is using the "FIPS capable" OpenSSL (OpenSSL proper built with the "fips" buildtime option in the presence of a FIPS module) incurs no POST performance penalty at all until FIPS mode is enabled by the calling application via FIPS_mode_set(). However, the requirements were changed after the #1747 (et. al.) validation(s) were awarded (I.G. 9.10) so that new modules are now forced to execute the POST unconditionally, even if FIPS mode isn't desired. It's my understanding that the upcoming FIPS 140-4 again permits a conditional POST, though. -Steve M. [1] Note it can be difficult to get specific answers to hypothetical questions from the CMVP. Test labs may say "well, we're not sure", or different labs may give diametrically different answers. Sometimes the best way to answer such questions is to submit a formal validation action to elicit a definitive response. -- Steve Marquess OpenSSL Validation Services, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marquess at openssl.com gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
