
List:       openssl-dev
Subject:    RE: FIPS 140-2 certification
From:       "Chris Brook" <cbrook () v-one ! com>
Date:       2002-09-30 13:00:24

We have got FIPS 140-1 certification using the OpenSSL crypto library and I
believe there are other VPN vendors who have done this. A lot of it is
documentation.  On the code side, you must use only approved encryption and
hash algorithms: 3DES (DES) and SHA-1 (not MD5).  AES obviously has been
added for FIPS 140-2.  Random number seeding must use ANSI X9.17; we have
added this outside the crypto library, I think our only addition.  There are
some procedural/self-checking requirements: all modules inside the "crypto
boundary" (you define that) must run a self-check code integrity test at
startup (typically running DES decryption to get a checksum and comparing
that to a known checksum that goes with the release), and a known answer
test at startup on all crypto algorithms to verify that they are working OK.
Hope this helps.  The cost in the US for Level 1 (software only)
certification testing is about $50,000.
Chris Brook

-----Original Message-----
From: owner-openssl-dev@openssl.org
[mailto:owner-openssl-dev@openssl.org]On Behalf Of Ben Laurie
Sent: Saturday, September 28, 2002 7:33 AM
To: openssl-dev@openssl.org
Subject: Re: FIPS 140-2 certification


Nathan Bardsley wrote:
> Hello everyone!
>
> I work for a company that uses OpenSSH/OpenSSL to remotely support
> systems we've sold.  Since some of our clients are US Dept. of Defense
> hospitals, our access to these servers needs to comply with a whole
> range of requirements and standards.  At this point it's looking like
> the SSH daemon needs to be FIPS 140-2 compliant, and the only package
> that is certified is F-Secure.
>
> The other option is for CliniComp to sponsor getting OpenSSH/OpenSSL
> through the certification process, and that's what I'm exploring.
>
> I'd really appreciate knowing what the core developers think about this,
> and how willing they would be to assist in the process.  I know there
> will need to be a fair amount of documentation, and there is no
> substitute for first-hand knowledge.  Also, it seems pretty clear that at
> least some code changes will be needed including self-tests, a new prng,
> and work in the key generation & validation modules.
>
> While we (CliniComp) do have some resources including technical writers
> and programmers, we certainly do not have the expertise in cryptography
> to just do it all ourselves.  And if this does happen, part of the point
> would be for the necessary changes to be rolled back into the standard
> package.
>
> Please understand that right now I'm just exploring possibilities, but
> the other option for us is to spend a lot of money on F-Secure licenses.
>
> I would very much appreciate hearing your thoughts and from anyone else
> interested in making this happen.

I'm interested, and would certainly support it. Of course, any changes
made would have to fit in with our general view of the world, but unless
FIPS 140-2 is completely broken I don't see why that would be a problem.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majordomo@openssl.org
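
The startup self-checks described in the first message (a code integrity test against a checksum shipped with the release, then known answer tests on the algorithms), sketched as an added example; this is not code from the posters or from OpenSSL. It substitutes HMAC-SHA-1 for the DES-based checksum mentioned there, and CryptoModule, image_mac, INTEGRITY_KEY and the module image are hypothetical names and constructed values.

```python
import hashlib
import hmac

# Published vectors: SHA-1 from FIPS 180, HMAC-SHA-1 from RFC 2202 test case 1.
SHA1_KATS = [
    (b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d"),
    (b"", "da39a3ee5e6b4b0d3255bfef95601890afd80709"),
]
HMAC_KAT = (b"\x0b" * 20, b"Hi There", "b617318655057264e28bc0b6fb378c8ef146be00")

INTEGRITY_KEY = b"constructed-demo-key"  # hypothetical; fixed for a given release


def image_mac(image: bytes) -> str:
    """Keyed checksum over everything inside the crypto boundary."""
    return hmac.new(INTEGRITY_KEY, image, hashlib.sha1).hexdigest()


def known_answer_tests(sha1=hashlib.sha1) -> bool:
    """Run each algorithm on fixed input and compare with the known output."""
    for msg, want in SHA1_KATS:
        if sha1(msg).hexdigest() != want:
            return False
    key, msg, want = HMAC_KAT
    return hmac.new(key, msg, hashlib.sha1).hexdigest() == want


class CryptoModule:
    """Hypothetical wrapper: no crypto service until the power-up tests pass."""

    def __init__(self):
        self.state = "uninitialized"

    def power_up(self, image: bytes, release_mac: str, sha1=hashlib.sha1) -> bool:
        # Integrity test first, then the known answer tests; any failure
        # leaves the module in an error state that refuses all requests.
        ok = hmac.compare_digest(image_mac(image), release_mac)
        ok = ok and known_answer_tests(sha1)
        self.state = "operational" if ok else "error"
        return ok

    def digest(self, data: bytes) -> str:
        if self.state != "operational":
            raise RuntimeError("crypto module is in state: " + self.state)
        return hashlib.sha1(data).hexdigest()
```
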
