> On Jul 27, 2016, at 8:18 PM, pratyush parimal <pratyush.pari...@gmail.com> > wrote: > > Hi all, > > I work on a consumer application which is striving to be fips-140-2 compliant. > > I'm using OpenSSL as recommended in the fips guide by invoking > fips_mode_set(). However, in certain parts of the same application, I'm using > my own non-OpenSSL random number generator to generate salts for hashing > passwords for the app user accounts(I'm not using RAND_bytes). > > Does anyone know if using my custom random number generator in this way > violates the app's fips compliance?
That’s almost certainly a violation. There might be a few edge cases where it is not, but they’re very unlikely. To determine if you’re even close to such cases, ask: Does the RNG I’m using come from another FIPS 140 validated cryptographic module? Am I using that module in approved mode? Am I using that module according to its security policy? Do I have explicit permission from the customers’ auditors to mix two modules in my product? If the answer to all of those questions is yes, you _might_ be OK, for now. A few auditors (in the past, anyway) considered it OK to mix modules, while other auditors say no. My own reading of FIPS 140-2 is that you may not mix modules. But I’m not an auditor or a lawyer. :) The other question to ask is: can I clearly explain that the use of the non-approved RNG is for non-cryptographic purposes, and easily justify that explanation? Given what you said about why you’re using it, I’m pretty sure the answer to that one is “no”. :) And even if you could, that’s still a very weak argument to be making to your customers’ auditors, who may decide it’s still not allowed even if they agree it’s for non-cryptographic purposes. > Am I really supposed to be using > RAND_bytes for compliance reasons? Yes. > Thanks in advance! > Pratyush. > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
