On Mon, Sep 08, 2003 at 10:49:02AM -0600, Tolga Acar wrote:I realize that, FIPS 140 addresses crypto modules with cryptographic algorithms, not protocols like SSL.
On a second thought, that there is no key management algorithm certified, how would one set up a SSL connection in FIPS mode?
It seems to me that, it is not possible to have a FIPS 140 certified SSL/TLS session using the OpenSSL's certification.
SSL's not certifiable, period.
Although in "cryptomodule" terms "SSL's not certifiable" is not necessarily a correct claim. You can certainly certify one big module including cryptography, including the entire SSL protocol for FIPS 140. That would be somewhat bizzare, though.
But, that's not my point. The questions was, how would one claim that he is using FIPS certified cryptography *under* OpenSSL, if the crypto layer does not have a FIPS certified key management (read RSA) algorithm?
TLS has been held to be certifiable, and products using TLS have been certified. However, it's necessary to disable any use of MD5 in the certificate validation path. When I had a version of OpenSSL certified for use in a product at my former employer, I had to whack the OpenSSL source to throw an error if in FIPS mode and any part of the certificate
validation path called the MD5 functions. Perhaps this has been done in the version currently undergoing certification. You'll also need
Yeah, been there. I think my current company (Novell) suggested that, not sure what happened.
Well, that is sort of my point.certificates that use SHA1 as the signing algorithm, which some public CAs cannot provide (though most can, and will if the certificate request itself uses SHA1 as the signing algorithm).
SHA1 is not a signature algorithm, sha1-with-rsa is, and that RSA is not a certified algorithm in OpenSSL's FIPS 140 certification, sha1-with-rsa isn't, either.
Perhaps, my understanding of the OpenSSL FIPS 140 certification is not entirely accurate.
Yes, but I am addressing signature generation and verification, and more importantly key exchange: encrypting the PMS and such.The use of MD5 in the TLS protocol itself is okay, because it is always used in combination with SHA1 in the PRF. We got explicit guidance from NIST on this issue.
- Tolga
Thor
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
