Ryan,

You're right about the entire package needing to be FIPS 140-2
certified.  Also, the other key component here is what
algorithms/components the system is FIPS 140-2 certified for, such as
3DES, TLS, SSL, RNG, or AES.

However, if you're attempting to do C&A on a system, keep in mind that
the other important issue is interfacing components.

What good is an OpenBSD system running with a FIPS 140-2 certified
cryptographic component handling SSL and SSH (using AES-256) if the
interfacing systems aren't also well-protected, and your applications
running on the system don't have safeguards against malicious usage?

It's a nice check box for most auditors, but it doesn't make your entire
system more secure, and never will :).

Mitch

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Ryan McBride
Sent: Wednesday, March 12, 2008 10:04 PM
To: misc@openbsd.org
Subject: Re: FIPS 140-2

On Thu, Mar 13, 2008 at 12:29:47PM +1100, Damien Miller wrote:
> On Wed, 12 Mar 2008, Ed Ahlsen-Girard wrote:
>
> > Does OpenBSD's OpenSSL use the FIPS 140-2 certified bits where
> > applicable?
>
> No. Furthermore, there are no "FIPS 140-2 certified bits" - it is an
> entire package that is certified, you don't get to pick and choose.

However, if you can find a FIPS 140-2 certified cryptographic
accelerator that OpenSSL will use (and most of those supported by
OpenBSD will fall into this category), OpenSSH will be using it as well,
and you can then presumably put FIPS 140-2* on your product materials or
audit questionnaire or what have you.

-Ryan

* With some fine print disclaimer to ensure that nobody accuses you of
  claiming FIPS compliance for the whole system, of course.
