On 04/22/2011 01:09 AM, kiran s wrote:
> Hi Team,
>
> We are using OpenSSL 1.0.0d for our application using 3DES. My
> application has a constraint that it should only use FIPS approved
> algorithms.
>
> Yesterday we came across another openssl version which is
> openssl-fips-1.2.2.
>
> Please clarify for us what is the difference between openssl-fips-1.2.2
> and OpenSSL 1.0.0d ?

The former is the source for the OpenSSL FIPS Object Module v1.2.2, a FIPS 140-2 validated cryptographic module (see http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1051). Read the User Guide (http://www.openssl.org/docs/fips/UserGuide.pdf) carefully for instructions on using that module *and* the "FIPS capable" OpenSSL.

The latter is a recent version of the OpenSSL library and toolkit, an entirely different beast. It is not usable with the OpenSSL FIPS Object Module v1.2.2.

> If we are using the FIPS approved 3DES algorithm only in our
> application, is it fine to continue using 1.0.0d version alone ?

Not if you want to claim FIPS 140-2 *validation*. Pay close attention to the wording: note that "use FIPS approved algorithms" is not (assuming no other context) the same thing as "use FIPS 140-2 validated cryptography".

> So, should I use 1.0.0d version or do we mandatorily use
> openssl-fips-1.2.2 module ?

That depends on your requirements. If you just want your application to work, use 1.0.0d and forget about the FIPS validated module; it doesn't give you better cryptography, or performance, or security.

If you have a mandate to use FIPS 140-2 validated cryptography then your options are very limited. There is only one currently validated open source based OpenSSL compatible cryptographic module, and that is validation #1051. It is only compatible with OpenSSL 0.9.8x, not 1.0.0x.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
[email protected]
