On 08/15/2014 01:10 PM, xxiao8 wrote:
> I have read various info regarding OpenSSL and FIPS 140-2, however I
> still have this very basic question:
>
> For a new product, can I still use OpenSSL FIPS v2.0 (#1747, Policy
> 2.0.7) to get FIPS 140-2 certification these days (i.e. after I.G
> 9.5/9.10)? My platform is Linux 3.x/ARMv7/OpenWRT and I plan to use
> OpenSSL FIPS v2.0 #1747 as a static module (unchanged) so my code can use
> it for crypto operations.

The openssl-users list would be more appropriate for this query.

BTW there is no such thing as "FIPS 140-2 certification", you mean "FIPS
140-2 validation" which is a very specific formal process.

The #1747 validation remains in effect, so if you use that module as-is
in full compliance with the Security Policy then you're covered.

If you're trying to do a copycat ("private label") validation of your
own using that module source code, good luck. You will have to deal with
a number of new requirements that have been introduced since the #1747
validation was obtained, among them I.G. 9.10, SP800-131A, and FIPS
146-4. The "FIPS capable" OpenSSL will need non-trivial modifications as
well to match. All together that adds up to a pretty significant hit in
cost and time which is why we've not done any private label validations
in 2014 yet.

You mention a specific platform that is not included as one of the
formally tested platforms ("Operational Environments") for the #1747
validation. It could be that you want to use the #1747 validation as-is
and just want to add an appropriate Operational Environment to that
validation. That is possible and in fact that's how the #1747 validation
came to have so many platforms (we're working on the 101st platform
now). It's not free though; figure about US$15K which is either a
bargain (for commercial vendors relative to any alternatives) or cost
prohibitive (for the small business).

-Steve M.
--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List