Re: FIPS 1.2 Security Policy issues

Wed, 26 Nov 2008 07:15:39 -0800 

Thomas J. Hruska wrote:
According to the FIPS 1.2 Security Policy, Appendix A, Platform 8 cannot be built as FIPS compliant because 'x84-64 asm' is a non-existent platform. There is no such thing as x84. It should say 'x86-64 asm'. Validation, from what I understand, only covers those platforms listed. Strictly-speaking, x86-64 asm is not able to be built as FIPS-compliant since it is not included in the list (despite supposedly being a tested platform). 


A comment on this statement: a validated *can* be generated from 
platforms not specifically listed (though generation of a validated 
module may not be possible on any such specific platform).  According to 
the Implementation Guidance section G.5 a module may be "vendor 
affirmed" as validated if it is "merely" recompiled on a new platform. 
The CMVP provided the following statement which appeared in the first 
Security Policy (certificate #733):



"The OpenSSL FIPS Object Module, when generated from the identical 
unmodified source code, is "Vendor Affirmed" to be FIPS 1402 compliant 
when running on other supported computer systems provided the conditions 
described in IG G.5 (Reference 3), are met. On any platform the Module
generated from the Module source code (the source files identified in 
Appendix B) is not validated if that source code is modified in any way."



Following extensive consultation with the test lab we concluded that the 
typical use of C macros does not constitute source code "modification". 
 However, runtime substitution of assembler code for C code, as can 
occur with the OpenSSL build, is not "mere" recompilation.  Hence the 
specific inclusion of the assembler code in the validation testing.  Due 
to the relevance of word size to cryptographic operations we also 
elected to cover both 32/64 bit and big/little endian architectures. 
However, a plain C build ("no-asm") on *any* platform where the build 
instructions in the Security Policy are faithfully followed will result 
in a validated module per the G.5 vendor affirmation, regardless of 
whether that platform was explicitly included in the validation testing.


-Steve M.

--
Steve Marquess
Open Source Software Institute
[EMAIL PROTECTED]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]






















					Reply via email to