I understand the requirements of FIPS validation. The product is designed for Federal market so it must has FIPS validation.The code uses only PRNG and AES, it doesn't use any of the other algorithms, that were my question came from. My problem is really not at the start up of the system, there I can wait a minute for the tests to complete. My problem is in cases were the DSP crashes (and unfortunately it happens once in a while). When a crash happens we have a recovery mechanism that loads the DSP again and there I have a problem to wait a minute.
Avisar On Mon, Dec 22, 2008 at 12:08 PM, Kyle Hamilton <aerow...@gmail.com> wrote: > FIPS 140-2 validation is mandated for encryption modules used by the > US federal government when dealing with sensitive-confidential (but > not classified) information. I believe it's also mandated for the > Canada federal government, as well. > > This mandate means that even if it takes 10 minutes to initialize, > they are *required* to deal with it, even if they really could use a > faster, stripped-down version. This also means that if you're in a > situation that doesn't actually require FIPS validated cryptographic > modules, you can simply use FIPS-compatible (but not FIPS-validated) > algorithms for interoperability with them. Most notably, this means > not using MD5 at all (except in conjunction with one of the SHA > algorithms -- there's a situation in TLS where the keying material is > produced by MD5+SHA1, and that has been held to be okay in that > situation because the output is still not predictable and still not > subject to an easy chosen-birthday attack). > > If you decide to try to get another FIPS validation, you should expect > an interminable timeframe (not merely 6 months, but possibly several > years) and a HUGE financial outlay (and I mean "in the orders of tens > if not hundreds of thousands of US dollars"), and if you're not > already an expert in navigating the system I would recommend avoiding > it if at all possible. Steve Marquess is the one who could most > likely explain the entire process, and if you look in the mailing list > archives you can see several messages that he and John Weathersby > (both of the Open Source Software Institute) have posted about the > process. > > -Kyle H > > On Sun, Dec 21, 2008 at 11:26 PM, a_l t <avisar.li...@gmail.com> wrote: > > If I want to validate a stripped down module (let's say for simplicity > just > > without the unwanted self tests), is there a fast way to do it, or I > should > > expect a 6 months process? > > I also didn't quite understood what you meant in the last sentence: > "Where > > FIPS validation is mandated operations considerations take second place." > > Thanks, > > Avisar > > > > On Mon, Dec 22, 2008 at 1:46 AM, Steve Marquess < > marqu...@oss-institute.org> > > wrote: > >> > >> a_l t wrote: > >>> > >>> I'm running it on TI DSP (C6455) and it takes around 1 minute. > >>> > >>> On Sun, Dec 21, 2008 at 10:28 PM, Victor Duchovni > >>> <victor.ducho...@morganstanley.com > >>> <mailto:victor.ducho...@morganstanley.com>> wrote: > >>> > >>> On Sun, Dec 21, 2008 at 05:28:14PM +0200, a_l t wrote: > >>> > >>> > I'm using the FIPS approved OpenSSL. In the initialization it runs > >>> > several self tests which take quite a long time. I use only several > >>> > algorithms from the OpenSSL, is there a way to remove the self > >>> > tests of the algorithms that I don't use (like DSA) without losing > >>> > the FIPS certification. > >>> > >>> How long do the self-tests take? > >> > >> Ouch. If you must enable FIPS mode you don't have many options. Find > >> some other faster product, if there is any; use a validated hardware > device; > >> hack and validate a stripped down derivative of the OpenSSL FIPS Object > >> Module. Where FIPS validation is mandated operations considerations > take > >> second place. > >> > >> -Steve M. > >> > >> -- > >> Steve Marquess > >> Open Source Software institute > >> marqu...@oss-institute.org > >> > >> ______________________________________________________________________ > >> OpenSSL Project http://www.openssl.org > >> User Support Mailing List openssl-users@openssl.org > >> Automated List Manager majord...@openssl.org > > > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org >
