On Sun, Feb 22, 2009 at 7:56 AM, smitha daggubati <smithad...@gmail.com> wrote:
> Thanks David and Kyle for your time.
> Kyle,
> "though current practice includes "procurement", not necessarily
> "implementation"
> I did not understand the above statement. Can you elaborate?
>
> thanks
> Srinivas

In order for the US Federal government to purchase any system which is
to hold confidential data (including private information such as
names/addresses/social security numbers/etc), that system *must* (by
law and regulation) include cryptography which is FIPS 140-1 or FIPS
140-2 validated.  Any device which provides cryptography which is
purchased by the US Federal government *must* "be FIPS validated" --
meaning, it must have a mode of operation which has been validated to
FIPS 140-1 or FIPS 140-2.

Typically, FIPS-validated cryptography is not easily interoperable
with non-FIPS-validated cryptography.  For example, with Windows
Server, if one domain controller is set to "mandate use of
FIPS-compliant cryptography" and another domain controller for the
same domain is not, those domain controllers will not talk with each
other at all (because they have different expectations as to what
authentication algorithms and methods are to be used).

The practical upshot of this is that the government buys things with
"FIPS-validated cryptography" as a mandatory checklist item, but
often, they can't follow the security policy to turn it on due to
interoperability requirements.

OpenSSL is one of the relatively few TLS cryptographic providers which
can, even when in non-FIPS mode, negotiate communication with
FIPS-validated, FIPS-mode-enabled TLS implementations.  (SSLv2 and
SSLv3 cannot be used in FIPS mode, because the key agreement mechanism
uses/relies on MD5; TLSv1 uses both MD5 and SHA-1, but the NIST
guidance is that even though it uses MD5, it is okay to use it because
it doesn't rely solely on MD5 to provide its security.)

-Kyle H
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
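
Added example, not part of the original message and not OpenSSL code: the TLS 1.0 pseudorandom function from RFC 2246 section 5, showing how the MD5 and SHA-1 streams mentioned in the message are XORed so the output does not depend on MD5 alone. The function names and the sample secret and randoms are constructed for illustration.

```python
import hmac

def p_hash(hash_name, secret, seed, length):
    """RFC 2246 P_hash: chain HMAC(secret, A(i) + seed) until `length` bytes exist."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def split_secret(secret):
    """S1 is the first half, S2 the second; an odd length shares the middle byte."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]

def tls10_prf(secret, label, seed, length):
    """PRF = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed)."""
    s1, s2 = split_secret(secret)
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha1_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample values (not captured from any real handshake).
PREMASTER = bytes(range(48))
SEED = b"\x01" * 32 + b"\x02" * 32  # client_random + server_random
LABEL = b"master secret"

def demo():
    """Derive a master secret, then again with only the SHA-1 half (S2) changed."""
    master = tls10_prf(PREMASTER, LABEL, SEED, 48)
    altered = PREMASTER[:24] + bytes(24)  # same S1, different S2
    master_alt = tls10_prf(altered, LABEL, SEED, 48)
    return master, master_alt

if __name__ == "__main__":
    m, m_alt = demo()
    print("master secret         :", m.hex())
    print("S2 changed, S1 same   :", m_alt.hex())
    # The MD5 stream is identical in both runs, so it cancels in the XOR:
    print("difference (SHA-1 only):", xor(m, m_alt).hex())
```

On a host where the crypto library is locked to FIPS-approved algorithms, the `"md5"` HMAC call may be refused outright, which is the interoperability friction the message describes.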
