Hi Steve,

Thank you very much for the response. I have one more question. In order to use FIPS 140-2 certified TPM hardware in an OpenSSL FIPS-enabled environment, do I have to add engine support in the OpenSSL FIPS Object Module and go for a private label?
Regards,
Jayalakshmi

On Fri, Jul 4, 2014 at 8:36 PM, Steve Marquess <marqu...@opensslfoundation.com> wrote:
> On 07/04/2014 10:44 AM, Dr. Stephen Henson wrote:
> > On Fri, Jul 04, 2014, Jayalakshmi bhat wrote:
> >
> >> Hi All,
> >>
> >> We are using OpenSSL 1.0.1c along with the OpenSSL FIPS Object Module in our
> >> product. Recently we have added TPM support. The TPM chip is not FIPS
> >> compliant. Hence in FIPS mode none of the SSL applications are working.
> >>
> >> I wanted inputs on the following questions. I would be grateful to receive
> >> any help.
> >>
> >> 1. According to the FIPS user guide *OpenSSL FIPS 140-2 User Guide: 2.6.2
> >> Algorithms Available in FIPS Mode*, with the current TPM chip we cannot
> >> make the device FIPS compliant. Is my understanding correct?
> >>
> >
> > If the TPM chip is not FIPS compliant then nothing you can do will
> > change that.
>
> Keep in mind that at Level 1 it isn't "the device" that is FIPS 140-2
> validated, but rather the cryptography that it uses (in the form of one
> or more FIPS 140-2 validated cryptographic "modules").
>
> You meet the USG/DoD procurement requirements for FIPS 140-2 validated
> crypto when *all* of the crypto your device/product/application uses is
> FIPS 140-2 validated.
>
> As a *practical* matter you may gain some advantage with *some* USG/DoD
> customers if only *some* of the crypto used by your
> device/product/application is validated, but you aren't truly in
> compliance with those procurement requirements and don't want to
> represent yourself as such.
>
> Note that this partial use of validated crypto does appear to be rather
> common, albeit improper. For instance, any vendor who ships a turnkey
> product based on Linux or Android is probably not using FIPS 140-2
> validated crypto exclusively, as there are (at present) no open source
> based validated implementations of kernel crypto as used by the kernel
> itself and by protocols like IPsec.
>
> So you really need to let your marketing and senior management folks
> make the call.
>
> -Steve M.
>
> --
> Steve Marquess
> OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> USA
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> marqu...@opensslfoundation.com
> marqu...@openssl.com
> gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org