Re: Drbg kat test data: Openssl-fips 2.0.16

2019-07-15 Thread Mark Minnoch
Manish asked:

> There is DRBG kat test data in fips_drbg_selftest.h. (Openssl-fips-2.0.16)
> Can anyone let me know, What is the source of this constant arrays. NIST
> link or any other  source will be helpful?

I'm pretty sure that the test data for the DRBG KAT (known answer test)
came from the NIST algorithm test tool when the OpenSSL team tested all of
the algorithm implementations.

The CAVP also posts sample test vectors if you are looking for that sort of
thing:
https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/random-number-generators#DRBG

Mark J. Minnoch
Co-Founder, CISSP
KeyPair Consulting
+1 (805) 550-3231 mobile
https://KeyPair.us
https://www.linkedin.com/in/minnoch

*We expertly guide technology companies in achieving their FIPS 140 goals*

*Blog post: You Have Your FIPS Certificate. Now What?*
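The DRBG known-answer test discussed above, as an added illustration that is neither OpenSSL's code nor the contents of fips_drbg_selftest.h: a minimal HMAC_DRBG (SP 800-90A) together with the harness a module runs at power-up. It follows the CAVP DRBG test shape (instantiate, two Generate calls, compare the second output against the stored expected value). The entropy, nonce and personalization inputs are constructed, not a NIST vector; a real self-test stores the expected output as a constant obtained from the CAVP tool, whereas this example derives it with kat_output so that it runs offline.

```python
import hashlib
import hmac


class HmacDrbg:
    """Minimal HMAC_DRBG (SP 800-90A section 10.1.2), no prediction resistance."""

    RESEED_INTERVAL = 2 ** 48  # maximum Generate requests between reseeds

    def __init__(self, entropy: bytes, nonce: bytes, personalization: bytes = b"",
                 hash_name: str = "sha256") -> None:
        self.hash_name = hash_name
        outlen = hashlib.new(hash_name).digest_size
        # Instantiate: K = 0x00..00, V = 0x01..01, then Update(seed_material)
        self.key = b"\x00" * outlen
        self.value = b"\x01" * outlen
        self._update(entropy + nonce + personalization)
        self.reseed_counter = 1

    def _hmac(self, key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, self.hash_name).digest()

    def _update(self, provided_data: bytes = b"") -> None:
        # HMAC_DRBG_Update (10.1.2.2): the second round only runs when
        # provided_data is non-empty
        self.key = self._hmac(self.key, self.value + b"\x00" + provided_data)
        self.value = self._hmac(self.key, self.value)
        if not provided_data:
            return
        self.key = self._hmac(self.key, self.value + b"\x01" + provided_data)
        self.value = self._hmac(self.key, self.value)

    def reseed(self, entropy: bytes, additional_input: bytes = b"") -> None:
        # HMAC_DRBG_Reseed (10.1.2.4)
        self._update(entropy + additional_input)
        self.reseed_counter = 1

    def generate(self, num_bytes: int, additional_input: bytes = b"") -> bytes:
        # HMAC_DRBG_Generate (10.1.2.5)
        if self.reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < num_bytes:
            self.value = self._hmac(self.key, self.value)
            out += self.value
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:num_bytes]


# Constructed KAT inputs for illustration only; NOT a NIST CAVP vector.
KAT_VECTOR = {
    "hash": "sha256",
    "entropy": bytes(range(32)).hex(),
    "nonce": bytes(range(16)).hex(),
    "pers": b"constructed KAT example".hex(),
    "out_bytes": 64,
}


def kat_output(vector: dict) -> str:
    """Replay a vector the way the CAVP DRBG test does: instantiate, then two
    Generate calls, and return the second call's output as hex."""
    drbg = HmacDrbg(bytes.fromhex(vector["entropy"]), bytes.fromhex(vector["nonce"]),
                    bytes.fromhex(vector["pers"]), vector["hash"])
    drbg.generate(vector["out_bytes"])          # first output is discarded
    return drbg.generate(vector["out_bytes"]).hex()


def run_kat(vector: dict, expected_hex: str) -> bool:
    """Compare the replayed output with the stored expected value."""
    return hmac.compare_digest(kat_output(vector), expected_hex)


def power_up_selftest(vector: dict, expected_hex: str) -> bool:
    """What a FIPS module does at start-up: a KAT mismatch is fatal and the
    module must enter an error state instead of serving requests."""
    if not run_kat(vector, expected_hex):
        raise RuntimeError("DRBG KAT failed: entering error state")
    return True


if __name__ == "__main__":
    # In a real module the expected value is a constant obtained from the
    # CAVP tool; here it is derived once so the example runs offline.
    expected = kat_output(KAT_VECTOR)
    print("HMAC_DRBG KAT:", "pass" if power_up_selftest(KAT_VECTOR, expected) else "fail")
```

To use this against a real vector, paste the CAVP EntropyInput, Nonce, PersonalizationString and ReturnedBits fields into KAT_VECTOR and the expected value, and the harness will report a mismatch if the implementation drifts.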


Re: [openssl-users] [openssl-project] OpenSSL 3.0 and FIPS Update

2019-02-15 Thread Mark Minnoch
Responding to some earlier questions:

> Can you give any guidance on which platforms will be validated with the
> OpenSSL FIPS 3.0 module?  My recollection is that it will only be a handful
> of platforms.

I would expect the number of platforms to be small. The wonderful 5
sponsors of the FIPS project will likely direct the initial platforms.

> Any additional information about how other platforms can be validated
> would also be helpful.

My company, KeyPair Consulting, performs FIPS testing for new platforms for
the OpenSSL FOM 2.0. We plan to continue this service for the OpenSSL FIPS
Module for 3.0.

-- 
Mark J. Minnoch
Co-Founder, CISSP
KeyPair Consulting
+1 (805) 550-3231 mobile
https://KeyPair.us
https://www.linkedin.com/in/minnoch

*We expertly guide technology companies in achieving their FIPS 140 goals*

*Blog post: You Have Your FIPS Certificate. Now What?*


Re: [openssl-users] OpenSSL FIPS Object Module 2.0 on CD

2018-06-20 Thread Mark Minnoch
I'm responding to a previous post about obtaining a CD of the OpenSSL FIPS
Object Module from KeyPair Consulting rather than directly from OpenSSL.
The question is:

> Just curious, but does this satisfy Section 6.6 of the User Guide,
> since the CD does not come directly from the OpenSSL Foundation?

That's a great question. KeyPair Consulting will send a copy of the OpenSSL
FOM on CD to people that choose not to use the following options:

The best way to get the OpenSSL FIPS Object Module distribution is directly
from OpenSSL at https://www.openssl.org/source/

The second best way is to get the OpenSSL FIPS Object Module CD directly
from OpenSSL (as described in the OpenSSL FOM Security Policy and User
Guide).

Mark J. Minnoch
Co-Founder, CISSP, CISA
KeyPair Consulting
+1 (805) 550-3231 mobile
https://KeyPair.us
https://www.linkedin.com/in/minnoch

*We expertly guide technology companies in achieving their FIPS 140 goals*

*New blog post: You Have Your FIPS Certificate. Now What?*
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] OpenSSL FIPS Object Module 2.0 on CD

2018-06-20 Thread Mark Minnoch
If you are looking for a copy of the OpenSSL FIPS Object Module (versions
2.0 to 2.0.16) delivered to you on CD, then please send an email to
c...@keypair.us with your shipping address.

We will send you a copy of the original OpenSSL FOM CD.

For details, see: https://keypair.us/2018/05/cd/

Mark J. Minnoch
Co-Founder, CISSP, CISA
KeyPair Consulting
+1 (805) 550-3231 mobile
https://KeyPair.us
https://www.linkedin.com/in/minnoch

*We expertly guide technology companies in achieving their FIPS 140 goals*

*New blog post: You Have Your FIPS Certificate. Now What?*


[openssl-users] FIPS 140-2 certification

2018-06-20 Thread Mark Minnoch
Oleg wrote:
> We would like to add to our product OpenSSL with FIPS 140-2 module. The
> problem is that our OS and CPUs are not FIPS certified. We use vxWorks 5.5.1
> with 3 types of CPUs in different products.
>
> How can we get certification for these environments? OSF answered that
> they do not do FIPS consulting work anymore. Can somebody explain what is
> the process and cost to get such certification?

My company, KeyPair Consulting, helps our Clients with FIPS 140-2 testing
for the OpenSSL FIPS Object Module. I sent Oleg a direct message with
additional details. Our service is described here:
https://keypair.us/private-labels/

Mark J. Minnoch
Co-Founder, CISSP, CISA
KeyPair Consulting
+1 (805) 550-3231 mobile
https://KeyPair.us
https://www.linkedin.com/in/minnoch

*We expertly guide technology companies in achieving their FIPS 140 goals*

*New blog post: You Have Your FIPS Certificate. Now What?*


[openssl-users] FIPS Non?-Approved Cryptographic Functions

2018-03-14 Thread Mark Minnoch
> From the OpenSSL FIPS Security Policy chapter 4, it mentioned there are a
> number of non-FIPS approved algorithms/ services which are still
> implemented by the FIPS canister modules (e.g. RSA, DSA, DRBG, ECDSA etc).
>
> Just wondering why these algorithms are still implemented by FIPS
> Canister.
>
> The concern is, if these algorithms could still be used under FIPS mode,
> there is risk that the applications which use the FIPS canister modules
> may become non-FIPS compliant if these algorithms are used by mistake.

You are correct. It is possible for an application to use the OpenSSL FOM
in a non-approved way by calling a non-approved service listed in Table 4c
of the OpenSSL FOM Security Policy. I'm sure it was easier for the OpenSSL
team to make documentation changes (rather than making coding changes and
performing additional FIPS testing) to maintain the validity of the FIPS
certificate when the SP 800-131A transitions were enforced.

A coding change to the FIPS canister would require review by the FIPS
Laboratory. If any of the updates were found to be security relevant (from
a FIPS perspective), then a FIPS revalidation effort involving additional
testing would be required. As you know, there are many, many, many "Tested
Configurations" (operating systems+hardware platforms) listed for the
OpenSSL FOM certificates. A revalidation would result in a new OpenSSL FOM
FIPS certificate and all of the previously tested configurations (that
people care about) would need to be retested. Yikes.

Here is some background for those interested...
At the time of the original OpenSSL FOM validation, FIPS 140-2 allowed the
use of an ANS X9.31 RNG. Digital signature functions could be performed
using key sizes that provided an equivalent strength of 80 bits or greater.
With the transition timelines documented in SP 800-131A, FIPS modules today
must use only SP 800-90A DRBGs (for key generation) and >= 112 bits of
equivalent strength for digital signature functions (although digital
signature verification may be performed at previously allowed key sizes for
legacy purposes). The services provided by the OpenSSL FOM that do not meet
current SP 800-131A requirements are now listed as non-approved services in
Table 4c of the OpenSSL FOM Security Policy.

Mark J. Minnoch
Co-Founder, CISSP, CISA
KeyPair Consulting
+1 (805) 550-3231 mobile
https://KeyPair.us
https://www.linkedin.com/in/minnoch

*We expertly guide technology companies in achieving their FIPS 140 goals*

*New blog post: You Have Your FIPS Certificate. Now What?*
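The SP 800-131A transition described in the message above, as an added illustration that is neither OpenSSL's code nor the Security Policy's Table 4c: it maps a key size to its security strength using the comparable-strength table from SP 800-57 Part 1, then classifies a signature operation as approved (112 bits or more), legacy-use (verification at 80-bit strength only) or non-approved, so an application can screen its own requests before one of them silently takes it out of FIPS mode. The strength tables are from SP 800-57; the operation names and the sample requests are constructed for this example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

APPROVED_MIN_STRENGTH = 112  # bits; SP 800-131A post-transition minimum
LEGACY_MIN_STRENGTH = 80     # bits; tolerated for signature *verification* only

# Comparable security strengths per SP 800-57 Part 1 (Table 2):
# (minimum key size in bits, strength in bits)
_RSA_DSA = [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]
_ECC = [(160, 80), (224, 112), (256, 128), (384, 192), (512, 256)]


def security_strength(algorithm: str, key_bits: int) -> int:
    """Security strength of a key size; 0 when below every tabulated size."""
    alg = algorithm.upper()
    if alg in ("RSA", "DSA"):
        table = _RSA_DSA   # RSA modulus size / DSA prime modulus size L
    elif alg in ("ECDSA", "ECC"):
        table = _ECC       # size of the curve order n
    else:
        raise ValueError(f"no strength table for {algorithm!r}")
    strength = 0
    for min_bits, bits in table:
        if key_bits >= min_bits:
            strength = bits
    return strength


def classify(operation: str, algorithm: str, key_bits: int) -> str:
    """Return 'approved', 'legacy-use' (verification at 80-bit strength) or
    'non-approved' for a signature operation under SP 800-131A rules."""
    strength = security_strength(algorithm, key_bits)
    if strength >= APPROVED_MIN_STRENGTH:
        return "approved"
    if operation == "verify" and strength >= LEGACY_MIN_STRENGTH:
        return "legacy-use"
    return "non-approved"


Call = Tuple[str, str, int]  # (operation, algorithm, key_bits)


def audit(calls: List[Call]) -> Dict[str, List[Call]]:
    """Group signature requests by status so an application can refuse the
    non-approved ones before they reach the module, rather than discovering
    them during a later compliance review."""
    report: Dict[str, List[Call]] = defaultdict(list)
    for call in calls:
        report[classify(*call)].append(call)
    return dict(report)


# Constructed sample of signature requests, not taken from any real application.
SAMPLE_CALLS: List[Call] = [
    ("sign", "RSA", 2048),
    ("sign", "RSA", 1024),
    ("verify", "RSA", 1024),
    ("verify", "DSA", 512),
    ("sign", "ECDSA", 192),
    ("verify", "ECDSA", 256),
]

if __name__ == "__main__":
    for status, grouped in audit(SAMPLE_CALLS).items():
        print(f"{status}: {grouped}")
```

The screening is deliberately on the application side: as the message notes, the module itself still exposes these services, so the caller is the place where a policy gate can be enforced without touching the validated code.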


Re: [openssl-users] FIPS 140-2 key wrapping transition

2018-03-02 Thread Mark Minnoch
The OpenSSL FOM Cert. #1747 will not be moved to the CMVP Historical List since 
it does not implement a non-compliant AES key wrapping service in the defined 
cryptographic boundary.

All of the FIPS modules that implement a non-compliant AES key wrapping service 
have already been moved to the Historical List.

Mark J. Minnoch
Co-Founder, CISSP, CISA
KeyPair Consulting Inc.
+1 (805) 550-3231 mobile
https://KeyPair.us
https://www.linkedin.com/in/minnoch

*We expertly guide technology companies in achieving their FIPS goals*



Re: [openssl-users] FIPS certification for openssl

2017-11-29 Thread Mark Minnoch
If you need a FIPS resource for the OpenSSL FIPS Object Module -- my
business partner (Steve Weymann) and I worked with Steve Marquess when we
were at a FIPS Testing Lab to achieve the FIPS 140-2 Cert. #1747 for the
OpenSSL FIPS Object Module.

We are now helping technology companies that need FIPS testing of the
OpenSSL FOM on specific operating systems. We also perform Private Label
validations to rebrand the OpenSSL FOM for our clients.

Mark J. Minnoch
Co-Founder, CISSP, CISA
KeyPair Consulting
+1 (805) 550-3231 mobile
https://KeyPair.us
https://www.linkedin.com/in/minnoch

*We expertly guide technology companies in achieving their FIPS 140 goals*