Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
On Mon, Sep 15, 2003 at 12:57:55PM -0400, Wei Dai wrote:
>
> I think I may have found such a written guidance myself. It's guidance
> G.5, dated 8/6/2003, in the latest "Implementation Guidance for FIPS
> 140-2" on NIST's web site:
> http://csrc.nist.gov/cryptval/140-1/FIPS1402IG.pdf. This section seems
> especially relevant:
>
> For level 1 Operational Environment, the software cryptographic module
> will remain compliant with the FIPS 140-2 validation when operating on
> any general purpose computer (GPC) provided that:
>
> a. the GPC uses the specified single user operating system/mode
> specified on the validation certificate, or another compatible single
> user operating system, and
>
> b. the source code of the software cryptographic module does not
> require modification prior to recompilation to allow porting to another
> compatible single user operating system.
> (end quote)
>
> The key word here must be "recompilation". The language in an earlier

Unfortunately, another key set of words is "single user". This would seem
to significantly limit the value of a software-only certification...

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
On Sat, Sep 06, 2003 at 03:33:44PM -0400, Wei Dai wrote:
> Do you have *written* guidance from NIST/CSE that your approach is ok?
> (Not the testing lab, what they say don't really count in the end, and
> neither does what NIST/CSE say verbally.) If so can you please post that
> written guidance?

I think I may have found such a written guidance myself. It's guidance
G.5, dated 8/6/2003, in the latest "Implementation Guidance for FIPS
140-2" on NIST's web site:
http://csrc.nist.gov/cryptval/140-1/FIPS1402IG.pdf. This section seems
especially relevant:

For level 1 Operational Environment, the software cryptographic module
will remain compliant with the FIPS 140-2 validation when operating on
any general purpose computer (GPC) provided that:

a. the GPC uses the specified single user operating system/mode
specified on the validation certificate, or another compatible single
user operating system, and

b. the source code of the software cryptographic module does not
require modification prior to recompilation to allow porting to another
compatible single user operating system.
(end quote)

The key word here must be "recompilation". The language in an earlier
version of the same guidance was this:

b. the software of the cryptographic module does not require
modification when ported (platform specific configuration modifications
are excluded).

which left the source code issue ambiguous, but in practice NIST/CSE did
not validate any source code and told everyone verbally that source code
could not be validated. I'd love to know how the OpenSSL team got
NIST/CSE to change their mind.
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
Tolga Acar wrote:
> Well, that is sort of my point.
> SHA1 is not a signature algorithm, sha1-with-rsa is, and that RSA is not
> a certified algorithm in OpenSSL's FIPS 140 certification,
> sha1-with-rsa isn't, either.
> Perhaps, my understanding of the OpenSSL FIPS 140 certification is not
> entirely accurate.

My fault. RSA is not validated (there are no validation tests for it),
but it will be in the code we are submitting for certification.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
Rich Salz <[EMAIL PROTECTED]> writes:

>Sure, that's why it's *the first.* They have never done this before, and it
>is very different to how they (or their Ft Meade experts) have done things
>before. I suppose one could argue that they're doing this for Level 1 to
>increase the industry demand for Level 2, but I'm not that paranoid. I think
>they finally "get it."

I think this uniquely broad certification, if permitted, would be mostly a
sign that the politicians have finally won out over the certification
purists. Let me explain... it's been known for a long time (at least from
talking to evaluators, I don't know if NIST will admit to it) that there's
large-scale use of unevaluated crypto going on, with the FIPS eval
requirement being ignored by USG agencies, contractors, etc etc whenever it
gets in the way of them getting their job done.

If NIST allow this extremely broad certification, it'd be a sign that
they're following the Calvin and Hobbes recipe for success: "The secret to
[success] is to lower your expectations to the point where they're already
met". In other words the unevaluated crypto problem (or a major part of it)
suddenly goes away, and it's possible to report that the certification
effort has been wonderfully successful, because a large portion of the
noncompliant usage is (at least on paper) magically made compliant
overnight.

The only potential downside to this is that a pile of vendors who
previously got a very narrowly-interpreted certification will presumably be
queueing up to do the "I'll have what she's having" thing as soon as an
open-ended certification is issued.

As with others who have commented on this, I'm going to believe this when I
see it.

Peter.
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
Thor Lancelot Simon wrote:
> On Mon, Sep 08, 2003 at 10:49:02AM -0600, Tolga Acar wrote:
> > On a second thought, that there is no key management algorithm
> > certified, how would one set up a SSL connection in FIPS mode?
> >
> > It seems to me that, it is not possible to have a FIPS 140 certified
> > SSL/TLS session using the OpenSSL's certification.
>
> SSL's not certifiable, period.

I realize that, FIPS 140 addresses crypto modules with cryptographic
algorithms, not protocols like SSL. Although in "cryptomodule" terms
"SSL's not certifiable" is not necessarily a correct claim. You can
certainly certify one big module including cryptography, including the
entire SSL protocol for FIPS 140. That would be somewhat bizarre, though.
But, that's not my point. The question was, how would one claim that he
is using FIPS certified cryptography *under* OpenSSL, if the crypto layer
does not have a FIPS certified key management (read RSA) algorithm?

> TLS has been held to be certifiable, and products using TLS have been
> certified. However, it's necessary to disable any use of MD5 in the
> certificate validation path. When I had a version of OpenSSL certified
> for use in a product at my former employer, I had to whack the OpenSSL
> source to throw an error if in FIPS mode and any part of the certificate
> validation path called the MD5 functions. Perhaps this has been done in
> the version currently undergoing certification. You'll also need

Yeah, been there. I think my current company (Novell) suggested that, not
sure what happened.

> certificates that use SHA1 as the signing algorithm, which some public
> CAs cannot provide (though most can, and will if the certificate request
> itself uses SHA1 as the signing algorithm).

Well, that is sort of my point.
SHA1 is not a signature algorithm, sha1-with-rsa is, and that RSA is not
a certified algorithm in OpenSSL's FIPS 140 certification,
sha1-with-rsa isn't, either.
Perhaps, my understanding of the OpenSSL FIPS 140 certification is not
entirely accurate.

> The use of MD5 in the TLS protocol itself is okay, because it is always
> used in combination with SHA1 in the PRF. We got explicit guidance from
> NIST on this issue.

Yes, but I am addressing signature generation and verification, and more
importantly key exchange: encrypting the PMS and such.

> Thor

- Tolga
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
On Mon, Sep 08, 2003 at 10:49:02AM -0600, Tolga Acar wrote:
> On a second thought, that there is no key management algorithm
> certified, how would one set up a SSL connection in FIPS mode?
>
> It seems to me that, it is not possible to have a FIPS 140 certified
> SSL/TLS session using the OpenSSL's certification.

SSL's not certifiable, period.

TLS has been held to be certifiable, and products using TLS have been
certified. However, it's necessary to disable any use of MD5 in the
certificate validation path. When I had a version of OpenSSL certified
for use in a product at my former employer, I had to whack the OpenSSL
source to throw an error if in FIPS mode and any part of the certificate
validation path called the MD5 functions. Perhaps this has been done in
the version currently undergoing certification. You'll also need
certificates that use SHA1 as the signing algorithm, which some public
CAs cannot provide (though most can, and will if the certificate request
itself uses SHA1 as the signing algorithm).

The use of MD5 in the TLS protocol itself is okay, because it is always
used in combination with SHA1 in the PRF. We got explicit guidance from
NIST on this issue.

Thor
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
On a second thought, that there is no key management algorithm
certified, how would one set up a SSL connection in FIPS mode?

It seems to me that, it is not possible to have a FIPS 140 certified
SSL/TLS session using the OpenSSL's certification.

- Tolga
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
On Sat, Sep 06, 2003 at 07:33:55PM +0100, Ben Laurie wrote:
> Prepare to be very surprised, then.

Do you have *written* guidance from NIST/CSE that your approach is ok?
(Not the testing lab, what they say don't really count in the end, and
neither does what NIST/CSE say verbally.) If so can you please post that
written guidance?

> This is all good fun, coz I'm mandating static libraries for OpenSSL, so
> that the evidential chain can be maintained (it's hard to find a DSO in a
> cross-platform manner so you can checksum it).

If NIST/CSE is really allowing OpenSSL source code and static libraries
to be validated, I should go back to them and demand the same treatment
for Crypto++. Who have you been working with on the government's side?
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
Wei Dai wrote:
> On Fri, Sep 05, 2003 at 04:15:22PM -0400, Anton Stiglic wrote:
>
>>You are correct, I just saw Crypto++ in the list of FIPS 140 validated
>>modules:
>>http://csrc.nist.gov/cryptval/140-1/140val-all.htm
>>It is the latest entry, added today.
>>Congratulations to Wei Dai!
>
> Thanks! Also thanks to Groove Networks (the company I work for) for
> spending the money to do the validation.
>
>>OpenSSL's *source code* being evaluated remains exciting.
>
> If OpenSSL source code gets validated, I'm going to be very surprised.

Prepare to be very surprised, then.

> NIST told us in no uncertain terms that only compiled executable code
> could be validated. In fact they wouldn't even validate Crypto++ as a
> static library despite an earlier verbal agreement that a static
> library was ok. It had to be turned into a DLL at the last moment (i.e.
> during the review phase).

This is all good fun, coz I'm mandating static libraries for OpenSSL, so
that the evidential chain can be maintained (it's hard to find a DSO in a
cross-platform manner so you can checksum it).

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
Joshua Hill wrote:
> On Fri, Sep 05, 2003 at 06:02:10PM -0400, Wei Dai wrote:
>
>>In fact they wouldn't even validate Crypto++ as a
>>static library despite an earlier verbal agreement that a static
>>library was ok. It had to be turned into a DLL at the last moment (i.e.
>>during the review phase).
>
> That's unfortunate. The answer as to the static vs dynamic library issue
> seems to vary according to who at NIST reviews the report. I've never
> understood NIST's general objection to static libraries.
>
>>(We wanted to avoid making a DLL from Crypto++ since it has so many
>>algorithms. With a static library the linker would only bring in the
>>algorithms you use, but a DLL has to contain a pre-selected set of
>>algorithms. I ended up putting only FIPS Approved algorithms in the
>>DLL, and made a second static library that contains only
>>non-Approved algorithms, so that both could be used together.)
>
> So, having said that, I can say that pulling out bits of the evaluated
> module won't fly. All of it would have to go in, or none of it. Further,
> the module needs to have some way of checking its authenticity (for the
> operating environment area requirements) and its integrity on "power up".
> As such, you'll either need to be able to "locate" the module within
> the resulting executable, or verify the entire resulting executable.

I disagree. OpenSSL has a check of authenticity that works with static
libraries and linking only some of the module. I'll shout to this list
when I've written down exactly how the process works (or you can look at
CVS, coz I checked it in this afternoon [err, I think, I had some weird
problems with CVS later, so perhaps waiting a little might be advised]).

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
> On Fri, Sep 05, 2003 at 04:05:07PM -0400, Rich Salz wrote:
> > It is the first *source code* certification.
>
> The ability to do this runs counter to my understanding of FIPS 140-2.

Sure, that's why it's *the first.* They have never done this before, and
it is very different to how they (or their Ft Meade experts) have done
things before. I suppose one could argue that they're doing this for
Level 1 to increase the industry demand for Level 2, but I'm not that
paranoid. I think they finally "get it."

Also, while I don't know anything beyond what's in the public email, but
based on the initial reference platform I'll jump to some conclusions
about who's involved, and they're folks with a great deal of
credibility, experience, and influence in export and govt crypto issues.

Anyhow, if you are interested in details, read the articles (3 at last
check) in the thread from the original URL I posted. You did read before
posting, right? :)

/r$
--
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview      http://www.datapower.com/xmldev/xmlsecurity.html
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
On Fri, Sep 05, 2003 at 06:02:10PM -0400, Wei Dai wrote:
> In fact they wouldn't even validate Crypto++ as a
> static library despite an earlier verbal agreement that a static
> library was ok. It had to be turned into a DLL at the last moment (i.e.
> during the review phase).

That's unfortunate. The answer as to the static vs dynamic library issue
seems to vary according to who at NIST reviews the report. I've never
understood NIST's general objection to static libraries.

> (We wanted to avoid making a DLL from Crypto++ since it has so many
> algorithms. With a static library the linker would only bring in the
> algorithms you use, but a DLL has to contain a pre-selected set of
> algorithms. I ended up putting only FIPS Approved algorithms in the
> DLL, and made a second static library that contains only
> non-Approved algorithms, so that both could be used together.)

So, having said that, I can say that pulling out bits of the evaluated
module won't fly. All of it would have to go in, or none of it. Further,
the module needs to have some way of checking its authenticity (for the
operating environment area requirements) and its integrity on "power up".
As such, you'll either need to be able to "locate" the module within
the resulting executable, or verify the entire resulting executable.

Josh
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
Joshua Hill wrote:
> On Fri, Sep 05, 2003 at 04:05:07PM -0400, Rich Salz wrote:
> > It is the first *source code* certification.
>
> The ability to do this runs counter to my understanding of FIPS 140-2.

. and to experiences with the previous FIPS 140-1 certifications I was
involved in, including a fairly recent communication from NIST that
defines a "crypto module": it is not a statically linked library, and
that it ought to be an executable or a shared library (so,dll).

> Second, it is unclear to me what would be tested during operational
> testing. The source code can't itself be a module, because the source
> code doesn't do anything until it is compiled and run. FIPS 140-2
> currently only allows for fully functional units to be modules; you'll
> note, for instance, that FIPS certs for "software" modules are listed as
> a "multi-chip standalone" embodiment, for instance. NIST was talking
> about producing documents that would support a true "software only"
> embodiment, but that initiative seems to have stalled with the change of
> directors of the CMVP (the NIST group that issues FIPS 140-2 certs).

Can you say that the C/asm source code is the "code" that constitutes a
"module", and define compiler/linker/OS/CPU as your execution environment
for FIPS 140 purposes? Think Java, for instance.
I realize this is stretching too thin. and can think of lots of reasons
why it can't be. But...

> Third, nominally, the FIPS certificate only applies to the particular
> operating system (and OS version) that the operational testing was done
> on. For level 1 modules, NIST has historically allowed OSes in the same
> "family" to also be covered, and they have been very liberal in their
> definition of "family".

I have seen evidences that this restriction has become exceptionally
loose, and that the "family" can be as broad as "UNIX-like" systems...

- Tolga
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
On Fri, Sep 05, 2003 at 04:15:22PM -0400, Anton Stiglic wrote:
> You are correct, I just saw Crypto++ in the list of FIPS 140 validated
> modules:
> http://csrc.nist.gov/cryptval/140-1/140val-all.htm
> It is the latest entry, added today.
> Congratulations to Wei Dai!

Thanks! Also thanks to Groove Networks (the company I work for) for
spending the money to do the validation.

> OpenSSL's *source code* being evaluated remains exciting.

If OpenSSL source code gets validated, I'm going to be very surprised.
NIST told us in no uncertain terms that only compiled executable code
could be validated. In fact they wouldn't even validate Crypto++ as a
static library despite an earlier verbal agreement that a static
library was ok. It had to be turned into a DLL at the last moment (i.e.
during the review phase).

(We wanted to avoid making a DLL from Crypto++ since it has so many
algorithms. With a static library the linker would only bring in the
algorithms you use, but a DLL has to contain a pre-selected set of
algorithms. I ended up putting only FIPS Approved algorithms in the
DLL, and made a second static library that contains only
non-Approved algorithms, so that both could be used together.)
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
On Fri, Sep 05, 2003 at 04:05:07PM -0400, Rich Salz wrote:
> It is the first *source code* certification.

The ability to do this runs counter to my understanding of FIPS 140-2.

First, there are a series of requirements that deal with executable
binary authentication that I'm not sure could be met.

Second, it is unclear to me what would be tested during operational
testing. The source code can't itself be a module, because the source
code doesn't do anything until it is compiled and run. FIPS 140-2
currently only allows for fully functional units to be modules; you'll
note, for instance, that FIPS certs for "software" modules are listed as
a "multi-chip standalone" embodiment, for instance. NIST was talking
about producing documents that would support a true "software only"
embodiment, but that initiative seems to have stalled with the change of
directors of the CMVP (the NIST group that issues FIPS 140-2 certs).

Third, nominally, the FIPS certificate only applies to the particular
operating system (and OS version) that the operational testing was done
on. For level 1 modules, NIST has historically allowed OSes in the same
"family" to also be covered, and they have been very liberal in their
definition of "family".

Those seem like the big problems. NIST has historically been intractable
on these issues. That's not to say that they couldn't have changed their
mind, but doing so would require that they go against previously issued
(formal) guidance and many verbal conversations.

I don't want to rain on anyone's parade. If the OpenSSL cert goes
through, and the certificate covers the code itself, then I assure you
that I'll be cheering just as loudly as anyone. Sadly, I honestly suspect
that this won't be the case. It would require too many broad
interpretation changes on NIST's part, and it would require that they
contradict their previous guidance, which isn't something they do very
often.

Josh
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
> On Fri, Sep 05, 2003 at 01:32:21PM -0400, Anton Stiglic wrote:
> > If I'm not mistaken, this would be the first free,
> > open-source, crypto library that has FIPS 140 module certification!
>
> I believe that this is incorrect.
>
> The two open-source projects that I'm aware of that have FIPS 140 certs
> are The Crypto++ Library, (cert 343, issued today) and The Mozilla
> project's NSS, which was certified by SUN under FIPS 140-1, levels 1
> and 2. (certs 247 and 248).

You are correct, I just saw Crypto++ in the list of FIPS 140 validated
modules:
http://csrc.nist.gov/cryptval/140-1/140val-all.htm
It is the latest entry, added today.
Congratulations to Wei Dai!

I was not aware of NSS before, there might be others as well which I am
not aware of then.

OpenSSL's *source code* being evaluated remains exciting.

Thanks for the information Joshua and Rich!

--Anton
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
Anton Stiglic:
> If I'm not mistaken, this would be the first free,
> open-source, crypto library that has FIPS 140 module certification!

It is the first *source code* certification.

Joshua Hill:
> The two open-source projects that I'm aware of that have FIPS 140 certs
> are The Crypto++ Library, (cert 343, issued today) and The Mozilla
> project's NSS, which was certified by SUN under FIPS 140-1, levels 1
> and 2. (certs 247 and 248).

#343 is certifying a particular windows DLL for which source is
available. Similarly, 247 and 248 are particular instances of Windows and
Solaris libraries. In all three of those cases, you can take the source
and run it on your o/s, but you need to go get re-certified.

The more I think about it, the more amazing this is. Anyone in the world
can now build an SSL/TLS application and be FIPS 140-2L1 certified.

/r$
--
Rich Salz, Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview      http://www.datapower.com/xmldev/xmlsecurity.html
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
On Fri, Sep 05, 2003 at 01:32:21PM -0400, Anton Stiglic wrote:
> If I'm not mistaken, this would be the first free,
> open-source, crypto library that has FIPS 140 module certification!

I believe that this is incorrect.

The two open-source projects that I'm aware of that have FIPS 140 certs
are The Crypto++ Library, (cert 343, issued today) and The Mozilla
project's NSS, which was certified by SUN under FIPS 140-1, levels 1
and 2. (certs 247 and 248).

Josh
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
Really exciting news. If I'm not mistaken, this would be the first free,
open-source, crypto library that has FIPS 140 module certification!
Other free open-source libraries have algorithms that have been FIPS 140
certified, but the whole module hasn't been certified (example Cryptlib
and Crypto++).

And OpenSSL crypto module runs on all kinds of platforms.

Really nice!

--Anton

- Original Message -
From: "Rich Salz" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 05, 2003 10:50 AM
Subject: OpenSSL *source* to get FIPS 140-2 Level 1 certification

> This is tremendously exciting. For the first time ever, NIST will be
> certifying a FIPS 140 implementation based on the source code. As long
> as the "pedigree" of the source is tracked, and checked at run-time,
> then applications can claim FIPS certification.
>
> For details:
> http://groups.google.com/groups?dq=&hl=en&lr=&ie=UTF-8&threadm=bj9mos%242tbt%241%40FreeBSD.csie.NCTU.edu.tw&prev=/groups%3Fgroup%3Dmailing.openssl.users
>
> /r$