Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
On Mon, Sep 15, 2003 at 12:57:55PM -0400, Wei Dai wrote: I think I may have found such a written guidance myself. It's guidance G.5, dated 8/6/2003, in the latest Implementation Guidance for FIPS 140-2 on NIST's web site: http://csrc.nist.gov/cryptval/140-1/FIPS1402IG.pdf. This section seems especially relevant: For level 1 Operational Environment, the software cryptographic module will remain compliant with the FIPS 140-2 validation when operating on any general purpose computer (GPC) provided that: a. the GPC uses the specified single user operating system/mode specified on the validation certificate, or another compatible single user operating system, and b. the source code of the software cryptographic module does not require modification prior to recompilation to allow porting to another compatible single user operating system. (end quote) The key word here must be recompilation. The language in an earlier Unfortunately, another key set of words is single user. This would seem to significantly limit the value of a software-only certification... - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
Rich Salz [EMAIL PROTECTED] writes: Sure, that's why it's *the first.* They have never done this before, and it is very different to how they (or their Ft Meade experts) have done things before. I suppose one could argue that they're doing this for Level 1 to increase the industry demand for Level 2, but I'm not that paranoid. I think they finally get it. I think this uniquely broad certification, if permitted, would be mostly a sign that the politicians have finally won out over the certification purists. Let me explain... it's been known for a long time (at least from talking to evaluators, I don't know if NIST will admit to it) that there's large-scale use of unevaluated crypto going on, with the FIPS eval requirement being ignored by USG agencies, contractors, etc etc whenever it gets in the way of them getting their job done. If NIST allow this extremely broad certification, it'd be a sign that they're following the Calvin and Hobbes recipe for success: The secret to [success] is to lower your expectations to the point where they're already met. In other words the unevaluated crypto problem (or a major part of it) suddenly goes away, and it's possible to report that the certification effort has been wonderfully successful, because a large portion of the noncompliant usage is (at least on paper) magically made compliant overnight. The only potential downside to this is that a pile of vendors who previously got a very narrowly-interpreted certification will presumably be queueing up to do the I'll have what she's having thing as soon as an open-ended certification is issued. As with others who have commented on this, I'm going to believe this when I see it. Peter. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
On a second thought, that there is no key management algorithm certified, how would one set up a SSL connection in FIPS mode? It seems to me that, it is not possible to have a FIPS 140 certified SSL/TLS session using the OpenSSL's certification. - Tolga - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
On Mon, Sep 08, 2003 at 10:49:02AM -0600, Tolga Acar wrote: On a second thought, that there is no key management algorithm certified, how would one set up a SSL connection in FIPS mode? It seems to me that, it is not possible to have a FIPS 140 certified SSL/TLS session using the OpenSSL's certification. SSL's not certifiable, period. TLS has been held to be certifiable, and products using TLS have been certified. However, it's necessary to disable any use of MD5 in the certificate validation path. When I had a version of OpenSSL certified for use in a product at my former employer, I had to whack the OpenSSL source to throw an error if in FIPS mode and any part of the certificate validation path called the MD5 functions. Perhaps this has been done in the version currently undergoing certification. You'll also need certificates that use SHA1 as the signing algorithm, which some public CAs cannot provide (though most can, and will if the certificate request itself uses SHA1 as the signing algorithm). The use of MD5 in the TLS protocol itself is okay, because it is always used in combination with SHA1 in the PRF. We got explicit guidance from NIST on this issue. Thor - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
On Fri, Sep 05, 2003 at 04:15:22PM -0400, Anton Stiglic wrote: You are correct, I just saw Crypto++ in the list of FIPS 140 validated modules: http://csrc.nist.gov/cryptval/140-1/140val-all.htm It is the latest entry, added today. Congratulations to Wei Dai! Thanks! Also thanks to Groove Networks (the company I work for) for spending the money to do the validation. OpenSSL`s *source code* being evaluated remains exiting. If OpenSSL source code gets validated, I'm going to be very surprised. NIST told us in no uncertain terms that only compiled executable code could be validated. In fact they wouldn't even validate Crypto++ as a static library despite an earlier verbal agreement that a static library was ok. It had to be turned into a DLL at the last moment (i.e. during the review phase). (We wanted to avoid making a DLL from Crypto++ since it has so many algorithms. With a static library the linker would only bring in the algorithms you use, but a DLL has to contain a pre-selected set of algorithms. I ended up putting only FIPS Approved algorithms in the DLL, and made a second static library that contains only non-Approved algorithms, so that both could be used together.) - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
Joshua Hill wrote: On Fri, Sep 05, 2003 at 04:05:07PM -0400, Rich Salz wrote: It is the first *source code* certification. The ability to do this runs counter to my understanding of FIPS 140-2. . and to experiences with the previous FIPS 140-1 certifications I was involved in, including a fairly recent communication from NIST that defines a crypto module: it is not a statically linked library, and that it ought to be an executable or a shared library (so,dll). Second, it is unclear to me what would be tested during operational testing. The source code can't itself be a module, because the source code doesn't do anything until it is compiled and run. FIPS 140-2 currently only allows for fully functional units to be modules; you'll note, for instance, that FIPS certs for software modules are listed as a multi-chip standalone embodiment, for instance. NIST was talking about producing documents that would support a true software only embodiment, but that initiative seems to have stalled with the change of directors of the CMVP (the NIST group that issues FIPS 140-2 certs). Can you say that the C/asm source code is the code that constitutes a module, and define compiler/linker/OS/CPU as your execution environment for FIPS 140 purposes? Think Java, for instance. I realize this is stretching too thin. and can think of lots of reasons why it can't be. But... Third, nominally, the FIPS certificate only applies to the particular operating system (and OS version) that the operational testing was done on. For level 1 modules, NIST has historically allowed OSes in the same family to also be covered, and they have been very liberal in their definition of family. I have seen evidences that this restriction has become exceptionally loose, and that the family can be as broad as UNIX-like systems... - Tolga - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
On Fri, Sep 05, 2003 at 06:02:10PM -0400, Wei Dai wrote: In fact they wouldn't even validate Crypto++ as a static library despite an earlier verbal agreement that a static library was ok. It had to be turned into a DLL at the last moment (i.e. during the review phase). That's unfortunate. The answer as to the static vs dynamic library issue seems to vary according to who at NIST reviews the report. I've never understood NIST's general objection to static libraries. (We wanted to avoid making a DLL from Crypto++ since it has so many algorithms. With a static library the linker would only bring in the algorithms you use, but a DLL has to contain a pre-selected set of algorithms. I ended up putting only FIPS Approved algorithms in the DLL, and made a second static library that contains only non-Approved algorithms, so that both could be used together.) So, having said that, I can say that pulling out bits of the evaluated module won't fly. All of it would have to go in, or none of it. Further, the module needs to have some way of checking its authenticity (for the operating environment area requirements) and its integrity on power up. As such, you'll either need to be able to locate the module within the resulting executable, or verify the entire resulting executable. Josh - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
On Fri, Sep 05, 2003 at 04:05:07PM -0400, Rich Salz wrote: It is the first *source code* certification. The ability to do this runs counter to my understanding of FIPS 140-2. Sure, that's why it's *the first.* They have never done this before, and it is very different to how they (or their Ft Meade experts) have done things before. I suppose one could argue that they're doing this for Level 1 to increase the industry demand for Level 2, but I'm not that paranoid. I think they finally get it. Also, while I don't know anything beyond what's in the public email, but based on the initial refeference platform I'll jump to some conclusions about who's involved, and they're folks with a great deal of credibility, experience, and influence in export and govt crypto issues. Anyhow, if you are interested in details, read the articles (3 at last check) in the thread from the original URL I posted. You did read before posting, right? :) /r$ -- Rich Salz Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
Joshua Hill wrote: On Fri, Sep 05, 2003 at 06:02:10PM -0400, Wei Dai wrote: In fact they wouldn't even validate Crypto++ as a static library despite an earlier verbal agreement that a static library was ok. It had to be turned into a DLL at the last moment (i.e. during the review phase). That's unfortunate. The answer as to the static vs dynamic library issue seems to vary according to who at NIST reviews the report. I've never understood NIST's general objection to static libraries. (We wanted to avoid making a DLL from Crypto++ since it has so many algorithms. With a static library the linker would only bring in the algorithms you use, but a DLL has to contain a pre-selected set of algorithms. I ended up putting only FIPS Approved algorithms in the DLL, and made a second static library that contains only non-Approved algorithms, so that both could be used together.) So, having said that, I can say that pulling out bits of the evaluated module won't fly. All of it would have to go in, or none of it. Further, the module needs to have some way of checking its authenticity (for the operating environment area requirements) and its integrity on power up. As such, you'll either need to be able to locate the module within the resulting executable, or verify the entire resulting executable. I disagree. OpenSSL has a check of authenticity that works with static libraries and linking only some of the module. I'll shout to this list when I've written down exactly how the process works (or you can look at CVS, coz I checked it in this afternoon [err, I think, I had some weird problems with CVS later, so perhaps waiting a little might be advised]). Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
Wei Dai wrote: On Fri, Sep 05, 2003 at 04:15:22PM -0400, Anton Stiglic wrote: You are correct, I just saw Crypto++ in the list of FIPS 140 validated modules: http://csrc.nist.gov/cryptval/140-1/140val-all.htm It is the latest entry, added today. Congratulations to Wei Dai! Thanks! Also thanks to Groove Networks (the company I work for) for spending the money to do the validation. OpenSSL`s *source code* being evaluated remains exiting. If OpenSSL source code gets validated, I'm going to be very surprised. Prepare to be very surprised, then. NIST told us in no uncertain terms that only compiled executable code could be validated. In fact they wouldn't even validate Crypto++ as a static library despite an earlier verbal agreement that a static library was ok. It had to be turned into a DLL at the last moment (i.e. during the review phase). This is all good fun, coz I'm mandating static libraries for OpenSSL, so that the evidential chain can be maintained (its hard to find a DSO in a cross-platform manner so you can checksum it). Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
Really exiting news. If I'm not mistaken, this would be the first free, open-source, crypto library that has FIPS 140 module certification! Other free open-source libraries have algorithms that have been FIPS 140 certified, but the whole module hasn't been certified (exemple Cryptlib and Crypto++). And OpenSSL crypto module runs on all kinds of platforms. Really nice! --Anton - Original Message - From: Rich Salz [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, September 05, 2003 10:50 AM Subject: OpenSSL *source* to get FIPS 140-2 Level 1 certification This is termendously exciting. For the first time ever, NIST will be certifying a FIPS 140 implementation based on the source code. As long as the pedigree of the source is tracked, and checked at run-time, then applications can claim FIPS certification. For details: http://groups.google.com/groups?dq=hl=enlr=ie=UTF-8threadm=bj9mos%242tbt%241%40FreeBSD.csie.NCTU.edu.twprev=/groups%3Fgroup%3Dmailing.openssl.users /r$ - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
On Fri, Sep 05, 2003 at 01:32:21PM -0400, Anton Stiglic wrote: If I'm not mistaken, this would be the first free, open-source, crypto library that has FIPS 140 module certification! I believe that this is incorrect. The two open-source projects that I'm aware of that have FIPS 140 certs are The Crypto++ Library, (cert 343, issued today) and The Mozilla project's NSS, which was certified by SUN under FIPS 140-1, levels 1 and 2. (certs 247 and 248). Josh - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
