I'm new to the OpenSSL/FIPS discussion and I am not familiar with OpenSSL for FIPS but I do have some experience with FIPS certification.
First of all, I assume that we are talking about FIPS 140-2 [or 3, but that's not mandatory anywhere yet]. There are also FIPS publications on the cryptographic algorithm transforms, and NIST offers certifications that a particular implementation meets the standard. Those NIST certifications are necessary but by no means sufficient to get a FIPS 140 certification.

As Kyle Hamilton mentioned in an earlier post, FIPS 140 certifies a cryptographic module, and a lot of effort goes into guaranteeing that no secret passes over that boundary. If you are building a crypto board or chip, then the boundary can be the board or chip. If you are using software, then the CM boundary is going to be the box that contains your whole system.

I am not familiar with what the OpenSSL FIPS version offers, but there are lots of things that could be helpful to gaining FIPS 140 certification. Cryptographically signed and tested bootloading, certain self-test capabilities and administrator authentication are some examples of the requirements. In short, using OpenSSL may help in getting FIPS 140, but it is not the whole story by a long shot.

Now perhaps someone familiar with OpenSSL FIPS could explain what makes it FIPS.

Regards,
Hank Cohen
Hifn

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Salz
> Sent: Wednesday, April 12, 2006 8:10 PM
> To: openssl-users@openssl.org
> Subject: Re: Not FIPS if app uses other crypto?
>
> It seems to me that the question is this: can an application use two
> FIPS-certified toolkits at the same time? For example, a FIPS-certified
> device for doing private key operations, and FIPS software for doing
> symmetric key operations. The answer is yes. (There will be issues and
> difficulties, of course: sharing key material, for example, may be
> impossible.)
>
> Most applications using FIPS toolkits use hardware devices or binary-only
> libraries, where the API is not changeable. As an open source
> distribution, the caveat to "stay within the boundaries" by not using
> other than the FIPS APIs is worth particular mention.
>
> /r$
>
> --
> SOA Appliances
> Application Integration Middleware
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]