a_l t wrote:
I understand the requirements of FIPS validation. The product is designed for Federal market so it must has FIPS validation. The code uses only PRNG and AES, it doesn't use any of the other algorithms, that were my question came from. My problem is really not at the start up of the system, there I can wait a minute for the tests to complete. My problem is in cases were the DSP crashes (and unfortunately it happens once in a while). When a crash happens we have a recovery mechanism that loads the DSP again and there I have a problem to wait a minute.
That is a problem, but in the context of the OpenSSL FIPS Object Module you have no alternatives. The Power Up Self Test is an all-or-nothing proposition. You could strip out the other KATs (Known Answer Tests) and algorithms easily enough, but the result wouldn't be validated.
In principle the module and validation could have provided a reduced functionality mode (we've had other requests for a FIPS "lite"), but each such variation drives up the validation costs and schedule. Each such permutation would need to be performed on each platform, doubling the incremental testing cost (i.e. the 8 sets of tests for that validation would have become 16).
-Steve M. -- Steve Marquess Open Source Software Institute marqu...@oss-institute.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
