Hi all, I have an application that uses OpenSSL and AES 192-bit keys to encrypt data [files]. In its original incarnation, it used PBKDF2 to derive the key. In its newer form, it uses a FIPS approved PRNG to generate a random key and the key is encrypted with a large RSA key for recovery. The key can also be stored into an HSM etc. We want to use the FIPS 140-2 compliant OpenSSL module for certain customers.
Anyway, when analyzing the code, I found that the current implementation is using CBC mode but with a fixed IV for every operation - not random or nonce based. When interpreting FIPS 140-2, my understanding is that only approved security functions can be used in FIPS 140-2 compliant mode. Therefore, I assume that I need to refer to FIPS 197 for the AES standard and SP800-38a for operation of block mode ciphers. Appendix C of SP800-38a states that "for CBC and CFB modes, the IVs must be unpredictable" and details two methods for this. As we are not following SP800-38a, which states "must", does that invalidate the FIPS 140-2 compliance of AES use? SP800-38a is only a recommendations publication, but does state that conformance testing of the specified modes of operation [...] will be conducted within the framework of the CMVP.

Thanks for any advice or comment,

Regards,
Carl

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
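To make the fixed-IV concern concrete, here is an added example (not code from Carl's application or from the OpenSSL project) using the openssl CLI: it shows that with a fixed CBC IV two files sharing a 16-byte prefix yield an identical first ciphertext block, and that a fresh IV from OpenSSL's RNG (SP 800-38A Appendix C, method 1) removes that leak. It assumes the `openssl` binary is on PATH; the key and plaintexts are constructed test values.

```shell
#!/bin/sh
# Constructed 24-byte (192-bit) test key in hex; not a real key.
KEY=000102030405060708090a0b0c0d0e0f1011121314151617

# Encrypt stdin with AES-192-CBC under $KEY and the hex IV given as $1;
# print the raw ciphertext as a hex string (no salt header because -K is used).
enc_cbc() {
  openssl enc -aes-192-cbc -K "$KEY" -iv "$1" | od -An -v -tx1 | tr -d ' \n'
}

# First 16 bytes (one AES block) of a hex ciphertext string.
first_block() {
  printf '%s' "$1" | cut -c1-32
}

# Fixed IV: both plaintexts start with the same 16-byte record header, so the
# first ciphertext blocks match and an observer learns the headers are equal.
# Prints "yes" when the leak is observable.
fixed_iv_leaks() {
  iv=00000000000000000000000000000000
  c1=$(printf 'ACCOUNT=0001234 secret A' | enc_cbc "$iv")
  c2=$(printf 'ACCOUNT=0001234 secret B' | enc_cbc "$iv")
  [ "$(first_block "$c1")" = "$(first_block "$c2")" ] && echo yes || echo no
}

# Per-encryption random IV from the OpenSSL RNG: same plaintexts, but the first
# blocks now differ. The IV is not secret; store it with the ciphertext so the
# decryptor can supply it. Prints "yes" when the leak is gone.
random_iv_hides() {
  c1=$(printf 'ACCOUNT=0001234 secret A' | enc_cbc "$(openssl rand -hex 16)")
  c2=$(printf 'ACCOUNT=0001234 secret B' | enc_cbc "$(openssl rand -hex 16)")
  [ "$(first_block "$c1")" = "$(first_block "$c2")" ] && echo no || echo yes
}

# Usage when run directly (not executed when the functions are sourced by a test).
if [ "${0##*/}" = "cbc_iv_demo.sh" ]; then
  echo "fixed IV leaks equal prefixes:  $(fixed_iv_leaks)"
  echo "random IV hides equal prefixes: $(random_iv_hides)"
fi
```

The same check applies to any record, not just the constructed header here: whenever the first 16 bytes of two files agree, a fixed IV makes that agreement visible in the ciphertext.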