Thanks Steve. Is there a standard documentation, which says these are FIPS compliant ciphers / macs / kex algorithms.
Meaning I would need to know, if aes128-cbc is FIPS compliant/ aes128-ctr is FIPS compliant. Similarly for macs, kex algorithms as well. On Wed, Jul 16, 2014 at 4:47 PM, Steve Marquess-3 [via OpenSSL] < ml-node+s6102n52085...@n7.nabble.com> wrote: > On 07/15/2014 09:38 AM, Sadhana wrote: > > > Hello All, > > > > I have a requirement to make Openssh FIPS compliant. It would be really > > helpful, if you could answer the > > below question and correct me if I am wrong. > > > > I also understand there is a module called as fipscanister.o is > introduced > > in Openssl. > > This ensures, FIPS compliancy. This also, exposes the API FIPS_mode and > > FIPS_set_mode. > > We have already integrated openssl with fipscanister.o. > > > > Is there any way by which, Openssh can make use of fipscanister module > > directly? > > > > I understand, Openssh needs to call FIPS_mode, FIPS_set_mode to ensure > it > > operates in FIPS mode. > > I understand, few of the ciphers, MACs, kex algorithms are fips > compliant > > and few others are not. > > Hence, openssh code has to be modified to allow only those which are > fips > > compliant. > > > > Are there any more stuff which needs to be done? > > Yes. Converting an application to use the "FIPS capable" OpenSSL and > qualify as using a FIPS 140-2 validated crypto module *can* be as simple > as adding a FIPS_mode_set() call. However, modifying OpenSSH for FIPS > 140-2 compliance is non-trivial as OpenSSH implements a number of > cryptographic operations outside of OpenSSL. It's not enough that only > cryptographic algorithms allowed by FIPS 140-2 are used, those crypto > operations must be performed *within* a validated module. > > Or in other words, an application which hopes to claim to satisfy the > USG/DoD requirements for FIPS 140-2 validated cryptography must use > validated module(s) for all relevant cryptography. The "FIPS capable" > OpenSSL libraries satisfy that requirement but only if OpenSSL is used > exclusively. > > You can find a patch at > > > > http://opensslfoundation.com/export/openssh/openssh-6.0p1.fips-revised.patch > > which adapts a now obsolete version of OpenSSH to use the FIPS capable > OpenSSL. New inlined cryptography has been added since then so I suspect > additional non-trivial work will be necessary. I haven't been keeping > track but other newer patches may be available elsewhere. > > Also note than in a U.S. DoD context you'll probably need x.509 support > as well (this is available in patches from Roumen Petrov). > > -Steve M. > > -- > Steve Marquess > OpenSSL Software Foundation, Inc. > 1829 Mount Ephraim Road > Adamstown, MD 21710 > USA > +1 877 673 6775 s/b > +1 301 874 2571 direct > [hidden email] <http://user/SendEmail.jtp?type=node&node=52085&i=0> > [hidden email] <http://user/SendEmail.jtp?type=node&node=52085&i=1> > gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List [hidden email] > <http://user/SendEmail.jtp?type=node&node=52085&i=2> > Automated List Manager [hidden email] > <http://user/SendEmail.jtp?type=node&node=52085&i=3> > > > ------------------------------ > If you reply to this email, your message will be added to the discussion > below: > > http://openssl.6102.n7.nabble.com/Making-Open-SSH-FIPS-compliant-tp52064p52085.html > To unsubscribe from Making Open SSH FIPS compliant, click here > <http://openssl.6102.n7.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=52064&code=c2FkaGFuYS4xMkBnbWFpbC5jb218NTIwNjR8LTQ1NjA5NzMw> > . > NAML > <http://openssl.6102.n7.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml> > -- View this message in context: http://openssl.6102.n7.nabble.com/Making-Open-SSH-FIPS-compliant-tp52064p52092.html Sent from the OpenSSL - User mailing list archive at Nabble.com.
