Along, with this, I am also curious to know, how the call FIPS_mode_set make an application FIPS compliant. I have gone through the below link, http://wiki.openssl.org/index.php/FIPS_mode_set() But I am seeking a little more information regarding this.
On Wed, Jul 16, 2014 at 7:11 PM, Sadhana <sadhana...@gmail.com> wrote: > Thanks Steve. > Is there a standard documentation, which says these are FIPS compliant > ciphers / macs / kex algorithms. > > Meaning I would need to know, if aes128-cbc is FIPS compliant/ aes128-ctr > is FIPS compliant. > Similarly for macs, kex algorithms as well. > > > > On Wed, Jul 16, 2014 at 4:47 PM, Steve Marquess-3 [via OpenSSL] < > ml-node+s6102n52085...@n7.nabble.com> wrote: > >> On 07/15/2014 09:38 AM, Sadhana wrote: >> >> > Hello All, >> > >> > I have a requirement to make Openssh FIPS compliant. It would be >> really >> > helpful, if you could answer the >> > below question and correct me if I am wrong. >> > >> > I also understand there is a module called as fipscanister.o is >> introduced >> > in Openssl. >> > This ensures, FIPS compliancy. This also, exposes the API FIPS_mode and >> > FIPS_set_mode. >> > We have already integrated openssl with fipscanister.o. >> > >> > Is there any way by which, Openssh can make use of fipscanister module >> > directly? >> > >> > I understand, Openssh needs to call FIPS_mode, FIPS_set_mode to ensure >> it >> > operates in FIPS mode. >> > I understand, few of the ciphers, MACs, kex algorithms are fips >> compliant >> > and few others are not. >> > Hence, openssh code has to be modified to allow only those which are >> fips >> > compliant. >> > >> > Are there any more stuff which needs to be done? >> >> Yes. Converting an application to use the "FIPS capable" OpenSSL and >> qualify as using a FIPS 140-2 validated crypto module *can* be as simple >> as adding a FIPS_mode_set() call. However, modifying OpenSSH for FIPS >> 140-2 compliance is non-trivial as OpenSSH implements a number of >> cryptographic operations outside of OpenSSL. It's not enough that only >> cryptographic algorithms allowed by FIPS 140-2 are used, those crypto >> operations must be performed *within* a validated module. >> >> Or in other words, an application which hopes to claim to satisfy the >> USG/DoD requirements for FIPS 140-2 validated cryptography must use >> validated module(s) for all relevant cryptography. The "FIPS capable" >> OpenSSL libraries satisfy that requirement but only if OpenSSL is used >> exclusively. >> >> You can find a patch at >> >> >> >> http://opensslfoundation.com/export/openssh/openssh-6.0p1.fips-revised.patch >> >> which adapts a now obsolete version of OpenSSH to use the FIPS capable >> OpenSSL. New inlined cryptography has been added since then so I suspect >> additional non-trivial work will be necessary. I haven't been keeping >> track but other newer patches may be available elsewhere. >> >> Also note than in a U.S. DoD context you'll probably need x.509 support >> as well (this is available in patches from Roumen Petrov). >> >> -Steve M. >> >> -- >> Steve Marquess >> OpenSSL Software Foundation, Inc. >> 1829 Mount Ephraim Road >> Adamstown, MD 21710 >> USA >> +1 877 673 6775 s/b >> +1 301 874 2571 direct >> [hidden email] <http://user/SendEmail.jtp?type=node&node=52085&i=0> >> [hidden email] <http://user/SendEmail.jtp?type=node&node=52085&i=1> >> gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc >> >> ______________________________________________________________________ >> OpenSSL Project http://www.openssl.org >> User Support Mailing List [hidden email] >> <http://user/SendEmail.jtp?type=node&node=52085&i=2> >> Automated List Manager [hidden email] >> <http://user/SendEmail.jtp?type=node&node=52085&i=3> >> >> >> ------------------------------ >> If you reply to this email, your message will be added to the >> discussion below: >> >> http://openssl.6102.n7.nabble.com/Making-Open-SSH-FIPS-compliant-tp52064p52085.html >> To unsubscribe from Making Open SSH FIPS compliant, click here >> <http://openssl.6102.n7.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=52064&code=c2FkaGFuYS4xMkBnbWFpbC5jb218NTIwNjR8LTQ1NjA5NzMw> >> . >> NAML >> <http://openssl.6102.n7.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml> >> > > -- View this message in context: http://openssl.6102.n7.nabble.com/Making-Open-SSH-FIPS-compliant-tp52064p52105.html Sent from the OpenSSL - User mailing list archive at Nabble.com.
