[14098] in cryptography@c2.net mail archive


Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

daemon@ATHENA.MIT.EDU (Tolga Acar)
Mon Sep 8 19:23:31 2003

X-Original-To: cryptography@metzdowd.com
Date: Mon, 08 Sep 2003 15:21:35 -0600
From: Tolga Acar <t.acar@computer.org>
Cc: cryptography@metzdowd.com
In-Reply-To: <20030908202544.GA29570@rek.tjls.com>

Thor Lancelot Simon wrote:

>On Mon, Sep 08, 2003 at 10:49:02AM -0600, Tolga Acar wrote:
>
>>On second thought, given that there is no key management algorithm
>>certified, how would one set up an SSL connection in FIPS mode?
>>
>>It seems to me that it is not possible to have a FIPS 140 certified
>>SSL/TLS session using the OpenSSL's certification.
>
>SSL's not certifiable, period.
>
I realize that FIPS 140 addresses crypto modules with cryptographic
algorithms, not protocols like SSL.
Although in "cryptomodule" terms, "SSL's not certifiable" is not
necessarily a correct claim. You can certainly certify one big module
including cryptography, including the entire SSL protocol, for FIPS 140.
That would be somewhat bizarre, though.
But that's not my point. The question was, how would one claim that he
is using FIPS certified cryptography *under* OpenSSL if the crypto
layer does not have a FIPS certified key management (read RSA) algorithm?

>TLS has been held to be certifiable, and products using TLS have been
>certified.  However, it's necessary to disable any use of MD5 in the
>certificate validation path.  When I had a version of OpenSSL certified
>for use in a product at my former employer, I had to whack the OpenSSL
>source to throw an error if in FIPS mode and any part of the certificate
>validation path called the MD5 functions.  Perhaps this has been done
>in the version currently undergoing certification.  You'll also need
>
Yeah, been there.
I think my current company (Novell) suggested that, not sure what happened.

>certificates that use SHA1 as the signing algorithm, which some public
>CAs cannot provide (though most can, and will if the certificate request
>itself uses SHA1 as the signing algorithm).
>
Well, that is sort of my point.
SHA1 is not a signature algorithm, sha1-with-rsa is, and as RSA is not
a certified algorithm in OpenSSL's FIPS 140 certification,
sha1-with-rsa isn't, either.
Perhaps my understanding of the OpenSSL FIPS 140 certification is not
entirely accurate.

>The use of MD5 in the TLS protocol itself is okay, because it is always
>used in combination with SHA1 in the PRF.  We got explicit guidance from
>NIST on this issue.
>
Yes, but I am addressing signature generation and verification, and more 
importantly key exchange: encrypting the PMS and such.

>
>Thor
>
- Tolga



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
