[148331] in cryptography@c2.net mail archive
Re: [Cryptography] Something weird about FIPS 140-2
daemon@ATHENA.MIT.EDU (Stephan Mueller)
Sun Dec 1 15:11:04 2013
X-Original-To: cryptography@metzdowd.com
From: Stephan Mueller <smueller@chronox.de>
To: cryptography@metzdowd.com
Date: Sun, 01 Dec 2013 13:27:03 +0100
In-Reply-To: <CACsn0ckH55cUOeiSxsbDAK=eS93VStX5uZms16FJPyx2=7LhZg@mail.gmail.com>
Cc: Watson Ladd <watsonbladd@gmail.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
Am Freitag, 29. November 2013, 20:31:17 schrieb Watson Ladd:
Hi Watson,
> It being the day after Thanksgiving I decided to read crypto
> standards. And in the process of reading FIPS 140-2 I came across
> section 4.6.1, mandating a single operator and no preemption of
> processes doing cryptography. How exactly could OpenSSL on a COTS
> operating system ever meet the requirements of FIPS 140-2 given that
> section?
>
The single operator requirement implies that the module is intended for a
single purpose only. It has NOTHING to do with the single user mode of a
Unix/Linux system.
For example, if you have, say, a system with a webserver that uses OpenSSL
that itself hosts multiple users, you are in line with that FIPS
requirement, because you only have one single user (read: purpose) of the
lib and that is to serve that web server.
The reason for that requirement is that FIPS at level 1 does not place any
requirement on the underlying environment. I.e. you could use something
like DOS to host your system. As there is no requirement for
process/memory separation, there is the requirement that the entire system
is to be used for one dedicated purpose only.
> Could someone deign to explain to me what exactly FIPS validation
> means for software?
Not sure what you are asking here.
> It appears that is nothing beyond an excuse to implement DUAL_EC_DRBG.
This is FUD.
> Sincerely,
> Watson
> _______________________________________________
> The cryptography mailing list
> cryptography@metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
Ciao
Stephan
--
| Cui bono? |
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography