[148331] in cryptography@c2.net mail archive

home help back first fref pref prev next nref lref last post

Re: [Cryptography] Something weird about FIPS 140-2

daemon@ATHENA.MIT.EDU (Stephan Mueller)
Sun Dec 1 15:11:04 2013

X-Original-To: cryptography@metzdowd.com
From: Stephan Mueller <smueller@chronox.de>
To: cryptography@metzdowd.com
Date: Sun, 01 Dec 2013 13:27:03 +0100
In-Reply-To: <CACsn0ckH55cUOeiSxsbDAK=eS93VStX5uZms16FJPyx2=7LhZg@mail.gmail.com>
Cc: Watson Ladd <watsonbladd@gmail.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

Am Freitag, 29. November 2013, 20:31:17 schrieb Watson Ladd:

Hi Watson,

> It being the day after Thanksgiving I decided to read crypto
> standards. And in the process of reading FIPS 140-2 I came across
> section 4.6.1, mandating a single operator and no preemption of
> processes doing cryptography. How exactly could OpenSSL on a COTS
> operating system ever meet the requirements of FIPS 140-2 given that
> section?
> 
The single operator requirement implies that the module is intended for a 
single purpose only. It has NOTHING to do with the single user mode of a 
Unix/Linux system.

For example, if you have, say, a system with a webserver that uses OpenSSL 
that itself hosts multiple users, you are in line with that FIPS 
requirement, because you only have one single user (read: purpose) of the 
lib and that is to serve that web server.

The reason for that requirement is that FIPS at level 1 does not place any 
requirement on the underlying environment. I.e. you could use something 
like DOS to host your system. As there is no requirement for 
process/memory separation, there is the requirement that the entire system 
is to be used for one dedicated purpose only.


> Could someone deign to explain to me what exactly FIPS validation
> means for software?

Not sure what you are asking here.

> It appears that is nothing beyond an excuse to implement DUAL_EC_DRBG.

This is FUD.

> Sincerely,
> Watson
> _______________________________________________
> The cryptography mailing list
> cryptography@metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography


Ciao
Stephan
-- 
| Cui bono? |
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
home help back first fref pref prev next nref lref last post