Re: FIPS compliant openssl possible within the FreeBSD build systems?




On Mar 6, 2011, at 7:20 PM, Alexander Sack wrote:

On Sun, Mar 6, 2011 at 5:16 PM, jw011235 <jw011235@xxxxxxxxx> wrote:

On Mar 6, 2011, at 4:22 PM, Simon L. B. Nielsen wrote:


On 3 Mar 2011, at 18:23, Alexander Sack wrote:

On Mon, Feb 28, 2011 at 7:33 PM, Alexander Sack <pisymbol@xxxxxxxxx>
wrote:

Hello:

I am a bit confused! I am reading the FIPS user guide and the
following document:

http://www.openssl.org/docs/fips/fipsnotes.html

I quote

"If even the tiniest source code or build process changes are required
for your intended application, you cannot use the open source based
validated module directly. You must obtain your own validation. This
situation is common; see "Private Label" validation, below. "

Also, the openssl distribution has to match the right PGP keys.

So to those who are more of Openssl/FIPS experts than I, I have some
basic questions:

1) I assume if it impossible to make a FIPS capable openssl
distribution straight out of the FreeBSD source tree without "Private
Validation" as defined in the document above? (i.e. you can certainly
build it this way but you are violating the guidelines for FIPS
Compliance or do the maintainers out of src/crypto/openssl ENSURE that
the distro in that tree is equivalent to the openssl distro, even for
PGP key checks?)

[...]

I guess to put things more simply:

Is the distribution integrated within the FreeBSD source tree been
validated against its PGP keys so it can be built FIPS capable?

For all the imports I did of OpenSSL to the FreeBSD base system (which
means any OpenSSL import since FreeBSD 7.0), the PGP key for the source tar
was verified. That said, in the FreeBSD base system totally replace the
OpenSSL build system and 'manually' apply fixes for the OpenSSL security
issues we certainly don't build OpenSSL unmodified.

I never had a reason to look at OpenSSL FIPS, so I don't really know if
it's possible to get it working on FreeBSD, but it's possible you can
manually build and install stock OpenSSL by hand.

--
Simon L. B. Nielsen
Hats: Ex-OpenSSL maintainer, FreeBSD Deputy Security Officer

_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to
"freebsd-security-unsubscribe@xxxxxxxxxxx"


I've been running OpenSSL FIPS for several years now on FreeBSD so it's
certainly possible. It's not terribly hard to compile but I wouldn't do it
through the ports. Download the source ( I used the 0.9 source ) and FIPS
instructions and compile by hand.

Certifying your installation through NIST is an entirely different matter.
My company elected to put off the process until we had a contract to justify
the expense and time involved. You'll have to dig for it, but the NIST
website has details on the process.

Wait, is NIST cert required to be FIPS capable? I don't think so.

-aps

Using the OpenSSL FIPS code is not enough to claim your products or services built upon it are FIPS 140-2 certified. You have to go through the certification process with NIST since they are responsible for the specification. There's a disclaimer with the OpenSSL FIPS instructions and source which basically states as much. I suppose you could claim that you are FIPS 140-2 compliant but I'm not a legal expert and don't know what you may or may not claim in terms of FIPS compliance or "capability".

If you're working with the U.S Government or subcontracting to someone who is, you will eventually need the certification to seal the deal for full funding (or at least be going through the certification process), otherwise, how would they know you meet the specification? (three letter agencies tend to be sticklers for wanting proof of that sort of thing :P) If you're not doing business with Uncle Sam then no problem, but then why bother with FIPS 140-2? It's basically a pain. YMMV, but that's your business.

Regards,
Jason Williams



_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"



Relevant Pages

  • Re: FIPS compliant openssl possible within the FreeBSD build systems?
    ... the openssl distribution has to match the right PGP keys. ... I assume if it impossible to make a FIPS capable openssl ... Is the distribution integrated within the FreeBSD source tree been ...
    (FreeBSD-Security)
  • Re: OpenSSL Hacks
    ... FIPS 140-x does not include a full security review. ... For a level 1 software validation, such as OpenSSL has achieved, this ... Appendix B of the provided Security Policy ... specifies the complete set of source files of this module. ...
    (sci.crypt)
  • Re: FIPS compliant openssl possible within the FreeBSD build systems?
    ... the openssl distribution has to match the right PGP keys. ...  I assume if it impossible to make a FIPS capable openssl ... Is the distribution integrated within the FreeBSD source tree been ...
    (FreeBSD-Security)
  • Re: OpenSSL receives FIPS 140-2 certification
    ... > IT Security Laboratory, PreVal Specialists, Inc., and representatives ... > from the OpenSSL Project. ... > SUSE Linux 9.0. ... The OpenSSL FIPS Cryptographic Module, ...
    (sci.crypt)
  • Re: [FDE] How important is FIPS 140-2 Level 1 cert?
    ... | FIPS 140-2 Level 1 certification. ... | If two products have exactly same feature set, but one is FIPS ... the point of indifference -- the differential ... on anything regardless"), and risk aversion. ...
    (Security-Basics)