[Cryptography] Something weird about FIPS 140-2
Stephan Mueller
smueller at chronox.de
Sun Dec 1 07:27:03 EST 2013
Am Freitag, 29. November 2013, 20:31:17 schrieb Watson Ladd:
Hi Watson,
> It being the day after Thanksgiving I decided to read crypto
> standards. And in the process of reading FIPS 140-2 I came across
> section 4.6.1, mandating a single operator and no preemption of
> processes doing cryptography. How exactly could OpenSSL on a COTS
> operating system ever meet the requirements of FIPS 140-2 given that
> section?
>
The single operator requirement implies that the module is intended for a
single purpose only. It has NOTHING to do with the single user mode of a
Unix/Linux system.
For example, if you have, say, a system with a webserver that uses OpenSSL
that itself hosts multiple users, you are in line with that FIPS
requirement, because you only have one single user (read: purpose) of the
lib and that is to serve that web server.
The reason for that requirement is that FIPS at level 1 does not place any
requirement on the underlying environment. I.e. you could use something
like DOS to host your system. As there is no requirement for
process/memory separation, there is the requirement that the entire system
is to be used for one dedicated purpose only.
> Could someone deign to explain to me what exactly FIPS validation
> means for software?
Not sure what you are asking here.
> It appears that is nothing beyond an excuse to implement DUAL_EC_DRBG.
This is FUD.
> Sincerely,
> Watson
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
Ciao
Stephan
--
| Cui bono? |
More information about the cryptography
mailing list