Christian Weber wrote:
> Dear OpenSSL developers,
> currently, there are two FIPS certificates (#1111 and #1051) which
> state software version 1.2 (built upon OpenSSL 0.9.8) to comply with
> FIPS 140-2.
Correct, those two cryptographic modules have been validated by the CMVP
(http://csrc.nist.gov/groups/STM/cmvp/index.html).
> Both the library (under certain environments) and the program (CLI
> frontend) have been validated (not certified).
Incorrect. The two referenced validations are for very specifically
defined cryptographic modules. By 'program (CLI frontend)' you are
presumably thinking of the "fips_test_suite" program, and/or perhaps the
"fips_*" utility programs used for the algorithm tests. Those are not
contained within the cryptographic module boundary and hence are
validated per se. Of course they don't need to be validated because
they don't implement the cryptography for which validation is appropriate.
BTW the pedantically correct term is "FIPS 140-2 validation", not
"certification", though the latter term is often seen and taken to mean
the same thing.
> I'm unsure what that validation really means. Does it mean that
> following the policies leads to a software module that passes the
> predefined tests, or is there some more evidence that library and
> runtime do work correctly?
FIPS 140-2 validation of a cryptographic module ("product") means that
the CMVP has decreed that the product is validated when the conditions
in the associated Security Policy document are satisfied. Only the CMVP
can make that determination. The somewhat opaque process by which they
make such determinations often puzzles us laymen, but it is what it is.
Whether the library 'works correctly', in the real-world sense of an
application developer or end user, is irrelevant to the FIPS 140-2
validation. Actual utility of the validated product isn't a concern or
consideration. Note the CMVP specifically disavows any assertion of
reliability or warranty right on the validation certificates.
> Is there any documentation beyond the contents of the current
> project's website at http://www.openssl.org/ that shows the
> correctness of the implementation of the provided cryptographic
> functions?
Check out the User Guide,
http://www.openssl.org/docs/fips/UserGuide-1.2.pdf, which was written as
a more detailed complement to the Security Policy. Note, however, that
unlike the Security Policy the User Guide has not been specifically
reviewed and officially approved by the CMVP.
> I guess that before and during the validation process much more
> documentation must have been produced.
Indeed. However a FIPS 140-2 validation is a non-transparent process
where secrecy is the default -- even for open source software where no
trade secret or proprietary information concerns exist. Much of the
relevant documentation I (as the consultant representing vendors for
validations) am not even allowed to see, much of the rest I'm not
allowed to reveal under non-disclosure restrictions.
-Steve M.
--
Steve Marquess
Veridical Systems, Inc.
marqu...@veridicalsystems.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org