I have a question about storage of private keys outside of the FIPS module and about CSPs in general -

In section 4.1, Rules of Operation, rule 10 is given as:

"Secret or private keys that are input or output from an application must be input or output in encrypted form using a FIPS approved algorithm".

What are the implications of this?
If keys are input in an encrypted form how do you decrypt them?
Doesn't the key you use to decrypt them have to be input into the application in an encrypted form too? How do you ever input an unencrypted key into your application to decrypt your encrypted keys?!

Is this rule implying that for your application to be FIPS 140-2 compliant you have to passphrase protect all your keys? Does a passphrase not count as a key when input into your application?


Also in section 4.4, Critical Security Parameters, OpenSSH is given as an example and it says:

"The persistent per-user CSPs (public and private keys) are stored in the ~/.ssh/ subdirectory and the application enforces the presence of appropriate permissions (private key owned by the user account and not world readable or group writable)"

This doesn't mention any kind of encryption for the keys (I believe encrypting private keys is optional in OpenSSH?).


So basically, what kind of protection do you have to have for private keys and CSPs to conform to the security policy?


- Mike.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]