This helps a lot. Thanks for the clarification. -Geoff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Marquess
Sent: Thursday, April 19, 2007 4:48 PM
To: openssl-users@openssl.org
Subject: Re: RSA Key exchange and FIPS compliance

Gatfield, Geoffrey wrote:
>
> Hello,
>
> We use OpenSSL for encryption within our application. I am now
> enhancing our application to become FIPS compliant. The OpenSSL FIPS
> Security Policy lists RSA key wrapping and key establishment as
> non-approved. But the policy states that it is included when 80 to 150
> bits of encryption strength are used. So how do I provide a key
> exchange if I want FIPS compliance?
>
> Any help is appreciated.
>
> Thanks
>
> Geoff
>

If you look at the list of CMVP approved RSA implementations
(http://csrc.nist.gov/cryptval/dss/rsaval.html) you will note that the
OpenSSL FIPS Object Module, RSA cert #177, has as many or more "merit
badges" than almost any other product.

The FIPS 140-2 terminology is confusing to the uninitiated, among whom I
include myself even after working this validation for five years. RSA
encryption/decryption/key wrapping is not "Approved"; instead it is
classified as "Non-Approved, but allowed for use in FIPS 140-2 mode".
RSA sign/verify is "Approved", and hence is listed with the Approved
algorithms. You may use either in FIPS 140-2 mode.

-Steve M.

--
Steve Marquess
Open Source Software Institute
[EMAIL PROTECTED]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]