Bill Colvin wrote:
> Raymond:  It is possible that the functions you are referring to may be
> required to support RSA (key wrapping; key establishment) methodology as
> described on page 19 of the Security Policy.  
> 
> You also have to take into consideration that all algorithms are
> supported in the code, but certain algorithms are disabled once you
> enable FIPS MODE.

Sorry to take so long to chime in.  You are correct, the meaning of
"approved" in the context of FIPS 140-2 can be confusing.  As it has
been explained to me, RSA encryption/decryption/key wrapping is not
"Approved". Instead it is classified as "Non-Approved, but allowed for
use in FIPS 140-2 mode", hence the listing in the non-Approved
algorithms list. It is permissible to use RSA for
encryption/decryption/key wrapping in the FIPS mode of operation.

RSA for sign/verify is "Approved" and so appears in the other table of
approved algorithms.

We took considerable care to disable the use of forbidden algorithms
when FIPS mode is enabled, so as a general rule of thumb if it works in
FIPS mode and you're not abusing the API in strange and terrible ways
then it's legal.

-Steve M.

> 
> ________________________________
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Raymond Yuan
> Sent: July 5, 2007 7:33 PM
> To: openssl-users@openssl.org
> Subject: Re: OpenSSL FIPS module doesn't support RSA public-key
> encryption scheme?
> 
>  
> 
> Marek,
> 
>     Thanks for your reply.
> 
>     That page in security policy, 17 & 18, is really what I'm referring
> to. Based on that I drew a conclusion that RSA public-key encryption is
> not an approved algorithm in the OpenSSL FIPS module.  However in the
> FIPS source code in /fips-1.0/rsa/fips_rsa_eay.c , I saw the API
> RSA_eay_public_encrypt() and RSA_eay_private_decrypt().  In
> fips_rsa_selftest.c, there're self-tests against public-key
> encryption/decryption.  It's a little confusing. I'm trying to seek some
> explanation from experts on this.  
> 
> -Raymond
> 
> ----- Original Message ----
> From: Marek Marcola <[EMAIL PROTECTED]>
> To: openssl-users@openssl.org
> Sent: Thursday, July 5, 2007 3:08:15 PM
> Subject: Re: OpenSSL FIPS module doesn't support RSA public-key
> encryption scheme?
> 
> Hello,
>>     According to my understanding on OpenSSL FIPS module security
>> policy, RSA public-key encryption scheme is not approved algorithm in
>> the module. However, in OpenSSL FIPS module source code, I saw the API
>> like RSA_eay_public_encrypt(). Could someone shed a light on this?
> Look at:
> 
> http://www.openssl.org/docs/fips/SecurityPolicy-1.1.1.pdf
> 
> page 17.
> 
-- 
Steve Marquess
Open Source Software Institute
[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]