----- Original Message -----
From: "Kyle Hamilton" <aerow...@gmail.com>
To: "openssl-users" <openssl-users@openssl.org>
Sent: Friday, February 27, 2009 1:14 AM
Subject: Re: FIPS
Take everything I say here with a grain of salt: I'm not a FIPS
expert, and it's entirely possible that I am misinterpreting something
that I read. If Steve M wants to weigh in and verify or debunk my
interpretation, I would not object! :)
<snip>
*: You actually can use other FIPS-validated modules to provide
cryptographic services to your application, but if you want to move
key data from one module to another you must first export it, with
encryption, from the one module that has it -- and then import it into
the other module and only then decrypt it. With OpenSSL, no
key-storage facilities are present, so you don't have much to worry
about on this score -- just remember that FIPS mandates that any
key-storage facilities only release their private and symmetric keys
once they've been encrypted.
Kyle,
Sorry to butt in on this thread. That was an excellent explanation, thanks.
Where, in FIPS 140-2, does it mandate this level of key protection for
security level 1 or 2? Or, are you talking about the envelope of the process
using the crypto module rather than the crypto module envelope? NIST SP
800-57 has recommendations, but I couldn't see this in 140-2.
Thanks,
Carl
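
The key-transfer procedure Kyle describes above (export the key from one module only in encrypted form, carry the encrypted blob across, and decrypt it only once it is inside the receiving module) as an added shell example. This is not code from the thread or from the OpenSSL project; it assumes only a working `openssl` command-line tool (1.1.0 or later, for `-iter`), and the two "modules" are just two directories, the passphrase stands in for a key-encryption key, and all file names are arbitrary demo choices.

```shell
#!/bin/sh
# Added example (not from the thread): move a private key from "module A" to
# "module B" so that the plaintext key never exists outside either module's
# boundary. The only artefact that crosses between them is passphrase-encrypted
# PKCS#8. Assumes the `openssl` CLI; directory names, file names and the
# passphrase are demo choices.
set -eu

WORK="${TMPDIR:-/tmp}/fips-keymove.$$"
mkdir -p "$WORK/module_a" "$WORK/module_b"
PASS='wrap-passphrase-for-demo-only'   # stands in for a KEK; never a literal in real use

# Module A generates a key; the plaintext stays inside module A's directory.
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/module_a/key.pem" 2>/dev/null
}

# Export: wrap the key for transport as encrypted PKCS#8
# (AES-256-CBC under a PBKDF2-derived key, 100000 iterations).
export_wrapped() {
    openssl pkcs8 -topk8 -in "$WORK/module_a/key.pem" \
        -v2 aes-256-cbc -iter 100000 \
        -passout "pass:$PASS" -out "$WORK/transport.p8"
}

# Check: the transport blob must be unusable without the wrapping secret.
# Returns success when a wrong passphrase is rejected.
wrapped_is_opaque() {
    ! openssl pkey -in "$WORK/transport.p8" -passin pass:wrong -noout 2>/dev/null
}

# Import: module B copies the blob inside its own boundary and only then decrypts.
import_unwrapped() {
    cp "$WORK/transport.p8" "$WORK/module_b/transport.p8"
    openssl pkcs8 -in "$WORK/module_b/transport.p8" -passin "pass:$PASS" \
        -out "$WORK/module_b/key.pem"
}

# Public-key fingerprint of a private key file, used to confirm both sides
# hold the same key without comparing private material directly.
pub_fingerprint() {
    openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

keys_match() {
    [ "$(pub_fingerprint "$WORK/module_a/key.pem")" = \
      "$(pub_fingerprint "$WORK/module_b/key.pem")" ]
}

run_demo() {
    gen_key && export_wrapped && wrapped_is_opaque && import_unwrapped && keys_match
}

run_demo && echo "key moved between modules; only encrypted PKCS#8 left module A"
```

The script leaves its working directory under `$TMPDIR` so the intermediate files can be inspected; `transport.p8` is the only file that would ever leave module A, and `wrapped_is_opaque` is the check that it cannot be opened without the wrapping secret. Whether a given FIPS 140-2 security level actually requires this is exactly the question Carl raises; the script only shows the mechanics.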
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org