Hi Jeffrey,

Thanks for the clarification.

I have one question on this. What did you mean by Suite B Algorithms? Secondly, are the ciphers which you mentioned available in the standard openssl package, or do we need to have the FIPS 140-2 module linked for that?

Thanks & Regards,
Nayna Jain
Nexus Tools Development
Bangalore, India
Contact : 402-56859

From: Jeffrey Walton <noloa...@gmail.com>
To: openssl-users@openssl.org
Date: 01/10/2013 10:08 PM
Subject: Re: How to link openssl FIPS 140-2 object module with openssl binary
Sent by: owner-openssl-us...@openssl.org

On Thu, Jan 10, 2013 at 11:04 AM, Nayna Jain <naynj...@in.ibm.com> wrote:
> Thanks Jeffrey for the quick response.
>
> I have one more question.
>
> Actually there is also a NIST Recommendations document, i.e. NIST SP 800-131A.
>
> To satisfy the requirements for NIST SP 800-131A,
>
> 1. Do we need to use the FIPS Object library module?

If you are doing business in the Federal arena, you must use validated cryptography. OpenSSL is one way to get validated cryptography in your product. Others include Mocana, Certicom, RSA Data Security, etc. Expect to pay $20,000 or $30,000 US or so to set the account up, before a single license is issued ($25,000 was the quote I got a few years ago).

> 2. Do we just need to make sure that we use the correct algos/keys from the standard openssl lib (without the FIPS lib) to satisfy the NIST SP 800-131A requirements?

NIST SP 800-131 speaks to security levels. Security levels for new Federal systems must offer 112 bits of security or higher. You can use a lesser security level to interoperate with existing systems - such as 80 bits (2-key TDEA, SHA1) - but they are being phased out.

Below are the algorithms and/or key sizes to achieve the 112-bit security level. Note: MD5 is tolerated, but only as a PRF in TLS 1.0 and TLS 1.1 (it cannot 'stand alone', or be used as a digest or HMAC in a negotiated cipher):

  2048 Diffie-Hellman
  2048 RSA
  224-bit Elliptic Curves (Prime Fields)
  233-bit Elliptic Curves (Binary Fields)
  3-key TDEA (3-key Triple DES)
  SHA-224

Related: Suite B algorithms require 128 bits of security. Below are the algorithms and/or key sizes that offer that security level. Note: MD5 is completely banned since TLS 1.2 is required:

  3072 Diffie-Hellman
  3072 RSA
  256-bit Elliptic Curves (Prime Fields)
  283-bit Elliptic Curves (Binary Fields)
  AES-128
  SHA-256

So, you have to plug in the required parameters.

Jeff

> From: Jeffrey Walton <noloa...@gmail.com>
> To: openssl-users@openssl.org
> Date: 01/10/2013 04:01 PM
> Subject: Re: How to link openssl FIPS 140-2 object module with openssl binary
> Sent by: owner-openssl-us...@openssl.org
>
> On Thu, Jan 10, 2013 at 3:07 AM, Nayna Jain <naynj...@in.ibm.com> wrote:
>>
>> Hi,
>>
>> I want to use FIPS compliant algorithms and keys. For that I understand I need to have the Openssl FIPS object library along with default openssl.
>>
>> However, I am not understanding how to install them. My questions are:
>>
>> 1. Both are tar.gz. Should I run ./Configure, make and make install for both of them and that is done?
>
> No.
>
> The FIPS Object Module (openssl-fips-2.0.N/ directory) uses: `./config fipscanisterbuild`
>
> The FIPS Capable library (openssl-1.0.x/ directory) uses: `./config fips <options>`
>
>> If this is the case, how does openssl link with the FIPS object module?
>
> Nothing special is required. You use the FIPS Capable library (libcrypto.a and libssl.a), and the FIPS Capable library uses the FIPS Object Module (fipscanister.o). It's all transparent to the user.
>
>> 2. While compiling or building the openssl lib itself, I need to link it to the FIPS object module. If that is the case, where and how do I have to set that linking option while building?
>
> Nothing special is required (Chapter 2 of the User Guide 2.0 is a bit misleading, IIRC). Just link against libcrypto.a, and act like fipscanister.o does not exist.
>
>> Please guide.
>
> As requested: openssl.org/docs/fips/UserGuide-2.0.pdf.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
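The 112-bit (NIST SP 800-131A) and 128-bit (Suite B) parameter lists in Jeff's reply, turned into a policy check over a negotiated TLS parameter set, as an added example that is not part of the thread. The thresholds are the ones quoted above; the Negotiated class, its field names and the sample configurations are constructed for this example, and accepting AES-128/AES-256 at the 112-bit level (they exceed it) is an assumption beyond the list as written.

```python
from dataclasses import dataclass
from typing import List, Optional

# Minimum sizes quoted in the thread: the 112-bit column is the NIST SP 800-131A
# level for new Federal systems, the 128-bit column is what Suite B requires.
# Assumption: AES (128 or 256) is also acceptable at 112 bits, since it exceeds it.
THRESHOLDS = {
    112: {"dh": 2048, "rsa": 2048, "ec_prime": 224, "ec_binary": 233, "hash": 224,
          "ciphers": {"3des-3key", "aes-128", "aes-256"}, "min_tls": 1.0},
    128: {"dh": 3072, "rsa": 3072, "ec_prime": 256, "ec_binary": 283, "hash": 256,
          "ciphers": {"aes-128", "aes-256"}, "min_tls": 1.2},
}

@dataclass
class Negotiated:
    """One TLS parameter set (constructed for this example, not a real capture)."""
    tls_version: float           # 1.0, 1.1 or 1.2
    cipher: str                  # "3des-3key", "aes-128", "aes-256", ...
    hash_bits: int               # output size of the digest used for HMAC/signatures
    md5_use: str = "none"        # "none", "prf" (TLS 1.0/1.1 PRF) or "hmac"
    rsa_bits: Optional[int] = None
    dh_bits: Optional[int] = None
    ec_bits: Optional[int] = None
    ec_field: str = "prime"      # "prime" or "binary"

def check(p: Negotiated, level: int) -> List[str]:
    """Return the rules p violates at the given level; an empty list means it passes."""
    t = THRESHOLDS[level]
    fails = []
    if p.tls_version < t["min_tls"]:
        fails.append(f"TLS {p.tls_version} below required TLS {t['min_tls']}")
    if p.cipher not in t["ciphers"]:
        fails.append(f"cipher {p.cipher} not accepted at the {level}-bit level")
    for name, key in (("RSA", "rsa"), ("Diffie-Hellman", "dh")):
        bits = getattr(p, key + "_bits")
        if bits is not None and bits < t[key]:
            fails.append(f"{name} {bits} < {t[key]}")
    if p.ec_bits is not None:
        need = t["ec_prime"] if p.ec_field == "prime" else t["ec_binary"]
        if p.ec_bits < need:
            fails.append(f"EC {p.ec_field}-field {p.ec_bits} < {need}")
    # MD5 may only appear as the TLS 1.0/1.1 PRF at the 112-bit level; Suite B bans it
    # outright because it requires TLS 1.2.
    if p.md5_use == "hmac" or (p.md5_use == "prf" and level == 128):
        fails.append("MD5 used as a digest/HMAC, or as a PRF where TLS 1.2 is required")
    if p.hash_bits < t["hash"]:
        fails.append(f"digest of {p.hash_bits} bits below SHA-{t['hash']}")
    return fails
```

A parameter set that passes the 112-bit check with 3-key TDEA, SHA-224 and MD5 as the TLS 1.1 PRF fails every Suite B rule at once, which is the "plug in the required parameters" point made above.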