Hi Jeffrey,

Thanks for the clarification.

I have one question on this. What did you mean by Suite B algorithms?

Secondly, are the ciphers which you mentioned available in the standard OpenSSL
package, or do we need to have the FIPS 140-2 module linked for that?

Thanks & Regards,
Nayna Jain
Nexus Tools Development
Bangalore, India
Contact : 402-56859



From:   Jeffrey Walton <noloa...@gmail.com>
To:     openssl-users@openssl.org
Date:   01/10/2013 10:08 PM
Subject:        Re: How to link openssl FIPS 140-2 object module with openssl binary
Sent by:        owner-openssl-us...@openssl.org



On Thu, Jan 10, 2013 at 11:04 AM, Nayna Jain <naynj...@in.ibm.com> wrote:
> Thanks Jeffrey for the quick response.
>
> I have one more question.
>
> Actually there is also a NIST Recommendations document, i.e. NIST SP 800-131A.
>
> To satisfy the requirements for NIST SP 800-131A,
>
> 1.  Do we need to use the FIPS Object library module?
If you are doing business in the Federal arena, you must use validated
cryptography. OpenSSL is one way to get validated cryptography in your
product.

Others include Mocana, Certicom, RSA Data Security, etc. Expect to pay
$20,000 or $30,000 US or so to set the account up, before a single
license is issued ($25,000 was the quote I got a few years ago).

> 2. Do we just need to make sure that we use the correct algos/keys from the
> standard openssl lib (without the FIPS lib) to satisfy the NIST SP 800-131A
> requirements?
NIST SP 800-131 speaks to security levels.

Security levels for new Federal systems must offer 112-bits of
security or higher.

You can use a lesser security level to interoperate with existing
systems - such as 80-bits (2-key TDEA, SHA1) - but they are being
phased out.

Below are the algorithms and/or key sizes to achieve the 112-bit
security level. Note: MD5 is tolerated, but only as a PRF in TLS 1.0
and TLS 1.1 (it cannot 'stand alone' as a digest or HMAC in a
negotiated cipher):

  2048 Diffie-Hellman
  2048 RSA
  224-bit Elliptic Curves (Prime Fields)
  233-bit Elliptic Curves (Binary Fields)
  3-key TDEA (3-key Triple DES)
  SHA-224

Related: Suite B algorithms require 128 bits of security. Below are
the algorithms and/or key sizes that offer the security level. Note:
MD5 is completely banned since TLS 1.2 is required:

  3072 Diffie-Hellman
  3072 RSA
  256-bit Elliptic Curves (Prime Fields)
  283-bit Elliptic Curves (Binary Fields)
  AES-128
  SHA-256

So, you have to plug in the required parameters.

Jeff

> From:   Jeffrey Walton <noloa...@gmail.com>
> To:     openssl-users@openssl.org
> Date:   01/10/2013 04:01 PM
> Subject:        Re: How to link openssl FIPS 140-2 object module with openssl binary
> Sent by:        owner-openssl-us...@openssl.org
>
>
>
> On Thu, Jan 10, 2013 at 3:07 AM, Nayna Jain <naynj...@in.ibm.com> wrote:
>>
>> Hi,
>>
>> I want to use FIPS compliant algorithms and keys. For that I understand I
>> need to have the OpenSSL FIPS object library along with the default openssl.
>>
>> However, I am not understanding how to install them. My questions are :
>>
>> 1. Both are tar.gz. Should I run ./Configure, make and make install for
>> both of them, and that is done?
> No.
>
> The FIPS Object Module (openssl-fips-2.0.N/ directory) uses:
> `./config fipscanisterbuild`
>
> The FIPS Capable library (openssl-1.0.x/ directory) uses:
> `./config fips <options>`
>
>> If this is the case, how does openssl link
>> with the FIPS object module?
> Nothing special is required. You use the FIPS Capable library
> (libcrypto.a and libssl.a), and the FIPS Capable library uses the FIPS
> Object Module (fipscanister.o). It's all transparent to the user.
>
>> 2. While compiling or building the openssl lib itself I need to link it to the
>> FIPS object module. If that is the case, where and how do I have to set that
>> linking option while building?
> Nothing special is required (Chapter 2 of the User Guide 2.0 is a bit
> misleading, IIRC). Just link against libcrypto.a, and act like
> fipscanister.o does not exist.
>
>> Please guide.
> As requested: openssl.org/docs/fips/UserGuide-2.0.pdf.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
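The security levels Jeff lays out above (112 bits for new Federal systems, 128 bits for Suite B, MD5 tolerated only inside the TLS 1.0/1.1 PRF) can be turned into a concrete check. The following is an added example, not code from this thread or from the OpenSSL project: a small Python checker that rates each component of a TLS parameter set, applies the weakest-link rule, and reports what falls short of the 112-bit or Suite B level. The 112- and 128-bit figures match the thread; the 80-, 192- and 256-bit rows, and the Suite B restriction to AES with elliptic-curve key exchange and authentication, are taken from NIST SP 800-57 Part 1 and RFC 6460 respectively and are assumptions beyond what the thread states. The `ParamSet` class and the parameter sets at the bottom are constructed for the example.

```python
"""
Added example (not from the openssl-users thread or the OpenSSL project):
rate a TLS parameter set against the 112-bit and Suite B (128-bit) levels.

Strength figures follow NIST SP 800-57 Part 1, Table 2.  The 112/128-bit
rows match the thread; the 80/192/256-bit rows are assumptions from that
table.  Suite B's ECC/AES-only rule is from RFC 6460, also an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def ffc_ifc_strength(bits: int) -> int:
    """RSA modulus or finite-field DH group size (bits) -> security strength."""
    for threshold, strength in ((15360, 256), (7680, 192), (3072, 128),
                                (2048, 112), (1024, 80)):
        if bits >= threshold:
            return strength
    return 0


def ecc_strength(bits: int) -> int:
    """Elliptic-curve key size (bits) -> strength.  The same ranges cover prime
    and binary fields, so P-224 / B-233 give 112 and P-256 / B-283 give 128."""
    for threshold, strength in ((512, 256), (384, 192), (256, 128),
                                (224, 112), (160, 80)):
        if bits >= threshold:
            return strength
    return 0


# Digests are rated by collision resistance (output length / 2), which is
# what makes SHA-1 an 80-bit digest.  MD5 scores 0: it must never stand alone.
SYMMETRIC: Dict[str, int] = {"AES-128": 128, "AES-192": 192, "AES-256": 256,
                             "3TDEA": 112, "2TDEA": 80}
DIGEST: Dict[str, int] = {"SHA-512": 256, "SHA-384": 192, "SHA-256": 128,
                          "SHA-224": 112, "SHA-1": 80, "MD5": 0}


@dataclass(frozen=True)
class ParamSet:
    """One negotiated TLS configuration (constructed type for this example)."""
    tls_version: str   # "1.0", "1.1" or "1.2"
    kex: str           # "DH", "RSA" or "ECDH"
    kex_bits: int
    auth: str          # "RSA", "DSA" or "ECDSA"
    auth_bits: int
    cipher: str        # key in SYMMETRIC
    mac_digest: str    # key in DIGEST (the HMAC / signature digest)


def asymmetric_strength(alg: str, bits: int) -> int:
    if alg in ("RSA", "DH", "DSA"):
        return ffc_ifc_strength(bits)
    if alg in ("ECDH", "ECDSA"):
        return ecc_strength(bits)
    raise ValueError("unknown algorithm: " + alg)


def component_strengths(p: ParamSet) -> Dict[str, int]:
    return {
        "key exchange": asymmetric_strength(p.kex, p.kex_bits),
        "authentication": asymmetric_strength(p.auth, p.auth_bits),
        "cipher": SYMMETRIC[p.cipher],
        "digest": DIGEST[p.mac_digest],
    }


def overall_strength(p: ParamSet) -> Tuple[int, List[str]]:
    """Weakest-link rule: a parameter set is only as strong as its weakest
    component.  Returns that strength and the component(s) that set it."""
    s = component_strengths(p)
    low = min(s.values())
    return low, sorted(name for name, v in s.items() if v == low)


def check(p: ParamSet, suite_b: bool = False) -> List[str]:
    """Return findings; an empty list means the set meets the level.
    suite_b=False: the 112-bit level (MD5 tolerated only as the TLS 1.0/1.1
    PRF, never as the cipher-suite digest).  suite_b=True: 128 bits, TLS 1.2
    (so no MD5-based PRF at all), AES, ECDH key exchange and ECDSA."""
    target = 128 if suite_b else 112
    findings: List[str] = []
    strength, weakest = overall_strength(p)
    if strength < target:
        findings.append("%d-bit strength from %s; need %d"
                        % (strength, ", ".join(weakest), target))
    if p.mac_digest == "MD5":
        findings.append("MD5 may not be used as a cipher-suite digest")
    if suite_b:
        if p.tls_version != "1.2":
            findings.append("Suite B requires TLS 1.2")
        if not p.cipher.startswith("AES"):
            findings.append("Suite B requires AES")
        if p.kex != "ECDH" or p.auth != "ECDSA":
            findings.append("Suite B requires ECDH key exchange and ECDSA")
    return findings


if __name__ == "__main__":
    # Constructed parameter sets: legacy 80-bit, Federal 112-bit, Suite B.
    samples = {
        "legacy":  ParamSet("1.0", "RSA", 1024, "RSA", 1024, "2TDEA", "SHA-1"),
        "federal": ParamSet("1.1", "DH", 2048, "RSA", 2048, "3TDEA", "SHA-224"),
        "suiteb":  ParamSet("1.2", "ECDH", 256, "ECDSA", 256, "AES-128", "SHA-256"),
    }
    for name, ps in samples.items():
        print(name, overall_strength(ps), check(ps), check(ps, suite_b=True))
```

The point the weakest-link rule makes is the one Jeff closes with: every parameter has to be plugged in at the target level, because a 2048-bit RSA certificate negotiated with SHA-1 or 2-key TDEA still yields an 80-bit connection.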


