On 07/04/2014 10:44 AM, Dr. Stephen Henson wrote:
> On Fri, Jul 04, 2014, Jayalakshmi bhat wrote:
>
>> Hi All,
>>
>> We are using OpenSSL 1.0.1c along with the OpenSSL FIPS Object Module in our
>> product. Recently we have added TPM support. The TPM chip is not FIPS
>> compliant. Hence in FIPS mode none of the SSL applications are working.
>>
>> I wanted inputs on the following questions. I would be grateful to receive
>> any help.
>>
>> 1. According to the FIPS user guide (*OpenSSL FIPS 140-2 User Guide: 2.6.2
>> Algorithms Available in FIPS Mode*), with the current TPM chip we cannot
>> make the device FIPS compliant. Is my understanding correct?
>>
>
> If the TPM chip is not FIPS compliant then nothing you can do will change
> that.
Keep in mind that at Level 1 it isn't "the device" that is FIPS 140-2
validated, but rather the cryptography that it uses (in the form of one or
more FIPS 140-2 validated cryptographic "modules"). You meet the USG/DoD
procurement requirements for FIPS 140-2 validated crypto when *all* of the
crypto your device/product/application uses is FIPS 140-2 validated.

As a *practical* matter you may gain some advantage with *some* USG/DoD
customers if only *some* of the crypto used by your device/product/application
is validated, but you aren't truly in compliance with those procurement
requirements and don't want to represent yourself as such.

Note that this partial use of validated crypto does appear to be rather
common, albeit improper. For instance, any vendor who ships a turnkey product
based on Linux or Android is probably not using FIPS 140-2 validated crypto
exclusively, as there are (at present) no open source based validated
implementations of kernel crypto as used by the kernel itself and by
protocols like IPsec.

So you really need to let your marketing and senior management folks make
the call.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc