Hey Guys,

If FIPS 140-2 compliance is important, you might want to look at something like a PKCS#11 wrapper and let your PKCS#11 compliant module be the deciding factor in meeting that compliance level. There are wrappers for most languages. (We have our own Python p11 implementation tailored to our Luna HSMs here https://github.com/gemalto/pycryptoki but you should be able to use a more generic project if you choose.)
There are other commonly used APIs such as OpenSSL, Java JCA/JCE and MS CAPI/CNG, but given that we're talking about Python on Linux a PKCS #11 approach is probably best.

Beyond just "140-2" there are different levels. Pure software implementations are limited to level 1. Levels 2, 3, and 4 require hardware and have more strict requirements as you go up the chain. Someone asking for FIPS 140-2 compliance will also generally have a minimum level that they require.

I do work for a vendor of hardware security modules and so I have biases towards our solutions, but without getting into any of that I do believe that if you want to take FIPS into consideration you should stick to a broadly adopted crypto API that allows you to switch out the back end module.

Cheers,
Mike Gardiner
Systems Security Architect
Gemalto

-----Original Message-----
From: Jeremy Stanley [mailto:fu...@yuggoth.org]
Sent: November-06-16 11:44 AM
To: OpenStack Development Mailing List (not for usage questions) <openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [requirements][kolla][security] pycrypto vs cryptography

On 2016-11-06 14:59:03 +0000 (+0000), Jeremy Stanley wrote:
> On 2016-11-06 08:05:51 +0000 (+0000), Steven Dake (stdake) wrote:
[...]
> > An orthogonal question I have received from one of our community
> > members (Pavo on irc) is whether pycrypto (or if we move to
> > cryptography) provide FIPS-140-2 compliance.
>
> My understanding is that if you need, for example, a FIPS-compliant
> AES implementation under the hood, then this is dependent more on what
> backend libraries you're using... e.g.,
> https://www.openssl.org/docs/fips.html
> https://www.openssl.org/docs/fipsvalidation.html

I should clarify, I was referring specifically to pyca/cryptography's OpenSSL backend.
In contrast, the pycrypto maintainers seem to have copied and forked a variety of algorithms (some of which seem to be based on NIST/FIPS reference implementations for C or backports from bits of Py3K stdlib but have undergone subsequent modification), so very likely have not been put through any sort of direct compliance validation:
https://github.com/dlitz/pycrypto/blob/master/src/AES.c
https://github.com/dlitz/pycrypto/blob/master/src/SHA512.c
et cetera...
--
Jeremy Stanley
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
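The "broadly adopted API with a swappable back end" advice above, turned into a small Python skeleton. This is an added example, not code from the thread, from pycryptoki or from OpenStack: the application talks to one tiny interface (HMAC-SHA256 over a message, chosen because the stdlib can provide the non-validated path offline), and at start-up either a PKCS#11 module performs the operation inside the token, or a plain stdlib implementation does. The PKCS#11 path uses the python-pkcs11 package (import name `pkcs11`); the environment variable names `PKCS11_MODULE`, `PKCS11_TOKEN`, `PKCS11_PIN`, `PKCS11_KEY` and `FIPS_MODE` are assumptions for this example. The point a practitioner cares about is the fail-closed rule: when FIPS mode is requested and the validated module cannot be used, the code refuses to start rather than quietly falling back to unvalidated software.

```python
"""Swap-the-back-end pattern for a FIPS-sensitive operation (added example).

Two back ends behind one interface:
  * Pkcs11Backend   - HMAC computed by whatever PKCS#11 module is configured
                      (HSM or validated software token); the key never leaves it.
  * SoftwareBackend - Python stdlib hmac/hashlib; no validation of its own.
FIPS_MODE=1 means "PKCS#11 or nothing".
"""
import hashlib
import hmac
import os
from typing import Mapping


class BackendUnavailable(RuntimeError):
    """The requested back end cannot be used (missing library, token, key...)."""


class SoftwareBackend:
    """Unvalidated reference path for development; never chosen in FIPS mode."""
    name = "software"

    def __init__(self, key: bytes):
        self._key = key

    def mac(self, message: bytes) -> bytes:
        return hmac.new(self._key, message, hashlib.sha256).digest()

    def verify(self, message: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.mac(message), tag)


class Pkcs11Backend:
    """HMAC-SHA256 performed inside the PKCS#11 module.

    Assumed (hypothetical) configuration, read from the mapping `env`:
      PKCS11_MODULE  path to the vendor library, e.g. the Cryptoki .so
      PKCS11_TOKEN   token label
      PKCS11_PIN     user PIN
      PKCS11_KEY     label of a pre-provisioned secret key usable for HMAC
    """
    name = "pkcs11"

    def __init__(self, env: Mapping[str, str]):
        try:
            import pkcs11  # python-pkcs11; imported lazily so it stays optional
        except ImportError as exc:
            raise BackendUnavailable("python-pkcs11 is not installed") from exc
        try:
            lib = pkcs11.lib(env["PKCS11_MODULE"])
            token = lib.get_token(token_label=env["PKCS11_TOKEN"])
            self._session = token.open(user_pin=env["PKCS11_PIN"])
            self._key = self._session.get_key(
                object_class=pkcs11.ObjectClass.SECRET_KEY, label=env["PKCS11_KEY"])
            # Sanity check: a key that can be exported defeats the purpose of
            # keeping the operation inside the validated boundary.
            if self._key[pkcs11.Attribute.EXTRACTABLE]:
                raise BackendUnavailable("refusing an EXTRACTABLE HMAC key")
        except (KeyError, OSError, RuntimeError, pkcs11.PKCS11Error) as exc:
            raise BackendUnavailable(f"PKCS#11 module not usable: {exc}") from exc
        self._mech = pkcs11.Mechanism.SHA256_HMAC

    def mac(self, message: bytes) -> bytes:
        return self._key.sign(message, mechanism=self._mech)

    def verify(self, message: bytes, tag: bytes) -> bool:
        return self._key.verify(message, tag, mechanism=self._mech)


def select_backend(env: Mapping[str, str] = os.environ, dev_key: bytes = b""):
    """Return the back end to use. Fails closed when FIPS_MODE=1."""
    fips_required = env.get("FIPS_MODE", "0") == "1"
    try:
        return Pkcs11Backend(env)
    except BackendUnavailable:
        if fips_required:
            raise  # no silent downgrade to the unvalidated path
    return SoftwareBackend(dev_key)


if __name__ == "__main__":
    backend = select_backend(dev_key=b"dev-only-key")
    tag = backend.mac(b"hello")
    print(backend.name, tag.hex(), backend.verify(b"hello", tag))
```

Two caveats that follow from the thread: CPython's `hashlib`/`hmac` happen to be built on OpenSSL, but validation attaches to a specific module build and operating environment, so that alone does not make the software path "FIPS"; and the PKCS#11 path only inherits the module's validation if the key material really stays inside it, which is why the example rejects an extractable key.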