FIPS mode howto
Hi,

I just figured I'd write something up for your perusal, modification, and possible inclusion into the HOWTO list. I'm attaching it as a file; if it doesn't come through, please let me know, and I'll resend it in a message body.

If there are any glaring inaccuracies I would very much like to know about them, since I wrote this out of my explorations for figuring out how to use the library myself. ;)

Thanks!

-Kyle H

!DRAFT! -- FIPS-140-2 certification is not yet finalized -- !DRAFT!

Using the FIPS-certified mode of OpenSSL

There are really three main steps to using the FIPS mode of OpenSSL:

1) Create the library in FIPS-certified mode
2) Call FIPS_mode_set(3) in your application just after initializing the OpenSSL library
3) Link your application against the FIPS-certified OpenSSL library

However, as they say, the devil is always in the details. This is one programmer's experience with getting this done.

1) Create the library in FIPS-certified mode

===NOTE: THIS IS A DRAFT DOCUMENT, AND DUPLICATES INFORMATION TO
===BE FOUND IN THE OPENSSL FIPS SECURITY POLICY. IF THERE IS ANY
===DISCREPANCY, THE OPENSSL FIPS SECURITY POLICY IS CORRECT, AND
===THIS DOCUMENT IS WRONG. YOU ARE HEREBY WARNED.

This is, really, the toughest part of the procedure. In order to accomplish this, you need version 0.9.7j (or higher in the 0.9.7 series). (If 0.9.7j isn't out by the time you read this, please get the latest 0.9.7 stable snapshot.)

To compile it in FIPS-certified mode, the appropriate command to configure it is:

    ./config fips

with no other options that affect what functions go into the library. You ARE allowed to specify -d (for debugging), and --prefix (to specify where it is to be installed); however, if you specify -d, you need to have electric-fence (by Bruce Perens) installed, and you MUST NOT STRIP ANY BINARY YOU CREATE. The explanation for this is described in the Mechanics section of this document.

After compiling this (with 'make'), it is advisable to test the compilation (with 'make test'). The test suite used for FIPS mode is much longer than the test suite used for a non-FIPS build, though on a reasonably fast system you won't have time for a coffee break during it.

After the tests complete successfully (if they don't, get onto the openssl-users@openssl.org mailing list for assistance -- directions are on the http://openssl.org/ website), type 'make install' and there will be several things installed in $(PREFIX)/openssl/ --

bin/
    openssl: The openssl command-line interface
    c_rehash: A shell script to rehash a CA cert dir
    fipsld: The tool you need to link your app with the FIPS-certified library
include/
    openssl/
        *: All the include files necessary. Just put the 'include' directory in $INCLUDE or -I, and in your source #include <openssl/file.h>.
lib/
    fipscanister.o: pre- and post- library segment isolation for in-memory image verification (see Mechanics section)
    fipscanister.o.sha1: keyed hmac value for fipscanister.o, needed for verification that it hasn't been munged
    fips_premain.c: Code that must be compiled and linked to run before the main() procedure in your binary image. This verifies that the library hasn't been tampered with.
    fips_premain.c.sha1: keyed hmac value for fips_premain.c, verified by fipsld during link time.
    libcrypto.a: FIPS-certified cryptographic library.
    libssl.a: SSL library.
    pkgconfig/
        openssl.pc: Description of the package configuration parameters. (Notably, it does NOT mention the library's FIPS build status.)
ssl/
    certs/: Contains certificates you trust or have issued.
    man/: man pages (add this to your manpath)
    misc/
        CA.pl: perl version of CA script
        CA.sh: Bourne shell version of CA script
        c_hash: Prints the simple hashed filename that a given set of X.509 certs would be placed in. Does not check prior hash values.
        c_info: Prints basic information (filename, subject, issuer, end date) about a set of X.509 certs, without performing any verification.
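Added example, not part of the original post and not OpenSSL's code: a Python sketch of the kind of keyed-HMAC check the listing above describes for fipscanister.o.sha1. The key, the 'LABEL= hex' digest-file layout and the stand-in file contents are constructed assumptions, not the values OpenSSL uses.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed key for this example only; it is NOT the key OpenSSL uses.
EXAMPLE_KEY = b"constructed-example-key"

def keyed_digest(path, key=EXAMPLE_KEY):
    """Hex HMAC-SHA1 of the file at path, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()

def read_recorded(path):
    """Parse a digest file; assumed layout is 'LABEL= hex' or bare hex."""
    with open(path, encoding="ascii") as fh:
        text = fh.read().strip()
    value = text.rsplit("=", 1)[-1].strip().lower()
    if len(value) != 40 or any(c not in "0123456789abcdef" for c in value):
        raise ValueError("not a SHA-1 sized hex digest: %r" % text)
    return value

def verify(obj_path, digest_path, key=EXAMPLE_KEY):
    """True only if the recorded keyed digest matches the file contents."""
    return hmac.compare_digest(keyed_digest(obj_path, key),
                               read_recorded(digest_path))

def demo():
    """Record a digest for a stand-in object file, then modify the file."""
    with tempfile.TemporaryDirectory() as d:
        obj = os.path.join(d, "fipscanister.o")
        rec = obj + ".sha1"
        with open(obj, "wb") as fh:
            fh.write(b"\x7fELF constructed stand-in contents")
        with open(rec, "w", encoding="ascii") as fh:
            fh.write("HMAC-SHA1(fipscanister.o)= %s\n" % keyed_digest(obj))
        intact = verify(obj, rec)
        # An unkeyed SHA-1 (what sha1sum prints) does not reproduce the value.
        with open(obj, "rb") as fh:
            plain_matches = hashlib.sha1(fh.read()).hexdigest() == read_recorded(rec)
        with open(obj, "ab") as fh:   # any change to the file contents
            fh.write(b"\x00")
        modified = verify(obj, rec)
    return intact, plain_matches, modified

if __name__ == "__main__":
    print(demo())
```
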
Re: FIPS mode howto
On Thu, Feb 16, 2006, Kyle Hamilton wrote:

> Hi, I just figured I'd write something up for your perusal, modification, and possible inclusion into the HOWTO list. I'm attaching it as a file; if it doesn't come through, please let me know, and I'll resend it in a message body.

We will be giving full details about the use of FIPS mode in due course. At present some details are being finalized so we can't give definitive answers about the precise procedure which must be followed.

Currently, for example, ONE specific version of OpenSSL would be needed to build fipscanister.o and it is NOT 0.9.7j or later.

Since communication between us and the labs is confidential we can't comment on that.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: FIPS mode howto
Alright. Can you comment on if the source-level API is going to stay the same, at least?

(If it's going to stay the same, then giving details on how to link with a version of OpenSSL that provides that API -- even if it's not the FIPS-certified version -- would allow users to get working on apps that need to make use of the API. If it's not, then I won't worry about it. If you can't comment, I'll assume it's not guaranteed static.)

-Kyle H

On 2/16/06, Dr. Stephen Henson [EMAIL PROTECTED] wrote:

> On Thu, Feb 16, 2006, Kyle Hamilton wrote:
>
> > Hi, I just figured I'd write something up for your perusal, modification, and possible inclusion into the HOWTO list. I'm attaching it as a file; if it doesn't come through, please let me know, and I'll resend it in a message body.
>
> We will be giving full details about the use of FIPS mode in due course. At present some details are being finalized so we can't give definitive answers about the precise procedure which must be followed.
>
> Currently, for example, ONE specific version of OpenSSL would be needed to build fipscanister.o and it is NOT 0.9.7j or later.
>
> Since communication between us and the labs is confidential we can't comment on that.
>
> Steve.
Re: FIPS mode howto
On Thu, Feb 16, 2006, Kyle Hamilton wrote:

> Alright. Can you comment on if the source-level API is going to stay the same, at least?
>
> (If it's going to stay the same, then giving details on how to link with a version of OpenSSL that provides that API -- even if it's not the FIPS-certified version -- would allow users to get working on apps that need to make use of the API. If it's not, then I won't worry about it. If you can't comment, I'll assume it's not guaranteed static.)

Well with the disclaimer that none of this is set in stone...

The API is likely to stay the same. *What* you link to and *how* you do that may change.

There are also various other things which an application will need to do to be compliant, it is *not* just a case of successfully entering FIPS mode.

Steve.
Re: FIPS mode howto
Alright. I'm certainly not suggesting that if you link to a FIPS-certified module, your entire product becomes FIPS-compliant -- as far as I understand, your app still has to go through the same testing procedures, it just doesn't have to go through quite the same crypto validation procedures. (I do tend to read requirements documents myself; I'm trying to design something to sell to the US government, and I'm endeavoring to make it possible.)

I do have another question, though: Is the ASN.1/BER/DER library considered to be part of the crypto library, and thus mandatory to use for ease of certification down the road?

-Kyle H

On 2/16/06, Dr. Stephen Henson [EMAIL PROTECTED] wrote:

> On Thu, Feb 16, 2006, Kyle Hamilton wrote:
>
> > Alright. Can you comment on if the source-level API is going to stay the same, at least?
> >
> > (If it's going to stay the same, then giving details on how to link with a version of OpenSSL that provides that API -- even if it's not the FIPS-certified version -- would allow users to get working on apps that need to make use of the API. If it's not, then I won't worry about it. If you can't comment, I'll assume it's not guaranteed static.)
>
> Well with the disclaimer that none of this is set in stone...
>
> The API is likely to stay the same. *What* you link to and *how* you do that may change.
>
> There are also various other things which an application will need to do to be compliant, it is *not* just a case of successfully entering FIPS mode.
>
> Steve.
Small exponent in RSA public keys
Hi all,

After reading a lot on small exponents in RSA public keys, it seems to me that the issue is only if I am not using libraries like OpenSSL for signing, but if I use RSA_Sign or EVP_Sign they implement PKCS#1 and that solves that problem even if I sign the same plain text e times.

So if I use OpenSSL there is no reason to use an exponent bigger than 3 unless using specific hardware that might work faster with specific exponents.

Is this correct?

Joe