Re: OpenSSL openssl-fips-2.0.2 and private label
Hi Steve, Thank you very much once again. We have plan for FIPS 140-2 validation at later point of time. For a quick method to become NIST compliance, we wanted to use openssl-fips-2.0.2 along with OpenSSL library. Right now We dont want the full functionality of openssl-fips-2.0.2. We are looking for only certain crypto operations. Hence we are leveraging a partial code from openssl-fips-2.0.2. We had 2 concerns 1. Licensing and usage terms for openssl-fips-2.0.2 were not clear. Now you have cleared this doubt, thank you once again. 2. We were thinking FIPS certification is must for NIST compliance. Looks like they are separate. So I understand from your response, we can use openssl-fips-2.0.2 even if we are not going for FIPS 140-2 certification, but it can be NIST compliance Regards BR On Wed, Dec 12, 2012 at 9:44 PM, Steve Marquess marqu...@opensslfoundation.com wrote: On 12/12/2012 10:49 AM, bhagyalekshmi r wrote: Hi Steve, Thank you very much for your time and response. Your reply gave me pretty clear picture. I have one last question. I would like to know is there any license related issue if I dont go for FIPS validation, but still use part of openssl-fips-2.0.2 along with OpenSSL library. In other words, say I am using a specific crypto algorithm from openssl-fips-2.0.2 along with OpenSSL library. Do I need to obtain a change modification letter from OpenSSL or exsting license terms of OpenSSL will hold good? Well, you're dealing with two different concepts here. The FIPS module is available under the same permissive open source license as the rest of OpenSSL: http://openssl.org/source/license.html. That however is entirely separate from the issue of FIPS 140-2 validation. As clearly noted in the Security Policy the source distribution cannot be changed *at all* for validation certificate #1747 to remain applicable. That's what I meant by you touch it, you own it. A minor source code change that does not affect the general functionality or any previously tested platforms (more than 50 now) could possibly be accommodated under the change letter process -- but remember any such changes have to make sense, or at least not impact, the general user community. We can extend and improve the FIPS module that way, but not customize it for specific purposes. Custom modifications to the FIPS module itself will require a new validation. You are free to use the source code, under the terms of the OpenSSL license, for that purpose but there is no avoiding the need for another validation. You can try to wade through that process yourself, or you can hire either OSF or a third party to pursue it for you. Figure on 9-12 months and $50K+ for that effort. Generally speaking you can freely modify OpenSSL and the intact FIPS module remains valid, though note that if you break the parts of OpenSSL designed for interfacing with the FIPS module you'll run into many problems. Any way you look at it you need really compelling reasons to chose that route; you will have not only the initial difficulty and expense of implementing custom modifications, but also the long term burden of supporting those customizations. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com
Re: OpenSSL openssl-fips-2.0.2 and private label
On 12/12/2012 09:59 PM, bhagyalekshmi r wrote: Hi Steve, Thank you very much once again. We have plan for FIPS 140-2 validation at later point of time. For a quick method to become NIST compliance, we wanted to use openssl-fips-2.0.2 along with OpenSSL library. Right now We dont want the full functionality of openssl-fips-2.0.2. We are looking for only certain crypto operations. Hence we are leveraging a partial code from openssl-fips-2.0.2. We had 2 concerns 1. Licensing and usage terms for openssl-fips-2.0.2 were not clear. Now you have cleared this doubt, thank you once again. 2. We were thinking FIPS certification is must for NIST compliance. Looks like they are separate. So I understand from your response, we can use openssl-fips-2.0.2 even if we are not going for FIPS 140-2 certification, but it can be NIST compliance What the heck is NIST compliance? Note FIPS 140-2 validation (n.b.: validation not certification) is a U.S. government and DoD procurement requirement (and possibly of the Canadian government as well). The only way you can satisfy that requirement is by using FIPS 140-2 validated cryptography, and that means complying with the terms of the relevant Security Policy. The Security Policy for the #1747 validation clearly says no modifications, period. If you are not using FIPS 140-2 validated cryptography -- and you won't be if you make any modifications to the FIPS module source code distribution -- then there is no point in using the FIPS module. It has no technical advantages over the regular non-FIPS capable OpenSSL, in fact it is inferior in terms of performance and real-world security. So in your case don't use modified FIPS module source code, it buys you absolutely nothing and costs you unnecessary complexity. Just use OpenSSL. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: OpenSSL openssl-fips-2.0.2 and private label
On 12/11/2012 10:09 PM, bhagyalekshmi r wrote: Hi All, I had one question regarding usage of openssl-fips-2.0.2. I want to use openssl-fips-2.0.2 to get NIST compliance for some crypto functionality*.* I don't want to go for FIPS 140-2 certification/validation. I want to use only a part of openssl-fips-2.0.2 module. Can I use some parts of openssl-fips-2.0.2 module along with OpenSSL library to use FIPS 140-2 functionality. Is it mandatory to get a private label if I make any changes to openssl-fips-2.0.2 module or if I want to use part of openssl-fips-2.0.2 module. If you touch it you own it -- make any modifications and you will need to obtain your own FIPS 140-2 Level 1 validation. The Security Policy is pretty clear about that. Note that private label validation is a term for a specific kind of FIPS 140-2 validation, one based on an unmodified or only slightly modified OpenSSL FIPS Object Module 2.0. The private label validations are typically much less expensive that a typical from-scratch validation, because the test lab can refer to materials developed from the earlier open source based validation. Once you make non-trivial modifications you're looking at the more expensive kind of validation. Note the FIPS module proper isn't that big, in time or space (typically 1/2MB and 3 seconds for the POST initialization), so you need a pretty compelling reason to try cutting it down even further. The OpenSSL libcrypto shared library is about 15 times larger and a better place to look for size reduction opportunities. In general it will make more sense to use the FIPS module as-is and reference just the specific functionality you need. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: OpenSSL openssl-fips-2.0.2 and private label
Hi Steve, Thank you very much for your time and response. Your reply gave me pretty clear picture. I have one last question. I would like to know is there any license related issue if I dont go for FIPS validation, but still use part of openssl-fips-2.0.2 along with OpenSSL library. In other words, say I am using a specific crypto algorithm from openssl-fips-2.0.2 along with OpenSSL library. Do I need to obtain a change modification letter from OpenSSL or exsting license terms of OpenSSL will hold good? Thank you very much again. Regards BR On Wed, Dec 12, 2012 at 8:17 PM, Steve Marquess marqu...@opensslfoundation.com wrote: On 12/11/2012 10:09 PM, bhagyalekshmi r wrote: Hi All, I had one question regarding usage of openssl-fips-2.0.2. I want to use openssl-fips-2.0.2 to get NIST compliance for some crypto functionality*.* I don't want to go for FIPS 140-2 certification/validation. I want to use only a part of openssl-fips-2.0.2 module. Can I use some parts of openssl-fips-2.0.2 module along with OpenSSL library to use FIPS 140-2 functionality. Is it mandatory to get a private label if I make any changes to openssl-fips-2.0.2 module or if I want to use part of openssl-fips-2.0.2 module. If you touch it you own it -- make any modifications and you will need to obtain your own FIPS 140-2 Level 1 validation. The Security Policy is pretty clear about that. Note that private label validation is a term for a specific kind of FIPS 140-2 validation, one based on an unmodified or only slightly modified OpenSSL FIPS Object Module 2.0. The private label validations are typically much less expensive that a typical from-scratch validation, because the test lab can refer to materials developed from the earlier open source based validation. Once you make non-trivial modifications you're looking at the more expensive kind of validation. Note the FIPS module proper isn't that big, in time or space (typically 1/2MB and 3 seconds for the POST initialization), so you need a pretty compelling reason to try cutting it down even further. The OpenSSL libcrypto shared library is about 15 times larger and a better place to look for size reduction opportunities. In general it will make more sense to use the FIPS module as-is and reference just the specific functionality you need. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com
Re: OpenSSL openssl-fips-2.0.2 and private label
On 12/12/2012 10:49 AM, bhagyalekshmi r wrote: Hi Steve, Thank you very much for your time and response. Your reply gave me pretty clear picture. I have one last question. I would like to know is there any license related issue if I dont go for FIPS validation, but still use part of openssl-fips-2.0.2 along with OpenSSL library. In other words, say I am using a specific crypto algorithm from openssl-fips-2.0.2 along with OpenSSL library. Do I need to obtain a change modification letter from OpenSSL or exsting license terms of OpenSSL will hold good? Well, you're dealing with two different concepts here. The FIPS module is available under the same permissive open source license as the rest of OpenSSL: http://openssl.org/source/license.html. That however is entirely separate from the issue of FIPS 140-2 validation. As clearly noted in the Security Policy the source distribution cannot be changed *at all* for validation certificate #1747 to remain applicable. That's what I meant by you touch it, you own it. A minor source code change that does not affect the general functionality or any previously tested platforms (more than 50 now) could possibly be accommodated under the change letter process -- but remember any such changes have to make sense, or at least not impact, the general user community. We can extend and improve the FIPS module that way, but not customize it for specific purposes. Custom modifications to the FIPS module itself will require a new validation. You are free to use the source code, under the terms of the OpenSSL license, for that purpose but there is no avoiding the need for another validation. You can try to wade through that process yourself, or you can hire either OSF or a third party to pursue it for you. Figure on 9-12 months and $50K+ for that effort. Generally speaking you can freely modify OpenSSL and the intact FIPS module remains valid, though note that if you break the parts of OpenSSL designed for interfacing with the FIPS module you'll run into many problems. Any way you look at it you need really compelling reasons to chose that route; you will have not only the initial difficulty and expense of implementing custom modifications, but also the long term burden of supporting those customizations. -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marqu...@opensslfoundation.com marqu...@openssl.com __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
OpenSSL openssl-fips-2.0.2 and private label
Hi All, I had one question regarding usage of openssl-fips-2.0.2. I want to use openssl-fips-2.0.2 to get NIST compliance for some crypto functionality*.* I don't want to go for FIPS 140-2 certification/validation. I want to use only a part of openssl-fips-2.0.2 module. Can I use some parts of openssl-fips-2.0.2 module along with OpenSSL library to use FIPS 140-2 functionality. Is it mandatory to get a private label if I make any changes to openssl-fips-2.0.2 module or if I want to use part of openssl-fips-2.0.2 module. Any help is appreciated. Regards BR