Re: [openssl-users] OpenSSL FOM 2.0.12 - Windows Compliance

2016-08-23 Thread Imran Ali 
Thanks Steve,

I cannot find any certificate that can use 2.0.12 under Windows Operating 
System which suggests to me that we will have to revert back to 2.0.10 which is 
listed under #1747 and use G.5 (user affirmation) to leverage new platforms.

Is there no plans to include Windows platforms for 2.0.12 and newer version?

Regards,
Imran

-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Steve Marquess
Sent: 19 August 2016 14:31
To: openssl-users@openssl.org
Subject: Re: [openssl-users] OpenSSL FOM 2.0.12 - Windows Compliance

On 08/19/2016 07:20 AM, Imran Ali wrote:
> Hi Guys,
> 
>  
> 
> I need some help. I am looking for some evidence which I can provide 
> to my auditor for FOM 2.0.12 is FIPS-140 compliance when compiled and 
> used in Windows environment. When I look at the NIST web site under
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#17
> 47
> I cannot see 2.0.12 version.
> 
>  
> 
> Is there something I am missing?

Yes, it's rather confusing.

The one and only OpenSSL FIPS module ("OpenSSL FIPS Object Module 2.0") is -- 
for perverse bureaucratic reasons[*] -- covered by three separate[**] FIPS-140 
validations:

  #1747 (revisions 2.0, 2.0.1, ..., 2.0.10)
  #2389 (revisions 2.0.9, ..., 2.0.13)
  #2473 (revisions 2.0.9, 2.0.10)

As always the latest revision (for a given validation) subsumes all tested 
platforms listed for that validation. So for instance, 2.0.13 can be used for 
all 33 platforms currently listed for validation #2398.
There are about 200 distinct platforms now across all validations.

So you need to look at the listed platforms for all validations[**], and find 
which of them cover your platform (possibly more than one). Then use the latest 
revision of the module for that validation.

If you only find your platform(s) of interest on a validation ending at 
revision 2.0.10 (#1747, #2473), then you're forced to use revision
2.0.10 even though 2.0.13 (and future revisions) are completely backward 
compatible. From a technical perspective 2.0.N is completely functionally 
equivalent to all previous revisions < N, but down in the
FIPS-140 rabbit hole you're limited to the latest revision for the relevant 
validation(s)[***].

The easy way to remember it is "one real-world module, multiple FIPS-land 
validations". Or as one of my colleagues would put it, "...multiple flavors of 
FIPS-140 magical pixie dust". The choice of validation certificate number is a 
paper-chase exercise.

-Steve M.

[*] Obscenely perverse, I'm not even going to try and explain it. In fact IMHO 
no rational explanation is possible.

[**] Technically speaking more than three; validations #2391, #2422, #2454, 
#2575, #2631, #2676, and possibly others are "copycat" clones done by third 
parties that introduce yet more platforms. Since these validations are for the 
same OpenSSL FIPS module they are also accessible to all under the OpenSSL 
license.

[***] OTOH note the later revisions aren't "better" than the earlier ones in 
any meaningful sense, as we're not allowed to do feature enhancements or 
bug-fixes (not even vulnerability mitigations). With most software it's prudent 
to always use the latest revision to pick up bugfixes and refinements; for the 
FIPS module it doesn't matter.

--
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] OpenSSL FOM 2.0.12 - Windows Compliance

2016-08-19 Thread Imran Ali 
Hi Guys,

I need some help. I am looking for some evidence which I can provide to my 
auditor for FOM 2.0.12 is FIPS-140 compliance when compiled and used in Windows 
environment. When I look at the NIST web site under 
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747 I 
cannot see 2.0.12 version.

Is there something I am missing?


Regards,

Imran Ali

Engineering Product Lead

[cid:image001.gif@01CE15D3.C9808950]

t: +44 (0) 118 943 0485

m: +44 (0) 780 113 7865

w: www.enghouseinteractive.com<http://www.enghouseinteractive.com/>

e: imran@enghouse.com<mailto:imran@enghouse.com>

[cid:image002.gif@01CE15D3.C9808950]
Enghouse Interactive (UK) Ltd is a company registered in England and Wales. 
Registered number: 04230977. Registered office: Imperium, Imperial Way, 
Reading, Berkshire, RG2 0TD.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Imran Ali 
I might be asking asking a very basic question so do apologies upfront but I 
need to have  a clear understanding on this.

The platforms mentioned under #1747 and #2473 does not contain the latest 
versions of Operating System e.g. Windows 2012 R2 and Windows 10. Does this 
have any impact on the certification or these libraries can now be used on any 
OS.

Regards,
Imran

-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Jakob Bohm
Sent: 27 January 2016 15:54
To: openssl-users@openssl.org
Subject: Re: [openssl-users] FIPS Certification

On 27/01/2016 16:24, Imran Ali wrote:
>
> All,
>
> Looking at the website
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
>
> There is a new date of 01/25/2016 under Validation against OpenSSL 
> Software Foundation <http://openssl.com/> (2473). Does that mean that 
> we now have a FIPS compliant Open SSL again?**
>
> **
>
According to yesterday's post by Steve Marquess, the platforms listed under 
validation #1747 and
#2473 are OK (for now), but the platforms listed under validation #2398 are 
still at risk unless
#2398 too gets updated before January 31.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com Transformervej 
29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10 This public discussion 
message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] FIPS Certification

2016-01-27 Thread Imran Ali 
All,

Looking at the website 
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm

There is a new date of 01/25/2016 under Validation against OpenSSL Software 
Foundation (2473). Does that mean that we now have a FIPS 
compliant Open SSL again?


Regards,
Imran
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] FIPS Certification

2016-01-27 Thread Imran Ali 
Thanks Steve - for the explanation. 

We are using these libraries for Windows 2012 R2 which is 6.3 and  certificate 
#1747 mentions Windows 7 which is 6.1. I am hoping based on below that we are 
OK to use it under Windows 2012 R2 

https://msdn.microsoft.com/en-gb/library/windows/desktop/ms724832(v=vs.85).aspx

Regards,
Imran

-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Steve Marquess
Sent: 27 January 2016 16:55
To: openssl-users@openssl.org
Subject: Re: [openssl-users] FIPS Certification

On 01/27/2016 11:34 AM, Imran Ali wrote:
> I might be asking asking a very basic question so do apologies upfront 
> but I need to have  a clear understanding on this.
> 
> The platforms mentioned under #1747 and #2473 does not contain the 
> latest versions of Operating System e.g. Windows 2012 R2 and Windows 
> 10. Does this have any impact on the certification or these libraries 
> can now be used on any OS.

That's actually a rather tricky question.

First off, the one OpenSSL FIPS module (for a significant overlap of
revisions) is covered by three validations; #1747, #2398, and #2473. The set of 
formally tested platforms (Operational Environments or "OEs") for that module 
is the union of the platforms listed for each of those three validations.

Roughly speaking, your platform of interest matches one of those "OEs" if:

1) The OS name matches to the first two "dot-rev" levels of the revision 
number. For instance, "AcmeOS 1.2", "AcmeOS 1.2.3", "AcmeOS 1.2.3.4" are all 
the same OS.

2) ...and the virtualization environment (ESXi, Hyper-V, Xenserver, etc.), if 
any, matches to two dot-rev levels.

3) ...and the "processor architecture" is the same. Roughly speaking, that 
means the binary FIPS module built for the specific OE processor runs as-is on 
our platform, with the same "code path". So for instance all x86 processors 
without AES-NI are equivalent to one another, as are all x86 processors with 
AES-NI.  Ditto ARMv7 with/without NEON.

Lacking such a direct match, you still have "user affirmation" per FIPS
140-2 scripture (section G.5 of the Implementation Guidance document).
That basically says that you as a vendor can "affirm" the use of the FIPS 
module on your platform of interest assuming you can build it per the mandated 
process (which in particular means *no* source code tweaks).

As with everything FIPS 140-2, there are no "bright line" rules here.
My usual advice is that you ask your customers what their expectations are. 
Some customers don't like user affirmation, and some (in DoD for
instance) impose additional requirements. On the other hand, some customers are 
fine with liberal use of user affirmation.

As a last resort, if you determine that an important customer requires a 
specific "OE" match (or if source code tweaks are necessary), you can fund 
addition of your platform(s) of interest to one of the validations.
That is how the list of formally tested platforms has over time grown to more 
than 120 "OEs", more than any other validated module.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] OpenSSL FIPS Object Module v2.0

2016-01-20 Thread Imran Ali 
Hi Steve,

Is there any update on the submissions for the OpenSSL FIPS Object Module v2.0, 
validation(s) #1747/#2398/#2474

Regards,
Imran
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] FIPS 140-2 X9.31 RNG transition expenses

2015-12-22 Thread Imran Ali 
Thanks Steve,

I was more concerned on the news that openssl may not be FIPS compliant because 
of:

'sunsetting' older FIPS validations  and the reasoning behind the change has to 
do with the Random Number Generators (RNG). As of December 31, 2015, ANSI X9.31 
and X9.62 RNG's will no longer be allowed for use in FIPS mode, leaving us the 
Random Bit Generators (RBG) of NIST SP 800-90

My understanding based on this is that any applications using ANSI X9.31 and 
X9.62 functions under FIPS mode will no longer be compliant however the whole 
openssl will still be FIPS compliant but need paper-shuffle to mark these 
changes. Am I correct with my assumption on this?

Regards,
Imran 


-Original Message-
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Steve Marquess
Sent: 22 December 2015 13:08
To: openssl-users@openssl.org
Subject: Re: [openssl-users] FIPS 140-2 X9.31 RNG transition expenses

On 12/21/2015 09:32 PM, Salz, Rich wrote:
> 
>> Just want to confirm on this item. Are we saying that to get openssl 
>> back to be FIPS compliance is just a paper shuffle. If so is there 
>> any expected eta on it as our team is using openssl version for a 
>> security project and we need a fips compliance library.
> 
> No.
> 
> We have answered this many times, but perhaps the messages were too 
> long and confusing.

Yes indeed (mea culpa). It's such a mess I don't know how to address it 
succinctly. Part of the problem is that there are multiple intertwined issues.

I think the term "paper shuffle" in this context refers to the "X9.31 RNG 
transition" issue which is (hopefully) a one shot aberration, one pothole in 
the vast wasteland of FIPS 140-2 validations. That is
(mostly) addressed, in that a benefactor has come forward (Datagravity,
Inc.) to pay the test lab fees necessary for filing the necessary paperwork. 
That has been done and now we are just waiting on the usual slow bureaucratic 
process. I'll make an announcement when that paper shuffle is complete.

> 
> We are not doing any work on adding new platforms at this time.  If 
> you cannot use one of the existing platforms, then there is no FIPS 
> support available "for free."

No "freebies". However, we are continuing to perform *sponsored* (some one pays 
for it) "change letter" additions of new platforms to the
*existing* OpenSSL FIPS module (validations #1747/#2398/#2473). We will 
continue to do so for as long as such updates are technically and economically 
feasible. Just last week eleven new platforms were added to that module this 
way, and more platforms are pending.

Those aren't free in that some sponsor needs to fund them initially, but once 
done those platforms are available to everyone. That is the collaborative 
process by which the OpenSSL FIPS module has grown to support some 120 
platforms, more by far than for any other FIPS 140-2 validated module.

> We are not taking on a new validation with new algorithms, etc., 
> unless we get one or more sponsors who are willing to contribute a 
> significant amount of money, among other things.

Correct ... we are eager to do so but lack the opportunity at present. I remain 
hopeful that we will be able to attempt this at some point.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] FIPS 140-2 X9.31 RNG transition expenses

2015-12-21 Thread Imran Ali 
Hi Steve,

Just want to confirm on this item. Are we saying that to get openssl back to be 
FIPS compliance is just a paper shuffle. If so is there any expected eta on it 
as our team is using openssl version for a security project and we need a fips 
compliance library.


Regards,
Imran

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users