Re: OpenSSL 3.0 FIPS module configuration file
On Tue, 15 Feb 2022 at 09:53, Tomas Mraz wrote: > Please note that there are two checksums in the configuration file. One > of them is the FIPS module checksum and the other is the checksum of > the configuration. You can copy the file across machines if it is > without the configuration checksum - that means the selftest will be > always run when the FIPS module (i.e., the fips provider) is loaded. > Thanks for the info! I was wondering whether there was a FIPS-compliant way to use fips.dll on a machine without first having to run 'openssl fipsinstall' on that machine, and this seems to be it. Richard
Re: OpenSSL 3.0 FIPS module configuration file
Please note that there are two checksums in the configuration file. One of them is the FIPS module checksum and the other is the checksum of the configuration. You can copy the file across machines if it is without the configuration checksum - that means the selftest will be always run when the FIPS module (i.e., the fips provider) is loaded. You cannot copy the file if the configuration checksum is present in it though because that means the selftest won't be run on the machines where you copy the configuration file to. That would be against the FIPS implementation guidance that requires to run the selftests at least once after the installation. Tomas On Tue, 2022-02-15 at 10:31 +1100, Dr Paul Dale wrote: > Yes, this has to do with the FIPS standards. I forget which > standard > it is but the self tests are mandated to be run on each device > independently. > > The fipsinstall process runs the self tests before generating the > configuration file. If the self tests fail, the module doesn't > install. Copying the configuration file across avoids the self tests > and therefore isn't compliant. > > > Pauli > > > On 15/2/22 02:25, Richard Dymond wrote: > > > > > Hi > > > > Probably a dumb question, but why must the FIPS module > > configuration file for OpenSSL 3.0 be generated on every machine > > that it is to be used on (i.e. must not be copied from one machine > > to another)? > > > > I just ran 'openssl fipsinstall' on two different machines with the > > same FIPS module and it produced exactly the same output each time, > > so presumably the reason has nothing to do with the config file > > being unique to the machine. > > > > Does it have something to do with the FIPS standard itself? > > > > Richard > > -- Tomáš Mráz, OpenSSL
Re: OpenSSL 3.0 FIPS module configuration file
There is nothing stopping cheating. If you are going to cheat, why bother with FIPS at all? Just claim you're FIPS. Pauli On 15/2/22 10:49, Ma Ar wrote: Maybe a dumb question too, considering that i am admittedly just getting into this field, but I though maybe if I ask I might learn something...is there any method of assurance that the test were then run on the machine they are installed on? If whatever those tests are attesting to to certify compliance can be falsified by copying over 1 file, what would even be to purpose of those tests? Or are simply dependency checks? Thanks for all the effort it must take in answering all these questions every day. On 2/14/2022 5:31 PM, Dr Paul Dale wrote: Yes, this has to do with the FIPS standards. I forget which standard it is but the self tests are mandated to be run on each device independently. The fipsinstall process runs the self tests before generating the configuration file. If the self tests fail, the module doesn't install. Copying the configuration file across avoids the self tests and therefore isn't compliant. Pauli On 15/2/22 02:25, Richard Dymond wrote: Hi Probably a dumb question, but why must the FIPS module configuration file for OpenSSL 3.0 be generated on every machine that it is to be used on (i.e. must not be copied from one machine to another)? I just ran 'openssl fipsinstall' on two different machines with the same FIPS module and it produced exactly the same output each time, so presumably the reason has nothing to do with the config file being unique to the machine. Does it have something to do with the FIPS standard itself? Richard
Re: OpenSSL 3.0 FIPS module configuration file
Tom, thanks for looking this up. I believe that this particular piece of guidance was removed in 140-3. Pauli On 15/2/22 10:57, Thomas Dwyer III wrote: I believe the relevant standard is described in the Implementation Guidance for FIPS 140-2: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/fips140-2/fips1402ig.pdf (see IG 9.11 beginning on page 179). I searched briefly for similar text in FIPS 140-3 IG but didn't see anything relevant. Tom.III On Mon, Feb 14, 2022 at 3:31 PM Dr Paul Dale wrote: Yes, this has to do with the FIPS standards. I forget which standard it is but the self tests are mandated to be run on each device independently. The fipsinstall process runs the self tests before generating the configuration file. If the self tests fail, the module doesn't install. Copying the configuration file across avoids the self tests and therefore isn't compliant. Pauli On 15/2/22 02:25, Richard Dymond wrote: Hi Probably a dumb question, but why must the FIPS module configuration file for OpenSSL 3.0 be generated on every machine that it is to be used on (i.e. must not be copied from one machine to another)? I just ran 'openssl fipsinstall' on two different machines with the same FIPS module and it produced exactly the same output each time, so presumably the reason has nothing to do with the config file being unique to the machine. Does it have something to do with the FIPS standard itself? Richard
Re: OpenSSL 3.0 FIPS module configuration file
I believe the relevant standard is described in the Implementation Guidance for FIPS 140-2: https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/fips140-2/fips1402ig.pdf (see IG 9.11 beginning on page 179). I searched briefly for similar text in FIPS 140-3 IG but didn't see anything relevant. Tom.III On Mon, Feb 14, 2022 at 3:31 PM Dr Paul Dale wrote: > Yes, this has to do with the FIPS standards. I forget which standard it > is but the self tests are mandated to be run on each device independently. > > The fipsinstall process runs the self tests before generating the > configuration file. If the self tests fail, the module doesn't install. > Copying the configuration file across avoids the self tests and therefore > isn't compliant. > > > Pauli > > > On 15/2/22 02:25, Richard Dymond wrote: > > Hi > > Probably a dumb question, but why must the FIPS module configuration file > for OpenSSL 3.0 be generated on every machine that it is to be used on > (i.e. must not be copied from one machine to another)? > > I just ran 'openssl fipsinstall' on two different machines with the same > FIPS module and it produced exactly the same output each time, so > presumably the reason has nothing to do with the config file being unique > to the machine. > > Does it have something to do with the FIPS standard itself? > > Richard > > >
Re: OpenSSL 3.0 FIPS module configuration file
Maybe a dumb question too, considering that i am admittedly just getting into this field, but I though maybe if I ask I might learn something...is there any method of assurance that the test were then run on the machine they are installed on? If whatever those tests are attesting to to certify compliance can be falsified by copying over 1 file, what would even be to purpose of those tests? Or are simply dependency checks? Thanks for all the effort it must take in answering all these questions every day. On 2/14/2022 5:31 PM, Dr Paul Dale wrote: Yes, this has to do with the FIPS standards. I forget which standard it is but the self tests are mandated to be run on each device independently. The fipsinstall process runs the self tests before generating the configuration file. If the self tests fail, the module doesn't install. Copying the configuration file across avoids the self tests and therefore isn't compliant. Pauli On 15/2/22 02:25, Richard Dymond wrote: Hi Probably a dumb question, but why must the FIPS module configuration file for OpenSSL 3.0 be generated on every machine that it is to be used on (i.e. must not be copied from one machine to another)? I just ran 'openssl fipsinstall' on two different machines with the same FIPS module and it produced exactly the same output each time, so presumably the reason has nothing to do with the config file being unique to the machine. Does it have something to do with the FIPS standard itself? Richard
Re: OpenSSL 3.0 FIPS module configuration file
Yes, this has to do with the FIPS standards. I forget which standard it is but the self tests are mandated to be run on each device independently. The fipsinstall process runs the self tests before generating the configuration file. If the self tests fail, the module doesn't install. Copying the configuration file across avoids the self tests and therefore isn't compliant. Pauli On 15/2/22 02:25, Richard Dymond wrote: Hi Probably a dumb question, but why must the FIPS module configuration file for OpenSSL 3.0 be generated on every machine that it is to be used on (i.e. must not be copied from one machine to another)? I just ran 'openssl fipsinstall' on two different machines with the same FIPS module and it produced exactly the same output each time, so presumably the reason has nothing to do with the config file being unique to the machine. Does it have something to do with the FIPS standard itself? Richard