FIPS modules

From OpenSSLWiki

There is currently only one extant FIPS 140-2 validated cryptographic module, the OpenSSL FIPS Object Module 2.0. This module is no longer being updated. As of May 2017 the latest module revision is 2.0.16.

The 2.0 module is rather confusingly covered by three very similar validations: the original #1747[1] and the "Alternative Scenario 1A" clone validations #2398[2] and #2473[3]. The choice of validation is a paperwork consideration, as all three validations reference the same cryptographic module. Note that there are also a number of third-party clone validations that reference exactly the same cryptographic module. Since that module is available under the OpenSSL open source license, any such validation can be cited to satisfy FIPS 140-2 validation requirements. Collectively, across all such validations, the 2.0 FIPS module has more than two hundred formally tested platforms (known as "Operational Environments" in FIPS-speak). More information about the 2.0 FIPS module can be found starting at FIPS_module_2.0.

The 2.0 FIPS module is compatible with OpenSSL releases 1.0.1 and 1.0.2, and no others. The extensive internal structural changes for OpenSSL 1.1 preclude the use of the 2.0 FIPS module with that release.

A new validation effort to develop and validate a new open source based cryptographic module was announced in July 2016[4]. This new module will be usable with OpenSSL 3.0, currently under development. The module will not work with OpenSSL 1.1.1 or OpenSSL 1.1.0. It will be called OpenSSL FIPS Object Module 3.0. Notes and commentary can be found starting at FIPS_module_3.0. The architecture and design documents can be found at [5] and [6].