FIPS modules - Revision history

Matt: Update status of 2.0 and 3.0 modules

2019-05-31T10:03:27Z

Update status of 2.0 and 3.0 modules

Tjh at 03:54, 31 December 2017

2017-12-31T03:54:42Z

Stevem: link to 2.0 module page

2016-09-20T14:22:52Z

link to 2.0 module page

Stevem: Initial draft

2016-09-19T13:00:10Z

Initial draft

New page

There is currently only one extant FIPS 140-2 validated cryptographic module, the ''OpenSSL FIPS Object Module 2.0''. This module is revised periodically with platform portability modifications to support additional platforms (general improvements and bugfixes, even security vulnerability mitigations, are not permitted[http://veridicalsystems.com/blog/immutability-of-fips/]). As of September 2016 the latest module revision is 2.0.13.

The 2.0 module is rather confusingly covered by three very similar validations, the original #1747[http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747] and the "Alternative Scenario 1A" clone validations #2398 [http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2398] and #2473 [http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2473]. For perverse and inscrutable bureaucratic reasons the #1747 validation cannot be updated and it and #2473 will forever remain at revision 2.0.10. New platforms can be added to #2398 for revision 2.0.10, and new platforms and new revisions can currently be added to the #2398 validation. The choice of validation is a paperwork consideration as all three validations reference the same cryptographic module. Note there are also a number of third party clone validations that also reference exactly the same cryptographic module. Since that module is available under the OpenSSL open source license, any such validation can be cited for satisfying FIPS 140-2 validation requirements. Collectively across all such validations the 2.0 FIPS module has more than two hundred formally tested platforms (known as "Operational Environments" in FIPS-speak).

The 2.0 FIPS module is compatible with OpenSSL releases 1.0.1 and 1.0.2, and no others. The extensive internal structural changes for OpenSSL 1.1 preclude the use of the 2.0 FIPS module with that release.

A new validation effort is to develop and validate a new open source based cryptographic module was announced in July 2016[https://www.openssl.org/blog/blog/2016/07/20/fips/]. This new module will be usable with OpenSSL release 1.1. It will provisionally be called ''OpenSSL FIPS Object Module 3.0''. Notes and commentary can be found starting at [[FIPS_module_3.0]].

@@ Line 1: / Line 1: @@
-There is currently only one extant FIPS 140-2 validated cryptographic module, the ''OpenSSL FIPS Object Module 2.0''. This module is revised periodically with platform portability modifications to support additional platforms (general improvements and bugfixes, even security vulnerability mitigations, are not permitted[http://veridicalsystems.com/blog/immutability-of-fips/]). As of September 2016 the latest module revision is 2.0.13.
+There is currently only one extant FIPS 140-2 validated cryptographic module, the ''OpenSSL FIPS Object Module 2.0''. This module is no longer being updated. As of May 2017 the latest module revision is 2.0.16.
-The 2.0 module is rather confusingly covered by three very similar validations, the original #1747[http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747] and the "Alternative Scenario 1A" clone validations #2398 [http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2398] and #2473 [http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2473]. For various reasons the #1747 validation cannot be updated and it and #2473 will forever remain at revision 2.0.10. New platforms can be added to #2398 for revision 2.0.10, and new platforms and new revisions can currently be added to the #2398 validation. The choice of validation is a paperwork consideration as all three validations reference the same cryptographic module. Note there are also a number of third party clone validations that also reference exactly the same cryptographic module. Since that module is available under the OpenSSL open source license, any such validation can be cited for satisfying FIPS 140-2 validation requirements. Collectively across all such validations the 2.0 FIPS module has more than two hundred formally tested platforms (known as "Operational Environments" in FIPS-speak).  More information about the 2.0 FIPS module can be found starting at [[FIPS_module_2.0]].
+The 2.0 module is rather confusingly covered by three very similar validations, the original #1747[http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747] and the "Alternative Scenario 1A" clone validations #2398 [http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2398] and #2473 [http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2473]. The choice of validation is a paperwork consideration as all three validations reference the same cryptographic module. Note there are also a number of third party clone validations that also reference exactly the same cryptographic module. Since that module is available under the OpenSSL open source license, any such validation can be cited for satisfying FIPS 140-2 validation requirements. Collectively across all such validations the 2.0 FIPS module has more than two hundred formally tested platforms (known as "Operational Environments" in FIPS-speak).  More information about the 2.0 FIPS module can be found starting at [[FIPS_module_2.0]].
 The 2.0 FIPS module is compatible with OpenSSL releases 1.0.1 and 1.0.2, and no others. The extensive internal structural changes for OpenSSL 1.1 preclude the use of the 2.0 FIPS module with that release.
-A new validation effort is to develop and validate a new open source based cryptographic module was announced in July 2016[https://www.openssl.org/blog/blog/2016/07/20/fips/].
+A new validation effort to develop and validate a new open source based cryptographic module was announced in July 2016[https://www.openssl.org/blog/blog/2016/07/20/fips/].
-This new module will be usable with OpenSSL release 1.1. It will provisionally be called ''OpenSSL FIPS Object Module 3.0''.  Notes and commentary can be found starting at [[FIPS_module_3.0]].
+This new module will be usable with OpenSSL 3.0 currently under development. The module will not work with OpenSSL 1.1.1 or OpenSSL 1.1.0. It will be called ''OpenSSL FIPS Object Module 3.0''.  Notes and commentary can be found starting at [[FIPS_module_3.0]]. The architecture and design documents can be found at [https://www.openssl.org/docs/OpenSSLStrategicArchitecture.html] and [https://www.openssl.org/docs/OpenSSL300Design.html]