Difference between revisions of "FIPS modules"

From OpenSSLWiki
m (link to 2.0 module page)
(Update status of 2.0 and 3.0 modules)
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
There is currently only one extant FIPS 140-2 validated cryptographic module, the ''OpenSSL FIPS Object Module 2.0''. This module is revised periodically with platform portability modifications to support additional platforms (general improvements and bugfixes, even security vulnerability mitigations, are not permitted[http://veridicalsystems.com/blog/immutability-of-fips/]). As of September 2016 the latest module revision is 2.0.13.
+
There is currently only one extant FIPS 140-2 validated cryptographic module, the ''OpenSSL FIPS Object Module 2.0''. This module is no longer being updated. As of May 2017 the latest module revision is 2.0.16.
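Review bot: The replacement sentence "This module is no longer being updated" drops the earlier parenthetical stating that general improvements, bugfixes and even security vulnerability mitigations are not permitted, together with its veridicalsystems.com reference. That constraint is the security-relevant part of the paragraph for anyone still deploying revision 2.0.16, so consider keeping the parenthetical and its link after the new sentence rather than removing them.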
  
The 2.0 module is rather confusingly covered by three very similar validations, the original #1747[http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747] and the "Alternative Scenario 1A" clone validations #2398 [http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2398] and #2473 [http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2473]. For perverse and inscrutable bureaucratic reasons the #1747 validation cannot be updated and it and #2473 will forever remain at revision 2.0.10. New platforms can be added to #2398 for revision 2.0.10, and new platforms and new revisions can currently be added to the #2398 validation. The choice of validation is a paperwork consideration as all three validations reference the same cryptographic module. Note there are also a number of third party clone validations that also reference exactly the same cryptographic module. Since that module is available under the OpenSSL open source license, any such validation can be cited for satisfying FIPS 140-2 validation requirements. Collectively across all such validations the 2.0 FIPS module has more than two hundred formally tested platforms (known as "Operational Environments" in FIPS-speak).  More information about the 2.0 FIPS module can be founf starting at [[FIPS_module_2.0]].
+
The 2.0 module is rather confusingly covered by three very similar validations, the original #1747[http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747] and the "Alternative Scenario 1A" clone validations #2398 [http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2398] and #2473 [http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2473]. The choice of validation is a paperwork consideration as all three validations reference the same cryptographic module. Note there are also a number of third party clone validations that also reference exactly the same cryptographic module. Since that module is available under the OpenSSL open source license, any such validation can be cited for satisfying FIPS 140-2 validation requirements. Collectively across all such validations the 2.0 FIPS module has more than two hundred formally tested platforms (known as "Operational Environments" in FIPS-speak).  More information about the 2.0 FIPS module can be found starting at [[FIPS_module_2.0]].
  
 
The 2.0 FIPS module is compatible with OpenSSL releases 1.0.1 and 1.0.2, and no others. The extensive internal structural changes for OpenSSL 1.1 preclude the use of the 2.0 FIPS module with that release.
 
The 2.0 FIPS module is compatible with OpenSSL releases 1.0.1 and 1.0.2, and no others. The extensive internal structural changes for OpenSSL 1.1 preclude the use of the 2.0 FIPS module with that release.
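Review bot: In the validations paragraph, the removed sentences were the only place that said which validation tracks which revision (#1747 and #2473 fixed at revision 2.0.10, new revisions added to #2398). With the latest revision now given as 2.0.16, the remaining "paperwork consideration" sentence reads as if all three validations cover any revision. If the old mapping still holds, keep one sentence saying which validation lists revision 2.0.16.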
  
A new validation effort is to develop and validate a new open source based cryptographic module was announced in July 2016[https://www.openssl.org/blog/blog/2016/07/20/fips/]. This new module will be usable with OpenSSL release 1.1. It will provisionally be called ''OpenSSL FIPS Object Module 3.0''.  Notes and commentary can be found starting at [[FIPS_module_3.0]].
+
A new validation effort to develop and validate a new open source based cryptographic module was announced in July 2016[https://www.openssl.org/blog/blog/2016/07/20/fips/].  
 +
This new module will be usable with OpenSSL 3.0 currently under development. The module will not work with OpenSSL 1.1.1 or OpenSSL 1.1.0. It will be called ''OpenSSL FIPS Object Module 3.0''.  Notes and commentary can be found starting at [[FIPS_module_3.0]]. The architecture and design documents can be found at [https://www.openssl.org/docs/OpenSSLStrategicArchitecture.html] and [https://www.openssl.org/docs/OpenSSL300Design.html]
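Review bot: "OpenSSL 3.0 currently under development" in the added text carries no date, unlike the "As of May 2017" in the first paragraph, so it will go stale silently; add an "as of" date here as well. The edit also drops "provisionally" from the module name, which should be confirmed as intentional, and the final sentence with the two design document links is missing its closing period.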

Latest revision as of 10:03, 31 May 2019

There is currently only one extant FIPS 140-2 validated cryptographic module, the OpenSSL FIPS Object Module 2.0. This module is no longer being updated. As of May 2017 the latest module revision is 2.0.16.

The 2.0 module is rather confusingly covered by three very similar validations, the original #1747 [http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#1747] and the "Alternative Scenario 1A" clone validations #2398 [http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2398] and #2473 [http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#2473]. The choice of validation is a paperwork consideration as all three validations reference the same cryptographic module. Note there are also a number of third party clone validations that also reference exactly the same cryptographic module. Since that module is available under the OpenSSL open source license, any such validation can be cited for satisfying FIPS 140-2 validation requirements. Collectively across all such validations the 2.0 FIPS module has more than two hundred formally tested platforms (known as "Operational Environments" in FIPS-speak). More information about the 2.0 FIPS module can be found starting at FIPS_module_2.0.

The 2.0 FIPS module is compatible with OpenSSL releases 1.0.1 and 1.0.2, and no others. The extensive internal structural changes for OpenSSL 1.1 preclude the use of the 2.0 FIPS module with that release.

A new validation effort to develop and validate a new open source based cryptographic module was announced in July 2016 [https://www.openssl.org/blog/blog/2016/07/20/fips/]. This new module will be usable with OpenSSL 3.0, currently under development. The module will not work with OpenSSL 1.1.1 or OpenSSL 1.1.0. It will be called OpenSSL FIPS Object Module 3.0. Notes and commentary can be found starting at FIPS_module_3.0. The architecture and design documents can be found at [https://www.openssl.org/docs/OpenSSLStrategicArchitecture.html] and [https://www.openssl.org/docs/OpenSSL300Design.html].