FIPS modules

From OpenSSLWiki
Revision as of 14:22, 20 September 2016 by Stevem (talk | contribs) (link to 2.0 module page)

There is currently only one extant FIPS 140-2 validated cryptographic module, the OpenSSL FIPS Object Module 2.0. This module is revised periodically with platform portability modifications to support additional platforms (general improvements and bugfixes, even security vulnerability mitigations, are not permitted[1]). As of September 2016 the latest module revision is 2.0.13.

The 2.0 module is rather confusingly covered by three very similar validations, the original #1747[2] and the "Alternative Scenario 1A" clone validations #2398[3] and #2473[4]. For perverse and inscrutable bureaucratic reasons the #1747 validation cannot be updated and it and #2473 will forever remain at revision 2.0.10. New platforms can be added to #2398 for revision 2.0.10, and new platforms and new revisions can currently be added to the #2398 validation. The choice of validation is a paperwork consideration as all three validations reference the same cryptographic module. Note that there are also a number of third party clone validations that reference exactly the same cryptographic module. Since that module is available under the OpenSSL open source license, any such validation can be cited for satisfying FIPS 140-2 validation requirements. Collectively across all such validations the 2.0 FIPS module has more than two hundred formally tested platforms (known as "Operational Environments" in FIPS-speak). More information about the 2.0 FIPS module can be found starting at FIPS_module_2.0.

The 2.0 FIPS module is compatible with OpenSSL releases 1.0.1 and 1.0.2, and no others. The extensive internal structural changes for OpenSSL 1.1 preclude the use of the 2.0 FIPS module with that release.

A new effort to develop and validate a new open source based cryptographic module was announced in July 2016[5]. This new module will be usable with OpenSSL release 1.1. It will provisionally be called OpenSSL FIPS Object Module 3.0. Notes and commentary can be found starting at FIPS_module_3.0.