Discussion:
Symmetrical encryption in FIPS mode?
Graham Leggett
2014-10-02 16:49:33 UTC
Hi all,

Looking at the headers in the FIPS module of openssl, I see none of the EVP_Encrypt* functions are available. Am I assuming correctly that no symmetrical encryption is possible at all in FIPS mode?

Regards,
Graham


______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
Tom Francis
2014-10-02 18:48:49 UTC
Your assumption is incorrect. Note that when you use the FIPS module, you should not attempt to use the FIPS module directly — instead, you build a separate version of OpenSSL that uses the FIPS module (after building the FIPS module). You then link the new libcrypto (and libssl if you need it), and invoke the usual OpenSSL functions. If your application calls FIPS_mode_set() first, then the FIPS module will be used for all crypto routines, while regular OpenSSL stuff is used for non-crypto functionality. If you don’t call FIPS_mode_set() first, then cryptographic routines come from the regular OpenSSL library*, and your application cannot be considered as using any kind of FIPS 140 module.

See the FIPS User’s guide for more info, because FIPS 140 compliance means that some cryptographic algorithms are disabled when in “FIPS mode”. IIRC, there’s also a full list of algorithms that are available in FIPS mode in the User’s guide, and if not, the Security Policy should detail that information.

TOM

* IIRC, there’s a bug when using the 1.x FIPS modules, where all encryption still routes through the FIPS module, even when not in FIPS mode, unless the algorithm is unavailable in the FIPS module. I don’t recall if that problem was fixed for use with the current FIPS module.