Enabling FIPS on an custom embedded system.

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Enabling FIPS on an custom embedded system.

Eric Tremblay

Hi all,

 

I have built the FIPS module into our Platform but I am stuck at the point to enable it.

 

We need FIPS to be enabled « Platform wide » not just for one application.

 

I have read the documentation and search on the web for answer but it seem that I would have 

to modify a package or write a small application just to enable FIPS.

 

Is there another way to enable it on startup of Linux ?  or maybe something in OpenSSH ?

 

I also read about the OPENSSL_Config in the User Guide but I’m not sure if/who and how it is called.

 

I am working with OpenSSL 1.0.2j and FIPS 2.0.9.

 

Thanks

 

Eric


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Enabling FIPS on an custom embedded system.

Steve Marquess-4
On 10/26/2016 04:37 PM, Eric Tremblay wrote:

> Hi all,____
>
> __ __
>
> I have built the FIPS module into our Platform but I am stuck at the
> point to enable it.____
>
> __ __
>
> We need FIPS to be enabled « Platform wide » not just for one
> application.____
>
> __ __
>
> I have read the documentation and search on the web for answer but it
> seem that I would have ____
>
> to modify a package or write a small application just to enable FIPS.____
>
> __ __
>
> Is there another way to enable it on startup of Linux ?  or maybe
> something in OpenSSH ?____
>
> __ __
>
> I also read about the OPENSSL_Config in the User Guide but I’m not sure
> if/who and how it is called.____
>
> __ __
>
> I am working with OpenSSL 1.0.2j and FIPS 2.0.9.____
>
> __ __
>
> Thanks____
>
> __ __
>
> Eric
>
>
>


Hmmm ... where to start.

First there is really no such thing as "enabling FIPS" for a platform.
The FIPS module is executable code that runs in the context of a
process, and to be righteous FIPS-wise each process (that uses
cryptography) must invoke the FIPS_mode_set() call that performs the
mandatory POST (Power Up Self Test). Note that is true even when the
FIPS module is embedded in a shared library (the "FIPS enabled"
OpenSSL), as each process using said shared library maps writable data
into its own private address space.

So to make the sweeping claim that a "platform" is FIPS enabled, you
must make sure that *every* process for that platform enables FIPS mode
via a FIPS_mode_set() call (whether directly or indirectly). Note that
for your typical general purpose (e.g. Windows or Linux-like) operating
system that is an essentially unachievable goal, as not all of the many
crypto-using applications are readily converted to use the FIPS enabled
OpenSSL (for instance OpenSSH needs non-trivial hacks). Likewise
kernel-mode crypto can't be addressed with the OpenSSL FIPS module.

For that reason the wise and prudent vendor does not attempt to "enable
FIPS" for an entire platform (for Level 1 validations), but rather only
makes claims about specific individual applications running on that
platform.

In the case where all processes of interest are compatible with the FIPS
capable OpenSSL (specifically, not referencing any other crypto
implementations, or non-approved cryptographic operations), then
OPENSSL_config() can in principle be used to indirectly call
FIPS_mode_set() for each such application. That is only *after* every
such application/process has *first* been modified for compatibility
with the FIPS capable OpenSSL. Very few applications not already
designed to support the OpenSSL FIPS module will be compatible without
some degree of modification.

-Steve M.

--
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
[hidden email]
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Enabling FIPS on an custom embedded system.

Eric Tremblay
Hi Steve,

Thanks for the quick reply.

That is what I had understand from my reading but wasn't sure.

My next question is about OpenSSH.  There is no official support in OpenSSH for FIPS at the moment right ?

Thanks

Eric



On Wed, Oct 26, 2016 at 5:04 PM, Steve Marquess <[hidden email]> wrote:
On 10/26/2016 04:37 PM, Eric Tremblay wrote:
> Hi all,____
>
> __ __
>
> I have built the FIPS module into our Platform but I am stuck at the
> point to enable it.____
>
> __ __
>
> We need FIPS to be enabled « Platform wide » not just for one
> application.____
>
> __ __
>
> I have read the documentation and search on the web for answer but it
> seem that I would have ____
>
> to modify a package or write a small application just to enable FIPS.____
>
> __ __
>
> Is there another way to enable it on startup of Linux ?  or maybe
> something in OpenSSH ?____
>
> __ __
>
> I also read about the OPENSSL_Config in the User Guide but I’m not sure
> if/who and how it is called.____
>
> __ __
>
> I am working with OpenSSL 1.0.2j and FIPS 2.0.9.____
>
> __ __
>
> Thanks____
>
> __ __
>
> Eric
>
>
>


Hmmm ... where to start.

First there is really no such thing as "enabling FIPS" for a platform.
The FIPS module is executable code that runs in the context of a
process, and to be righteous FIPS-wise each process (that uses
cryptography) must invoke the FIPS_mode_set() call that performs the
mandatory POST (Power Up Self Test). Note that is true even when the
FIPS module is embedded in a shared library (the "FIPS enabled"
OpenSSL), as each process using said shared library maps writable data
into its own private address space.

So to make the sweeping claim that a "platform" is FIPS enabled, you
must make sure that *every* process for that platform enables FIPS mode
via a FIPS_mode_set() call (whether directly or indirectly). Note that
for your typical general purpose (e.g. Windows or Linux-like) operating
system that is an essentially unachievable goal, as not all of the many
crypto-using applications are readily converted to use the FIPS enabled
OpenSSL (for instance OpenSSH needs non-trivial hacks). Likewise
kernel-mode crypto can't be addressed with the OpenSSL FIPS module.

For that reason the wise and prudent vendor does not attempt to "enable
FIPS" for an entire platform (for Level 1 validations), but rather only
makes claims about specific individual applications running on that
platform.

In the case where all processes of interest are compatible with the FIPS
capable OpenSSL (specifically, not referencing any other crypto
implementations, or non-approved cryptographic operations), then
OPENSSL_config() can in principle be used to indirectly call
FIPS_mode_set() for each such application. That is only *after* every
such application/process has *first* been modified for compatibility
with the FIPS capable OpenSSL. Very few applications not already
designed to support the OpenSSL FIPS module will be compatible without
some degree of modification.

-Steve M.

--
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
<a href="tel:%2B1%20877%20673%206775" value="+18776736775">+1 877 673 6775 s/b
<a href="tel:%2B1%20301%20874%202571" value="+13018742571">+1 301 874 2571 direct
[hidden email]
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Enabling FIPS on an custom embedded system.

Scott Neugroschl-2

No.   You can check with the OpenSSH mailing list, but I’m pretty darned sure the answer is no.

 

 

---

Scott Neugroschl | XYPRO Technology Corporation

4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

 

 

 

 

 

From: openssl-users [mailto:[hidden email]] On Behalf Of Eric Tremblay
Sent: Wednesday, October 26, 2016 3:06 PM
To: [hidden email]
Subject: Re: [openssl-users] Enabling FIPS on an custom embedded system.

 

Hi Steve,

 

Thanks for the quick reply.

 

That is what I had understand from my reading but wasn't sure.

 

My next question is about OpenSSH.  There is no official support in OpenSSH for FIPS at the moment right ?

 

Thanks

 

Eric

 

 

 

On Wed, Oct 26, 2016 at 5:04 PM, Steve Marquess <[hidden email]> wrote:

On 10/26/2016 04:37 PM, Eric Tremblay wrote:
> Hi all,____
>
> __ __
>
> I have built the FIPS module into our Platform but I am stuck at the
> point to enable it.____
>
> __ __
>
> We need FIPS to be enabled « Platform wide » not just for one
> application.____
>
> __ __
>
> I have read the documentation and search on the web for answer but it
> seem that I would have ____
>
> to modify a package or write a small application just to enable FIPS.____
>
> __ __
>
> Is there another way to enable it on startup of Linux ?  or maybe
> something in OpenSSH ?____
>
> __ __
>
> I also read about the OPENSSL_Config in the User Guide but I’m not sure
> if/who and how it is called.____
>
> __ __
>
> I am working with OpenSSL 1.0.2j and FIPS 2.0.9.____
>
> __ __
>
> Thanks____
>
> __ __
>
> Eric
>
>
>


Hmmm ... where to start.

First there is really no such thing as "enabling FIPS" for a platform.
The FIPS module is executable code that runs in the context of a
process, and to be righteous FIPS-wise each process (that uses
cryptography) must invoke the FIPS_mode_set() call that performs the
mandatory POST (Power Up Self Test). Note that is true even when the
FIPS module is embedded in a shared library (the "FIPS enabled"
OpenSSL), as each process using said shared library maps writable data
into its own private address space.

So to make the sweeping claim that a "platform" is FIPS enabled, you
must make sure that *every* process for that platform enables FIPS mode
via a FIPS_mode_set() call (whether directly or indirectly). Note that
for your typical general purpose (e.g. Windows or Linux-like) operating
system that is an essentially unachievable goal, as not all of the many
crypto-using applications are readily converted to use the FIPS enabled
OpenSSL (for instance OpenSSH needs non-trivial hacks). Likewise
kernel-mode crypto can't be addressed with the OpenSSL FIPS module.

For that reason the wise and prudent vendor does not attempt to "enable
FIPS" for an entire platform (for Level 1 validations), but rather only
makes claims about specific individual applications running on that
platform.

In the case where all processes of interest are compatible with the FIPS
capable OpenSSL (specifically, not referencing any other crypto
implementations, or non-approved cryptographic operations), then
OPENSSL_config() can in principle be used to indirectly call
FIPS_mode_set() for each such application. That is only *after* every
such application/process has *first* been modified for compatibility
with the FIPS capable OpenSSL. Very few applications not already
designed to support the OpenSSL FIPS module will be compatible without
some degree of modification.

-Steve M.

--
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
<a href="tel:%2B1%20877%20673%206775">+1 877 673 6775 s/b
<a href="tel:%2B1%20301%20874%202571">+1 301 874 2571 direct
[hidden email]
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

 


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Enabling FIPS on an custom embedded system.

Steve Marquess-4
In reply to this post by Eric Tremblay
On 10/26/2016 06:06 PM, Eric Tremblay wrote:

> Hi Steve,
>
> Thanks for the quick reply.
>
> That is what I had understand from my reading but wasn't sure.
>
> My next question is about OpenSSH.  There is no official support in
> OpenSSH for FIPS at the moment right ?
>
> Thanks
>
> Eric
>

No, and there never will be; as I understand it the OpenSSH project has
taken the position that FIPS 140 isn't a desirable feature for OpenSSH.
TBH they have a point; from any technical perspective (e.g. security,
performance, maintainability) FIPS support is a negative. Ditto x.509
where the OpenSSH project has implemented a much simpler and more robust
certificate scheme.

You can find a rather old patch at
http://openssl.com/export/openssh/openssh-6.0p1.fips-revised.patch, but
note that OpenSSH has evolved considerably since then.

There is another issue to consider as well. The only sane reason to use
FIPS 140 validated software is for deployment in environments where such
validation is a mandatory policy requirement. The US DoD is the largest
such environment, and there x.509 is also a mandate. Roumen Petrov has
for years maintained patches to add x.509 support to OpenSSH
(http://roumenpetrov.info/openssh/), but hacking OpenSSH for both FIPS
140 and x.509 is not a project for the faint-hearted, and since OpenSSH
is unlikely to ever add either feature officially you're left with a
long maintenance tail.

-Steve M.

--
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
[hidden email]
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users