FIPS 140-2 key wrapping transition


FIPS 140-2 key wrapping transition

Zeke Evans-2

Hi,

 

NIST recently gave notice of the Symmetric Key Wrapping Transition; details are found here: https://csrc.nist.gov/projects/cryptographic-module-validation-program/notices. It is not clear to me whether the FIPS 2.0 module is affected by this. I am mostly curious about this part:

 

All validations on the Active Validation List that implement the previously allowed AES or TDEA key wrapping

  • Entries will be moved to the Historical List. 

 

Can someone verify whether the FIPS 2.0 validation is affected by this?

 

Thanks,

Zeke Evans

Senior Software Engineer

Micro Focus


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: FIPS 140-2 key wrapping transition

OpenSSL - User mailing list

The OpenSSL FIPS Validation #1747 is affected by the key wrapping transition and will therefore be moved to Historical at some point.

 

As we've said, FIPS will be the focus of our next feature release after 1.1.1 (TLS 1.3).

 



Re: FIPS 140-2 key wrapping transition

Zeke Evans-2

I am trying to understand how validation #1747 is affected by the key wrapping transition.  As far as I can tell, the FIPS module does not contain a key wrapping algorithm per se but only provides approved methods that a key wrapping algorithm could use. 

 

Does FIPS 2.0 contain approved methods in order to implement a key wrapping algorithm compliant with SP 800-38F? Is FIPS_evp_des_ede3_cbc not sufficient?

 

If not, why would the absence of that push validation #1747 to the Historical list?  I am not seeing a claim the key wrapping is covered in validation #1747 or any code inside the module that implements something that is now deprecated.

 

Is it at all possible to implement a compliant key wrapping method in the FIPS capable code using approved methods?  I realize if this was possible it probably would have been done already.  I am just hoping to understand the issues surrounding this.

 

Thanks for your help!

 

Zeke Evans

Senior Software Engineer

Micro Focus

 

 

From: openssl-users [mailto:[hidden email]] On Behalf Of Salz, Rich via openssl-users
Sent: Friday, February 02, 2018 5:26 PM
To: [hidden email]
Subject: Re: [openssl-users] FIPS 140-2 key wrapping transition

 

The OpenSSL FIPS Validation #1747 is affected by the key wrapping transition and will therefore be moved to Historical at some point.

 

As we've said, FIPS will be the focus of our next feature release after 1.1.1 (TLS 1.3).

 



Re: FIPS 140-2 key wrapping transition

Mark Minnoch
In reply to this post by Zeke Evans-2
The OpenSSL FOM Cert. #1747 will not be moved to the CMVP Historical List since it does not implement a non-compliant AES key wrapping service in the defined cryptographic boundary.

All of the FIPS modules that implement a non-compliant AES key wrapping service have already been moved to the Historical List.

Mark J. Minnoch
Co-Founder, CISSP, CISA
KeyPair Consulting Inc.
+1 (805) 550-3231 mobile
https://KeyPair.us
https://www.linkedin.com/in/minnoch

We expertly guide technology companies in achieving their FIPS goals




