How to link openssl FIPS 140-2 object module with openssl binary


How to link openssl FIPS 140-2 object module with openssl binary

Nayna Jain

Hi,

I want to use FIPS compliant algorithms and keys. For that, I understand I
need to have the OpenSSL FIPS object library along with the default OpenSSL.

However, I do not understand how to install them. My questions are:

1. Both are tar.gz. Should I run ./Configure, make and make install for
both of them, and that is done? If this is the case, how does openssl link
with the FIPS object module?
2. While compiling or building the openssl lib itself, I need to link it to
the FIPS object module. If that is the case, where and how do I have to set
that linking option while building?

Please guide.

Thanks & Regards,
        - Nayna


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: How to link openssl FIPS 140-2 object module with openssl binary

Jeffrey Walton-3
On Thu, Jan 10, 2013 at 3:07 AM, Nayna Jain <[hidden email]> wrote:

>
> Hi,
>
> I want to use FIPS compliant algorithms and keys. For that I understand, I
> need to have Openssl FIPS object library along with default openssl.
>
> However, I am not understanding how to install them. My questions are :
>
> 1. Both are tar.gz. Should I run ./Configure, make and make install for
> both of them and that is done.
No.

The FIPS Object Module (openssl-fips-2.0.N/ directory) uses: `./config fipscanisterbuild`

The FIPS Capable library (openssl-1.0.x/ directory) uses: `./config fips <options>`

> If this is the case, how does openssl links
> with FIPS object module.
Nothing special is required. You use the FIPS Capable library
(libcrypto.a and libssl.a); the FIPS Capable library uses the FIPS
Object Module (fipscanister.o). It's all transparent to the user.

> 2. While compiling or building openssl lib itself I need to link it to FIPS
> object module. If that is the case, where and how do I have to set that
> linking option while building.
Nothing special is required (Chapter 2 of the User Guide 2.0 is a bit
misleading, IIRC). Just link against libcrypto.a, and act like
fipscanister.o does not exist.

> Please guide.
As requested: openssl.org/docs/fips/UserGuide-2.0.pdf.

Jeff
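An added example, not code from the thread or from the OpenSSL project: the two-stage build Jeff describes above, as a shell script with the checks a practitioner would add. The source directory names, the install prefixes and the DRY_RUN switch are this script's own assumptions; /usr/local/ssl/fips-2.0 is the module's default install location per the User Guide 2.0. One caveat to "act like fipscanister.o does not exist": that holds for applications linking the shared libcrypto, where fipsld has already embedded the integrity HMAC during the OpenSSL build. An executable linked statically against libcrypto.a must itself be linked through fipsld (stage 3 below), or FIPS_mode_set(1) fails its integrity test at run time.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSSL project): the two-stage
# FIPS build, scripted, with the checks the FIPS User Guide 2.0 expects.
# Directory names are assumptions; /usr/local/ssl/fips-2.0 is the module's
# default install prefix. DRY_RUN=1 prints the commands instead of running.
set -eu

run() { if [ -n "${DRY_RUN:-}" ]; then echo "+ $*"; else "$@"; fi; }

# Stage 1: the FIPS Object Module (openssl-fips-2.0.N). The build command is
# `./config fipscanisterbuild`, not a plain ./config, and neither the source
# nor this procedure may be modified: the validation covers exactly this build.
build_fips_module() {   # usage: build_fips_module <openssl-fips-2.0.N dir>
    ( cd "$1" && run ./config fipscanisterbuild && run make && run make install )
}

# Compare two fips_standalone_sha1 result lines. The tool names the file it
# was given before the digest, so that part differs between the .sha1 file
# written at build time and a fresh run; only the hex (last field) counts.
check_canister_hmac() { # usage: check_canister_hmac <expected line> <actual line>
    [ -n "${1##* }" ] && [ "${1##* }" = "${2##* }" ]
}

# Stage 1 check: the installed canister must match the digest recorded when
# it was built. FIPS_mode_set(1) repeats an integrity test at run time, but
# a corrupted or substituted module is cheaper to catch here.
verify_canister() {     # usage: verify_canister <fipsdir>
    fipsdir=$1
    if [ -n "${DRY_RUN:-}" ]; then echo "+ verify canister in $fipsdir"; return 0; fi
    expected=$(cat "$fipsdir/lib/fipscanister.o.sha1")
    actual=$("$fipsdir/bin/fips_standalone_sha1" "$fipsdir/lib/fipscanister.o")
    check_canister_hmac "$expected" "$actual" || {
        echo "fipscanister.o digest mismatch under $fipsdir" >&2; return 1; }
}

# Stage 2: the FIPS Capable OpenSSL (openssl-1.0.x). `fips` makes Configure
# build libcrypto around the installed canister; --with-fipsdir locates it.
# fipsld embeds the HMAC into libcrypto.so during this make, so applications
# that link the shared library need nothing further at link time.
build_fips_capable() {  # usage: build_fips_capable <openssl-1.0.x dir> <fipsdir> <prefix>
    ( cd "$1" && run ./config fips --with-fipsdir="$2" --prefix="$3" shared \
        && run make && run make install )
}

# Stage 3, static linking only: an executable built against libcrypto.a must
# be linked through fipsld so the HMAC of the final image is embedded;
# otherwise FIPS_mode_set(1) fails its integrity test at run time.
link_app_static() {     # usage: link_app_static <fipsdir> <prefix> <output> <objects...>
    fipsdir=$1; prefix=$2; out=$3; shift 3
    export FIPSLD_CC="${CC:-gcc}"
    run "$fipsdir/bin/fipsld" -o "$out" "$@" -L"$prefix/lib" -lcrypto -ldl
}

# fipsdir is wherever stage 1's make install put the module
# (/usr/local/ssl/fips-2.0 by default).
build_all() {           # usage: build_all <fips src> <openssl src> <fipsdir> <prefix>
    build_fips_module "$1"
    verify_canister "$3"
    build_fips_capable "$2" "$3" "$4"
}

# e.g.  DRY_RUN=1 sh build_fips_openssl.sh openssl-fips-2.0.5 openssl-1.0.1
if [ $# -ge 2 ]; then
    build_all "$1" "$2" /usr/local/ssl/fips-2.0 /usr/local/ssl
fi
```

Run it with DRY_RUN=1 first to see the command sequence (the two `make install` steps normally need root). Whatever the application links, shared or static, it still has to call FIPS_mode_set(1) before any other crypto call; without that call it is running the same library in non-FIPS mode.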

Re: How to link openssl FIPS 140-2 object module with openssl binary

Nayna Jain
Thanks Jeffrey for the quick response.

I have one more question.

Actually, there is also a NIST Recommendations document, i.e. NIST SP 800-131A.

To satisfy the requirements of NIST SP 800-131A:

1. Do we need to use the FIPS Object Module library?
2. Do we just need to make sure that we use the correct algos/keys from the
standard openssl lib (without the FIPS lib) to satisfy the NIST SP 800-131A
requirements?

Thanks & Regards,
Nayna Jain



From: Jeffrey Walton <[hidden email]>
To: [hidden email]
Date: 01/10/2013 04:01 PM
Subject: Re: How to link openssl FIPS 140-2 object module with openssl
            binary
Sent by: [hidden email]




Re: How to link openssl FIPS 140-2 object module with openssl binary

Jeffrey Walton-3
On Thu, Jan 10, 2013 at 11:04 AM, Nayna Jain <[hidden email]> wrote:

> Thanks Jeffrey for the quick response.
>
> I have one more question.
>
> Actually there is also NIST Recommendations document i.e. NIST SP 800-131
> A.
>
> To satisfy the requirements for NIST SP 800-131 A ,
>
> 1.  Do we need to use FIPS Object library module ?
If you are doing business in the Federal arena, you must use validated
cryptography. OpenSSL is one way to get validated cryptography in your
product.

Others include Mocana, Certicom, RSA Data Security, etc. Expect to pay
$20,000 or $30,000 US or so to set the account up, before a single
license is issued ($25,000 was the quote I got a few years ago).

> 2. Do we just need to make sure that we use correct algos /keys from
> standard openssl lib ( without FIPS lib) to satisfy NIST SP 800-131 A
> requirements ?
NIST SP 800-131A speaks to security levels.

Security levels for new Federal systems must offer 112 bits of
security or higher.

You can use a lesser security level to interoperate with existing
systems, such as 80 bits (2-key TDEA, SHA-1), but they are being
phased out.

Below are the algorithms and/or key sizes that achieve the 112-bit
security level. Note: MD5 is tolerated, but only as a PRF in TLS 1.0
and TLS 1.1 (it cannot 'stand alone', or be used as a digest or HMAC in a
negotiated cipher):

  2048 Diffie-Hellman
  2048 RSA
  224-bit Elliptic Curves (Prime Fields)
  233-bit Elliptic Curves (Binary Fields)
  3-key TDEA (3-key Triple DES)
  SHA-224

Related: Suite B algorithms require 128 bits of security. Below are
the algorithms and/or key sizes that offer that security level. Note:
MD5 is completely banned, since TLS 1.2 is required:

  3072 Diffie-Hellman
  3072 RSA
  256-bit Elliptic Curves (Prime Fields)
  283-bit Elliptic Curves (Binary Fields)
  AES-128
  SHA-256

So, you have to plug in the required parameters.

Jeff

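An added example, not from the thread or the OpenSSL project: a shell audit of what a standard (non-FIPS) OpenSSL build will negotiate, checked against the 112-bit floor Jeff lists above (set FLOOR=128 for the Suite B level). It assumes the line formats that `openssl ciphers -v` and `openssl x509 -noout -text` print on OpenSSL 1.0.x; the sample lines are constructed, the strength table is SP 800-57 Part 1 Table 2, and rounding down sizes that fall between table rows is this script's own choice. Note that every algorithm in Jeff's lists already exists in the standard library; the FIPS Object Module changes whether the implementation is validated, not whether the algorithm is available, so the audit reads the same with or without it.

```shell
#!/bin/sh
# Added example (not from the thread): audit a standard OpenSSL build against
# the 112-bit floor of NIST SP 800-131A (FLOOR=128 for the Suite B level).
# Two separate checks are needed: a cipher-suite name carries the symmetric
# cipher and MAC but says nothing about the RSA/DH modulus or EC curve size,
# which come from the certificate and the DH parameters.
# Strength values follow SP 800-57 Part 1, Table 2; sizes between table rows
# are rounded DOWN (this script's assumption, NIST tabulates only those sizes).

asym_strength() {       # usage: asym_strength RSA|DH|DSA|EC <bits>  -> strength
    kind=$1 bits=$2
    case $kind in
        RSA|DH|DSA)
            if   [ "$bits" -ge 15360 ]; then echo 256
            elif [ "$bits" -ge 7680 ];  then echo 192
            elif [ "$bits" -ge 3072 ];  then echo 128
            elif [ "$bits" -ge 2048 ];  then echo 112
            elif [ "$bits" -ge 1024 ];  then echo 80
            else echo 0; fi ;;
        EC)             # prime or binary field, roughly half the field size
            if   [ "$bits" -ge 512 ]; then echo 256
            elif [ "$bits" -ge 384 ]; then echo 192
            elif [ "$bits" -ge 256 ]; then echo 128
            elif [ "$bits" -ge 224 ]; then echo 112
            elif [ "$bits" -ge 160 ]; then echo 80
            else echo 0; fi ;;
        *) echo 0 ;;
    esac
}

# Classify one line of `openssl ciphers -v` output, e.g.
#   DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
# Prints "ok <symmetric strength>" or "weak <reason>"; returns 1 when weak.
suite_check() {
    line=$1 floor=${FLOOR:-112}
    set -- $line            # name, protocol, Kx=, Au=, Enc=, Mac=[, export]
    au= enc= mac=
    for f in "$@"; do
        case $f in
            Au=*)  au=${f#Au=} ;;
            Enc=*) enc=${f#Enc=} ;;
            Mac=*) mac=${f#Mac=} ;;
        esac
    done
    family=${enc%%"("*}; bits=${enc#*"("}; bits=${bits%")"}
    [ "$au" != None ]  || { echo "weak anonymous key exchange"; return 1; }
    [ "$enc" != None ] || { echo "weak no encryption"; return 1; }
    # MD5 is only tolerated inside the TLS 1.0/1.1 PRF, never as the MAC.
    [ "$mac" != MD5 ]  || { echo "weak MD5 as MAC"; return 1; }
    case $family in
        AES|AESGCM|AESCCM|AESCCM8) strength=$bits ;;  # AES-128 -> 128, AES-256 -> 256
        3DES) strength=112 ;;                         # 3-key TDEA: 112 bits, not 168
        *)    echo "weak $family not an approved cipher"; return 1 ;;
    esac
    [ "$strength" -ge "$floor" ] || { echo "weak $family($bits) below $floor bits"; return 1; }
    echo "ok $strength"     # HMAC-SHA1 as the MAC remains acceptable under 800-131A
}

# Run every `openssl ciphers -v` line on stdin through suite_check.
# Prints "<name> <verdict>" per line; returns 1 if any suite is weak.
audit_cipher_list() {
    rc=0
    while IFS= read -r l; do
        [ -n "$l" ] || continue
        v=$(suite_check "$l") || rc=1
        printf '%s %s\n' "${l%% *}" "$v"
    done
    return $rc
}

# Strength of the key described by `openssl x509 -noout -text` (or
# `openssl rsa -text` / `openssl ec -text`) output read from stdin.
pubkey_strength() {
    alg= bits=
    while IFS= read -r l; do
        case $l in
            *"Public Key Algorithm: rsaEncryption"*)  alg=RSA ;;
            *"Public Key Algorithm: id-ecPublicKey"*) alg=EC ;;
            *"Public Key Algorithm: dsaEncryption"*)  alg=DSA ;;
            *"Public-Key: ("*" bit)"*) bits=${l#*"("}; bits=${bits%% *} ;;
        esac
    done
    asym_strength "$alg" "${bits:-0}"
}

# Constructed sample in the format of `openssl ciphers -v ALL` on a 1.0.x
# build; on a real host pipe the actual command output in instead.
SAMPLE='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1'

if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE" | audit_cipher_list || echo "some suites fall below the floor"
    printf 'Public Key Algorithm: rsaEncryption\n  Public-Key: (2048 bit)\n' | pubkey_strength
fi
```

On a real host: `openssl ciphers -v 'DEFAULT' | sh audit.sh` style piping into audit_cipher_list gives the suite verdicts, and `openssl x509 -in server.pem -noout -text | pubkey_strength` gives the certificate key's strength; the two are deliberately separate because DES-CBC3-SHA with a 1024-bit RSA certificate passes the first check and fails the second.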

Re: How to link openssl FIPS 140-2 object module with openssl binary

Nayna Jain
Hi Jeffrey,

Thanks for clarification.

I have one question on this. What did you mean by Suite B algorithms?

Secondly, are the ciphers which you mentioned available in the standard openssl
package, or do we need to have the FIPS 140-2 module linked for that?

Thanks & Regards,
Nayna Jain
Nexus Tools Development
Bangalore, India
Contact : 402-56859



From: Jeffrey Walton <[hidden email]>
To: [hidden email]
Date: 01/10/2013 10:08 PM
Subject: Re: How to link openssl FIPS 140-2 object module with openssl
            binary
Sent by: [hidden email]




RE: How to link openssl FIPS 140-2 object module with openssl binary

Salz, Rich
> I have one question in this. What did you mean by Suite B Algorithms ?

Google "crypto suite b". Or heck, even just "suite b".

        /r$

--  
Principal Security Engineer
Akamai Technology
Cambridge, MA
