[openssl-users] FIPS 140-2 on iOS

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

[openssl-users] FIPS 140-2 on iOS

Sec_Aficiondado
Hi there,

Total n00b question here. I recently ran across a question on an iOS forum where someone was building an app with FIPS 140-2 compliant communications.

Now, from reading here (mailing lists) about FIPS certification, it involves both the bits and the platform. So it would not be possible to create an app that is compliant on a platform that hasn't been certified. Is that a correct assumption? Or can I build a compliant app with just certified libraries?

Thanks!

Sent from my mobile
I may have missed some "autocorrections"
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: [openssl-users] FIPS 140-2 on iOS

Quentin Gouchet

Hi,

I believe you can make an app that is FIPS compliant: since OpenSSL can be made FIPS compliant on a non-validated OS, why not an app on iOS? But it will be FIPS compliant, not FIPS validated app.


Le mar. 28 avr. 2015 21:45, Sec_Aficionado <[hidden email]> a écrit :
Hi there,

Total n00b question here. I recently ran across a question on an iOS forum where someone was building an app with FIPS 140-2 compliant communications.

Now, from reading here (mailing lists) about FIPS certification, it involves both the bits and the platform. So it would not be possible to create an app that is compliant on a platform that hasn't been certified. Is that a correct assumption? Or can I build a compliant app with just certified libraries?

Thanks!

Sent from my mobile
I may have missed some "autocorrections"
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: [openssl-users] FIPS 140-2 on iOS

Steve Marquess-4
In reply to this post by Sec_Aficiondado
On 04/28/2015 03:44 PM, Sec_Aficionado wrote:
> Hi there,
>
> Total n00b question here. I recently ran across a question on an iOS
> forum where someone was building an app with FIPS 140-2 compliant
> communications.

Note there really is no such thing as "FIPS 140-2 compliant" (though you
see that terms bandied around a lot and I'm guilty of doing so myself).

The term of interest is "FISP 140-2 validated" (n.b.: that's "validated"
not "certified").

> Now, from reading here (mailing lists) about FIPS certification, it
> involves both the bits and the platform. So it would not be possible
> to create an app that is compliant on a platform that hasn't been
> certified. Is that a correct assumption? Or can I build a compliant
> app with just certified libraries?

A Level 1 FIPS 140-2 validation (Level 1 being the most common and the
"easiest") applies to a thing called a "cryptographic module" in the
context of one of more "OEs" or "Operational Environments" (loosely
speaking, "platforms"). Note at Level 1 products are not validated,
operating systems are not validated, only "cryptographic modules" are
validated.

Translated from FIPSspeak, for a software "module" that means a very
specific chunk of executable code running on a specific platform
(operating system and OS version and processor "architecture"). Move
that same code to another platform and it is no longer validated; the
validation is relative to the OEs or platforms.

The only valid reason to use a FIPS 140-2 validated module is that you
must in order to sell your cryptography-using product to the USG or DoD.
For that market you (typically, if the procurement officer is paying
attention) have to use a validated cryptographic module on one of the
OEs specifically listed for that module validation.

So for a software product there is no such thing as validation of the
product independent of the platform (OE) it runs on.

A partial exception to that rule is "user affirmation" per I.G. G.5, but
while technically a legitimate means of satisfying FISP 140-2 validation
requirements that has limited practical value in the USG/DoD market.

Note I'm only discussing Level 1 validations here; Levels 2 and up are
different.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
[hidden email]
[hidden email]
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: [openssl-users] FIPS 140-2 on iOS

Sec_Aficiondado
This is an excellent explanation in plain English. Thank you!

> On Apr 28, 2015, at 4:31 PM, Steve Marquess <[hidden email]> wrote:
>
>> On 04/28/2015 03:44 PM, Sec_Aficionado wrote:
>> Hi there,
>>
>> Total n00b question here. I recently ran across a question on an iOS
>> forum where someone was building an app with FIPS 140-2 compliant
>> communications.
>
> Note there really is no such thing as "FIPS 140-2 compliant" (though you
> see that terms bandied around a lot and I'm guilty of doing so myself).
>
> The term of interest is "FISP 140-2 validated" (n.b.: that's "validated"
> not "certified").
>
>> Now, from reading here (mailing lists) about FIPS certification, it
>> involves both the bits and the platform. So it would not be possible
>> to create an app that is compliant on a platform that hasn't been
>> certified. Is that a correct assumption? Or can I build a compliant
>> app with just certified libraries?
>
> A Level 1 FIPS 140-2 validation (Level 1 being the most common and the
> "easiest") applies to a thing called a "cryptographic module" in the
> context of one of more "OEs" or "Operational Environments" (loosely
> speaking, "platforms"). Note at Level 1 products are not validated,
> operating systems are not validated, only "cryptographic modules" are
> validated.
>
> Translated from FIPSspeak, for a software "module" that means a very
> specific chunk of executable code running on a specific platform
> (operating system and OS version and processor "architecture"). Move
> that same code to another platform and it is no longer validated; the
> validation is relative to the OEs or platforms.
>
> The only valid reason to use a FIPS 140-2 validated module is that you
> must in order to sell your cryptography-using product to the USG or DoD.
> For that market you (typically, if the procurement officer is paying
> attention) have to use a validated cryptographic module on one of the
> OEs specifically listed for that module validation.
>
> So for a software product there is no such thing as validation of the
> product independent of the platform (OE) it runs on.
>
> A partial exception to that rule is "user affirmation" per I.G. G.5, but
> while technically a legitimate means of satisfying FISP 140-2 validation
> requirements that has limited practical value in the USG/DoD market.
>
> Note I'm only discussing Level 1 validations here; Levels 2 and up are
> different.
>
> -Steve M.
>
> --
> Steve Marquess
> OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD  21710
> USA
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> [hidden email]
> [hidden email]
> gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users