OpenSSH
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: OpenSSH use of OpenSSL in FIPS Mode

from [Stan Kladko] [Permanent Link][Original]
To: "Joshua Hill" <josh-lists@untruth.org>
Subject: Re: OpenSSH use of OpenSSL in FIPS Mode
From: "Stan Kladko" <kladko@aspectlabs.com>
Date: Mon, 5 Mar 2007 17:01:22 -0800
Cc: openssh-unix-dev@mindrot.org
Delivered-to: sp-com-lists@consult.net
Delivered-to: openssh-unix-dev-list1@securepoint.com
Delivered-to: openssh-unix-dev-tmda@mindrot.org
Delivered-to: openssh-unix-dev@mindrot.org
List-archive: <http://lists.mindrot.org/pipermail/openssh-unix-dev>
List-help: <mailto:openssh-unix-dev-request@mindrot.org?subject=help>
List-id: Development of portable OpenSSH <openssh-unix-dev.mindrot.org>
List-post: <mailto:openssh-unix-dev@mindrot.org>
List-subscribe: <http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev>, <mailto:openssh-unix-dev-request@mindrot.org?subject=subscribe>
List-unsubscribe: <http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev>, <mailto:openssh-unix-dev-request@mindrot.org?subject=unsubscribe>
Organization: Aspect Labs
References: <008901c75ec3$71b8ab30$640a0a0a@fomalhaut> <20070305094626.A31632@chiba.halibut.com> <016f01c75f6d$32e65ba0$640a0a0a@fomalhaut> <20070305153643.B27806@chiba.halibut.com>
Sender: openssh-unix-dev-bounces+openssh-unix-dev-list1=securepoint.com@mindrot.org 
My understanding is that the OpenSSL module supports the cryptographic key 
establishment algorithms used in OpenSSH, such as Diffie-Hellman. If OpenSSH 
properly uses these algorithm implementations it will be in a similar class 
with respect to FIPS 140-2 compliance as Microsoft Internet Explorer, VPN 
client and other well known software titles which use Microsoft Crypto 
Providers.


Regards,
Stan

----- Original Message ----- 
From: "Joshua Hill" <josh-lists@untruth.org>
To: "Stan Kladko" <kladko@aspectlabs.com>
Cc: <openssh-unix-dev@mindrot.org>
Sent: Monday, March 05, 2007 3:36 PM
Subject: Re: OpenSSH use of OpenSSL in FIPS Mode


> On Mon, Mar 05, 2007 at 01:28:20PM -0800, Stan Kladko wrote:
>> It is specified that the module provides "all the cryptographic services 
>> in
>> the solution".
>
> Do you not consider key establishment a "cryptographic service"?
>
> It would seem that we are largely speaking past each other in this
> instance.  I acknowledge that some services (such as Anti-Virus, as you
> mentioned) may be generally considered a "security service", but would
> not normally be relevant to FIPS 140.
>
> This is not the matter at hand, however.  The matter at hand is: "Should
> OpenSSH be modified to allow it to use the FIPS module within OpenSSL?"
>
> My contention is that this would not be particularly useful action to
> take as:
> (1) Key establishment _is_ relevant to FIPS 140.
> (2) OpenSSH implements key establishment such that the protocol is
> largely outside of OpenSSL.  Yes, OpenSSH uses the underlying crypto
> algorithms provided by OpenSSL, but the key establishment is done
> outside OpenSSL.
>
> As a consequence of (1) and (2), if one were to modify OpenSSH to take
> advantage of the validated portion of OpenSSL, one would still not
> have a package that would be appropriate for use within the US Federal
> Government.
>
> In fact, to accomplish this end, one would still have to go through
> a separate validation process for the OpenSSH functionality, which
> means that it's about the same condition prior to the entire OpenSSL
> sub-component validation.
>
> Josh 

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: OpenSSH use of OpenSSL in FIPS Mode, Joshua Hill
Next by Date:  priotc text hp-ux renicer program (version 1.7), enrique moliner
Previous by Thread:  Re: OpenSSH use of OpenSSL in FIPS Mode, Joshua Hill
Next by Thread:  Re: OpenSSH use of OpenSSL in FIPS Mode, Steve Marquess
Indexes:  [Date] [Thread] [Top] [All Lists]