OpenSSH use of OpenSSL in FIPS Mode
kladko at aspectlabs.com
Tue Mar 6 12:01:22 EST 2007

My understanding is that the OpenSSL module supports the cryptographic key
establishment algorithms used in OpenSSH, such as Diffie-Hellman. If OpenSSH
properly uses these algorithm implementations it will be in a similar class
with respect to FIPS 140-2 compliance as Microsoft Internet Explorer, VPN
client and other well-known software titles which use Microsoft Crypto

----- Original Message -----
From: "Joshua Hill" <josh-lists at untruth.org>
To: "Stan Kladko" <kladko at aspectlabs.com>
Cc: <openssh-unix-dev at mindrot.org>
Sent: Monday, March 05, 2007 3:36 PM
Subject: Re: OpenSSH use of OpenSSL in FIPS Mode

> On Mon, Mar 05, 2007 at 01:28:20PM -0800, Stan Kladko wrote:
>> It is specified that the module provides "all the cryptographic services
>> the solution".
>
> Do you not consider key establishment a "cryptographic service"?
>
> It would seem that we are largely speaking past each other in this
> instance. I acknowledge that some services (such as Anti-Virus, as you
> mentioned) may be generally considered a "security service", but would
> not normally be relevant to FIPS 140.
>
> This is not the matter at hand, however. The matter at hand is: "Should
> OpenSSH be modified to allow it to use the FIPS module within OpenSSL?"
>
> My contention is that this would not be a particularly useful action to
> take as:
>
> (1) Key establishment _is_ relevant to FIPS 140.
> (2) OpenSSH implements key establishment such that the protocol is
> largely outside of OpenSSL. Yes, OpenSSH uses the underlying crypto
> algorithms provided by OpenSSL, but the key establishment is done
> outside OpenSSL.
>
> As a consequence of (1) and (2), if one were to modify OpenSSH to take
> advantage of the validated portion of OpenSSL, one would still not
> have a package that would be appropriate for use within the US Federal
> In fact, to accomplish this end, one would still have to go through
> a separate validation process for the OpenSSH functionality, which
> means that it's about the same condition prior to the entire OpenSSL
> sub-component validation.