OpenSSH use of OpenSSL in FIPS Mode

Stan Kladko kladko at aspectlabs.com
Tue Mar 6 12:01:22 EST 2007


My understanding is that the OpenSSL module supports the cryptographic key 
establishment algorithms used in OpenSSH, such as Diffie-Hellman. If OpenSSH 
properly uses these algorithm implementations it will be in a similar class 
with respect to FIPS 140-2 compliance as Microsoft Internet Explorer, VPN 
client and other well known software titles which use Microsoft Crypto 
Providers.


Regards,
Stan

----- Original Message ----- 
From: "Joshua Hill" <josh-lists at untruth.org>
To: "Stan Kladko" <kladko at aspectlabs.com>
Cc: <openssh-unix-dev at mindrot.org>
Sent: Monday, March 05, 2007 3:36 PM
Subject: Re: OpenSSH use of OpenSSL in FIPS Mode


> On Mon, Mar 05, 2007 at 01:28:20PM -0800, Stan Kladko wrote:
>> It is specified that the module provides "all the cryptographic services 
>> in
>> the solution".
>
> Do you not consider key establishment a "cryptographic service"?
>
> It would seem that we are largely speaking past each other in this
> instance.  I acknowledge that some services (such as Anti-Virus, as you
> mentioned) may be generally considered a "security service", but would
> not normally be relevant to FIPS 140.
>
> This is not the matter at hand, however.  The matter at hand is: "Should
> OpenSSH be modified to allow it to use the FIPS module within OpenSSL?"
>
> My contention is that this would not be particularly useful action to
> take as:
> (1) Key establishment _is_ relevant to FIPS 140.
> (2) OpenSSH implements key establishment such that the protocol is
> largely outside of OpenSSL.  Yes, OpenSSH uses the underlying crypto
> algorithms provided by OpenSSL, but the key establishment is done
> outside OpenSSL.
>
> As a consequence of (1) and (2), if one were to modify OpenSSH to take
> advantage of the validated portion of OpenSSL, one would still not
> have a package that would be appropriate for use within the US Federal
> Government.
>
> In fact, to accomplish this end, one would still have to go through
> a separate validation process for the OpenSSH functionality, which
> means that it's about the same condition prior to the entire OpenSSL
> sub-component validation.
>
> Josh 



More information about the openssh-unix-dev mailing list