sha256 in FIPS mode.

Hi,

My question is regarding the library in FIPS mode and the FIPS_selftest function.

The current FIPS_selftest routine in 0.9.8k calls sha1, hmac, aes, des, rsa, and dsa selftests. It doesn’t call any sha256, 512 KAT selftests and I didn’t find these routines in the source. In FIPS mode I’m allowed to use EVP_DigestInit( &ctx, EVP_sha256() ); successfully.

Why are the sha hash algorithms not tested when FIPS_selftest is called?

Rob

Rob Miller
402.758.7393 office | 402.201.2371 alt. office | 402.758.7030 fax | john.smith@...

Re: sha256 in FIPS mode.

Miller, Rob (Omaha) wrote:
> Hi,
>
> My question is regarding the library in FIPS mode and the FIPS_selftest function.
>
> The current FIPS_selftest routine in 0.9.8k calls sha1, hmac, aes, des, rsa, and dsa selftests. It doesn’t call any sha256, 512 KAT selftests and I didn’t find these routines in the source. In FIPS mode I’m allowed to use EVP_DigestInit( &ctx, EVP_sha256() ); successfully.
>
> Why are the sha hash algorithms not tested when FIPS_selftest is called?

Because a separate test for the SHA-3 algorithms was not a requirement for the SHS (SHA) Known Answer Test at the time of submission, and we have no incentive to perform non-mandated self tests. Note that the POST (power up self test, which includes the KATs) is a significant performance hit on less capable systems (taking upward of four *minutes* for one ARM system I was looking at recently).

Note the SHA-3 algorithms were tested in the CAVP certificate (#723) and in fips_test_suite.

If you're looking at a "private label" validation based on the openssl-fips-1.2 validation you'll see that some of the requirements have since changed -- the rules change constantly. As of the end of 2010 the current v1.2 code will need very substantial modification for new validations.

-Steve M.

--
Steve Marquess
The OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marquess@...
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@...
Automated List Manager                           majordomo@...

Re: sha256 in FIPS mode.

On Tue, Oct 27, 2009, Miller, Rob (Omaha) wrote:
> Hi, My question is regarding the library in FIPS mode and the FIPS_selftest
> function. The current FIPS_selftest routine in 0.9.8k calls sha1, hmac,
> aes, des, rsa, and dsa selftests. It doesn't call any sha256, 512 KAT
> selftests and I didn't find these routines in the source. In FIPS mode I'm
> allowed to use EVP_DigestInit( &ctx, EVP_sha256() ); successfully.
>
> Why are the sha hash algorithms not tested when FIPS_selftest is called?

The HMAC algorithm is tested using all sha* algorithms including sha256. HMAC KAT tests test the associated digest algorithm as well as the HMAC operation.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

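The point made in the reply above, that an HMAC known-answer test also exercises the underlying digest, shown as an added example (not code from OpenSSL or from this thread). HMAC is built over a pluggable digest function and checked against RFC 4231 test cases 1 and 2; `faulty_sha256` is a constructed stand-in for a broken digest, and all function names are assumptions of this sketch.

```python
import hashlib
import hmac as std_hmac

BLOCK_SIZE = 64  # SHA-256 block size in bytes

# RFC 4231 HMAC-SHA-256 test cases 1 and 2: (key, message, expected tag).
HMAC_SHA256_KATS = [
    (b"\x0b" * 20, b"Hi There",
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
    (b"Jefe", b"what do ya want for nothing?",
     "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"),
]

def sha256(data):
    return hashlib.sha256(data).digest()

def faulty_sha256(data):
    """Constructed fault: a SHA-256 whose output has one bit flipped."""
    d = bytearray(sha256(data))
    d[0] ^= 0x01
    return bytes(d)

def hmac_with(digest, key, msg):
    """HMAC (RFC 2104) built on a caller-supplied digest function."""
    if len(key) > BLOCK_SIZE:
        key = digest(key)
    key = key.ljust(BLOCK_SIZE, b"\x00")
    inner = digest(bytes(b ^ 0x36 for b in key) + msg)
    return digest(bytes(b ^ 0x5C for b in key) + inner)

def hmac_kat(digest):
    """Return True only if every known-answer vector matches."""
    return all(
        std_hmac.compare_digest(hmac_with(digest, k, m), bytes.fromhex(exp))
        for k, m, exp in HMAC_SHA256_KATS
    )

if __name__ == "__main__":
    # The digest runs twice per HMAC, so a digest fault fails the HMAC KAT.
    print("good digest passes KAT:  ", hmac_kat(sha256))
    print("faulty digest passes KAT:", hmac_kat(faulty_sha256))
```
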
RE: sha256 in FIPS mode.

Thanks for your answer.

I have an additional question about the FIPS_selftest API call. The user guide states that FIPS_selftest can be called for initiated self tests. What is the reason that the incore fingerprint is not validated again in the FIPS_selftest api?

Thanks,
Rob

Re: sha256 in FIPS mode.

Miller, Rob (Omaha) wrote:
> Thanks for your answer.
>
> I have an additional question about the FIPS_selftest API call. The user guide states that FIPS_selftest can be called for initiated self tests. What is the reason that the incore fingerprint is not validated again in the FIPS_selftest api?

Well, the self tests and the integrity test are different things. There is a specific requirement that the self tests be invocable by the user, so we implemented that. There is no requirement that the integrity test be repeated, and in fact the way that is usually implemented (digest over the executable file on disk) there wouldn't be much point in repeating it.

Note there is no practical use for the user initiated self tests. I can't conceive of a situation where you would actually want to make that function call independently of the mandatory Power Up Self Test that includes the integrity test and the algorithm self-tests. The real-world value of the POST itself is debatable, it dates from a time when cryptography was implemented with discrete component electronics.

BTW bad answer to your last question, I meant SHA-2, the here-and-now SHA256/384/512 and not the future SHA-3.

-Steve M.

--
Steve Marquess
Open Source Software Institute
marquess@...