The OpenSSL suite, which needs no introduction, has an important module for those who want their application or hardware to support the FIPS 140-2 standard [1]. The so-called "FIPS Object Module" version 2.0 also supports the whole set of cryptographic algorithms known as "Suite B", created by the US NSA, which can also be used exclusively with these extensions.

Suite B requires a 128-bit security level and, it should be noted, rules out the use of TLS below version 1.2 [2], because earlier versions still used the MD5-SHA1 combination, known to be obsolete, as the pseudo-random function.

FIPS mode is started by calling the function FIPS_mode_set().

    int FIPS_mode_set(int ONOFF);

FIPS_mode_set(0) leaves FIPS mode and returns 1 on success. Any non-zero value enters FIPS mode. The value "2" is reserved for restricting operations to the Suite B algorithms. Unlike the documentation available on the OpenSSL project wiki, the FIPS Module manual documents the use of another function to restrict to Suite B: "An argument of FIPS_SUITEB(2) will restrict the available algorithms to those allowed by the Suite B specification".

Example of a direct call to the function:

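    /* Fragment from application start-up code. Needs <stdio.h>, <stdlib.h>,
     * <openssl/crypto.h> and <openssl/err.h>; options.no_fips is the
     * application's own setting. */
    #ifdef OPENSSL_FIPS
    if (options.no_fips <= 0)
    {
        if (!FIPS_mode_set(1))
        {
            /* Entering FIPS mode failed: print the OpenSSL error queue and stop. */
            ERR_load_crypto_strings();
            ERR_print_errors_fp(stderr);
            exit(1);
        }
        else
            fprintf(stderr, "*** IN FIPS MODE ***\n");
    }
    #endif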
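
The fragment above compiles to nothing when OPENSSL_FIPS is undefined, so a build without the FIPS module starts normally and says nothing. The following added example (not from the original post or from the OpenSSL project) fails closed in that case and also covers the Suite B argument; the names `fips_arg_from_config` and `enter_fips` and the configuration strings are assumptions, and passing 2 for Suite B follows the description above.

```c
#include <stdio.h>
#include <string.h>

/* Include OpenSSL only if its headers are installed; opensslconf.h
 * defines OPENSSL_FIPS when the library was built FIPS-capable. */
#if defined(__has_include)
#  if __has_include(<openssl/crypto.h>)
#    include <openssl/crypto.h>
#    include <openssl/err.h>
#  endif
#endif

/* Map a (hypothetical) configuration value to the FIPS_mode_set() argument
 * described on this page: 0 = off, 1 = FIPS, 2 = Suite B only; -1 = unknown. */
int fips_arg_from_config(const char *value)
{
    if (value == NULL)                return -1;
    if (strcmp(value, "off") == 0)    return 0;
    if (strcmp(value, "fips") == 0)   return 1;
    if (strcmp(value, "suiteb") == 0) return 2;
    return -1;
}

/* Returns 0 when the requested policy is in force, -1 otherwise. */
int enter_fips(const char *value)
{
    int arg = fips_arg_from_config(value);

    if (arg < 0)
        return -1;                  /* a typo in the config must not mean "off" */
    if (arg == 0)
        return 0;                   /* FIPS mode was not requested */
#ifdef OPENSSL_FIPS
    if (!FIPS_mode_set(arg)) {
        ERR_load_crypto_strings();
        ERR_print_errors_fp(stderr);
        return -1;
    }
    return FIPS_mode() ? 0 : -1;    /* confirm the mode really changed */
#else
    fprintf(stderr, "FIPS mode requested, but this build has no FIPS module\n");
    return -1;                      /* fail closed instead of silently skipping */
#endif
}

int main(void)
{
    return enter_fips("suiteb") == 0 ? 0 : 1;
}
```
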

An important topic for those who still want to adopt the ECC standardization done by the NSA is that of patents. Item 6.5, "ECC and the NSA Sublicense", is therefore required reading for the developer.

Why are there two versions of the OpenSSL FIPS Object Module 2.0? At least some implementations of Elliptic Curve Cryptography (ECC) are perceived to be encumbered in the United States by a complex set of patents. Concern about the possible risks of patent infringement have been a significant disincentive to more widespread use of ECC. In order to counter such concerns for the ECC necessary to implement the Suite B algorithms, the NSA established a process for sub-licensing the patents for that subset of ECC (see http://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml). The OSF has obtained such a sublicense (http://opensslfoundation.com/testing/docs/NSA-PLA.pdf). However, that sublicense only covers the specific patents presumed relevant to the prime curve ECC used for Suite B. It does not cover other possible types of ECC such as binary curves which are implemented in OpenSSL. Judging the risks of a patent infringement lawsuit is difficult, and not only because the patents themselves are usually incomprehensible to the software developer. The mere threat of a patent lawsuit can be crippling to even a medium sized enterprise, regardless of the legitimacy of the accusation of infringement. It is the considered opinion of the OpenSSL team that the implementation of ECC in OpenSSL, both primary and binary curve, does not infringe any patents. However, some potential users are still concerned about the risk of patent litigation, understandably so given the extent to which such litigation has been used as an offensive commercial tactic in recent years. For the OpenSSL software such users can use build-time options to omit specific algorithms of concern from the resulting binary code.

FIPS140 Files

Here you can find a number of FIPS140 related files including the user guide and test vectors.

       Bytes  Timestamp             Filename
    ________  ____________________  ____________________________
     1707577  Sep 29 14:15:31 2013  UserGuide-2.0.pdf
      464520  May 20 20:40:51 2013  SecurityPolicy-2.0.pdf
      223576  Jun 28 15:42:31 2012  UserGuide.pdf
      925694  Jun 27 02:45:21 2012  UserGuide-1.2.pdf
    82787660  Feb  3 19:45:56 2012  fips-2.0-tv.tar.gz
      399521  May 12 14:55:47 2011  SecurityPolicy-1.2.3.pdf
        5628  May 10 12:52:17 2011  incore2
      645167  Dec  8 20:19:25 2010  SecurityPolicy-1.2.2.pdf
        1936  Jan 12 23:34:27 2010  incore.gz
      860211  Nov 20 16:26:39 2009  SecurityPolicy-1.2.pdf
      429420  Feb 10 19:28:55 2008  SecurityPolicy-1.1.2.pdf
      681420  Dec 13 21:11:03 2007  UserGuide-1.1.1.pdf
     8947798  Oct 10 23:21:37 2007  testvectors-linux-2007-10-10.tar.gz
     9112982  Oct 10 00:56:58 2007  testvectors-XP-2007-10-09.zip
     1395381  Feb  6 22:03:20 2007  SecurityPolicy-1.1.1.pdf
     5700115  Jul 19 13:30:25 2005  rsp.SuSE.2005-07-01.tar.gz
     5699128  Jul 19 13:30:17 2005  rsp.SuSE.2005-06-30.tar.gz
     5660011  Jul 19 13:30:03 2005  rsp.HP-UX.2005-07-01.tar.gz
     4249118  Jun 10 12:26:55 2005  testvectors.SuSE.tar.gz
     4149860  Jun 10 12:26:43 2005  testvectors.HP-UX.tar.gz

 
Revision v. 1.0
 
  1. Obviously, compiling the module in question does not by itself produce anything like acceptance under the NIST standard, as OpenSSL itself warns: "OpenSSL has been configured to generate a fipscanister.o object module. That compiled module is NOT FIPS 140-2 validated or suitable for use in satisfying a requirement for the use of FIPS 140-2 validated cryptography UNLESS the requirements of the Security Policy are followed exactly (see http://openssl.org/docs/fips/ or http://csrc.nist.gov/cryptval/)."
  2. See http://tools.ietf.org/html/rfc5246: "The MD5/SHA-1 combination in the pseudorandom function (PRF) has been replaced with cipher-suite-specified PRFs. All cipher suites in this document use P_SHA256."