Conformant OpenSSL
SSR has completed extensive modifications to the OpenSSL FIPS Canister (v2.0.x) to make it fully compliant with the latest FIPS requirements. The module has completed algorithm testing on 12 platforms and is currently undergoing functional testing. It will be submitted to CMVP by EOY15.
The module is available for license, with a complete FIPS documentation set, for a quick and easy custom Private Label validation. We have partnered with a validation lab that can offer discounted pricing on the validation of the SSR-modified source.
Changes:
• Fully compliant with 800-131A
  o SHA-1 disallowed with Asymmetric Sign
  o RSA and DSA 1024-bit keys disallowed
  o ECDSA curves P-192, B-192, and K-192 are disallowed
  o RSA Key Generation updated to conform to FIPS 186-4
• GMAC algorithm patched and available
• Many AES-NI, AVX and AVX2 assembly language accelerations for x86 processors have been ported from 1.0.x
• Fully conformant with startup requirements from IG9.5 and IG9.10
• Updated built-in algorithm test harness to current file formats
• Updated built-in functional test harness to demonstrate current capabilities
Further customizations can be made on an as-needed basis, including:
• Assembly language accelerations for additional processors
• Auto-start in FIPS-mode and/or disable non-FIPS mode
• Algorithm limitations (e.g. only SHA-512)
Please contact us if you would like more information on licensing the module for private label validation.
Conformant OpenSSH
We have begun preliminary work on integrating the OpenSSH server daemon with our customized OpenSSL to create a conformant version of OpenSSH. This will result in a drop-in replacement for the standard OpenSSH found in many Linux distributions, and can offer a very quick time-to-validation for hardware platforms that rely on SSH connections to a management console and do not otherwise have a large attack surface.
Planned features:
• Drop-in replaceable
• Capability to build with Compliant OpenSSL embedded (static linking) or as a shared object
• Remove and prevent re-enabling of non-FIPS-compliant cipher suites
• FIPS 140-2 validation of end product
• Ability to enable/disable ECC at compile-time, for customers in patent-risk-averse organizations
Please contact us if you are interested in hearing more about the product, or have suggestions for features.