HP SSH and FIPS

 
Curtis A. Johnson
New Member

HP SSH and FIPS

I am trying to determine if the SSH version for HP-UX 11.11 that is available from HP is FIPS 140-2 compliant. So far I have not been able to find anything to give me a definite answer one way or another. Any help will be appreciated.
Steven E. Protter
Exalted Contributor

Re: HP SSH and FIPS

Shalom

SSH is a port of openssh. http://www.openssh.org.

If openssh is FIPS compliant, so is HP's port.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Curtis A. Johnson
New Member

Re: HP SSH and FIPS

Thanks. I see that it is a port of OpenSSH, and what I can find on oss-institute.org is that OpenSSH (or HP port of it) will be FIPS 140-2 compliant when built against the validated OpenSSL libraries and when appropriate application code is included to ensure that FIPS mode is activated and verified.

I am just wondering if anyone else has run into this and whether they were able to find if it is compliant or not.
DJR
Advisor

Re: HP SSH and FIPS

Hi All-

We have a similar question regarding what version of OpenSSL on HP-UX 11.23 is FIPS compliant. Here's an answer we received from support.

Does anyone have any experience with this 1.1.1 version? Can it coexist with the current 0.9 version that ships with the OE? Or is it a wholesale upgrade?

Thanks in advance for your help!

===========================

emr_na-c00881524-1 -- Public
HP-UX - is HP's OpenSSL compliant with FIPS 140-2 versions?
ISSUE:
For HP-UX 11.11 systems, are OpenSSL versions A00.09.07e,i,l compliant with this FIPS (Federal Information Processing Standards) document:
FIPS PUB 140-2
Title: Security Requirements for Cryptographic Modules
available at:
http://csrc.nist.gov/cryptval/140-2.htm
SOLUTION:
As of the date of this writing, there is no FIPS 140-2 compliant version of HP's OpenSSL.
It is HP's understanding that FIPS implementation version 1.0 is no longer sanctioned by NIST (National Institute of Standards and Technology) as an official FIPS release. The 1.0 source appears to have been removed from the openssl.org repository. NIST apparently withdrew certification of 1.0 and will sanction FIPS 1.1 when it is available.
KEYWORDS:
-----------------------------------------------------------------------------------------------------------------
emr_na-c00868282-1 -- Public
HP-UX Openssl - is it certified for FIPS 140-2?
QUESTION:
Are any of the supported versions of HP-UX OpenSSL certified by HP to the FIPS 140-2 standard?
ANSWER:
NO. None of these versions of Openssl have been evaluated and certified by the HP OpenSSL Lab: 0.9.7e, 0.9.7i, 0.9.7l, 0.9.8d.
NOTE: The A.00.09.07i and A.00.09.07l releases from HP do supply some OpenSSL FIPS 1.0 files inside the source tar ball provided in the /opt/openssl/src directory. This source is supplied "as is" by HP. FIPS 1.0 is no longer maintained by OpenSSL. For that reason, the FIPS 1.0 files were removed from the 0.9.8d source tree.
OpenSSL.org has created a separate distribution of OpenSSL, called FIPS 1.1.1; it is in a separate source tree from the 0.9.x releases. For more information please look at these web sites:
Open Source Software Institute: http://www.oss-institute.org/
OpenSSL FIPS: http://www.openssl.org/docs/fips/
OpenSSL Source: http://www.openssl.org/source/
HP Openssl documentation is available at HP's Internet and Security site:
Internet and Security Solutions: http://www.docs.hp.com/en/internet.html
HP Openssl software is available at HP's software depot site:
Software Depot: http://software.hp.com
DJR
Advisor

Re: HP SSH and FIPS

Item 733: Open Source Software Institute

It appears that there is a FIPS compliant module approved by NIST.

Does anyone have experience with this? Thanks!

http://csrc.nist.gov/cryptval/140-1/1401val2007.htm
DJR
Advisor

Re: HP SSH and FIPS

http://www.openssl.org/docs/fips/UserGuide-1.1.1.pdf

This document indicates that the FIPS module can be used by OpenSSL version 0.9.7m and above. Unfortunately, the latest version I see on the HP SW Depot is 0.9.7L.

Anyone know if HP plans to support a newer version of OpenSSL anytime soon? Or is anyone using a newer version of OpenSSL on HP-UX 11.23?

Cheers,
Darren

===============================

The FIPS object module provides an API for invocation of FIPS approved cryptographic functions from calling applications, and is designed for use in conjunction with standard OpenSSL 0.9.7 distributions beginning with 0.9.7m. These recent full OpenSSL source distributions support the original non-FIPS API as well as a FIPS mode in which the FIPS approved algorithms are implemented by the FIPS object module and non-FIPS approved algorithms other than DH are disabled by default.
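
The version floor quoted above (0.9.7 distributions beginning with 0.9.7m) can be checked mechanically against an installed build or a depot revision. This is an added example, not part of any post in the thread and not HP or OpenSSL code; the function name `fips111_floor` and the sample strings are constructed for illustration. Meeting the floor only means the build can be paired with the FIPS object module; it says nothing about whether a given binary was built against it or runs in FIPS mode.

```shell
#!/bin/sh
# Classify an OpenSSL version string against the floor quoted from the
# FIPS 1.1.1 User Guide: 0.9.7 distributions beginning with 0.9.7m.
# Accepts a bare version ("0.9.7l"), `openssl version` style output, or an
# HP depot style revision ("A.00.09.07l"). Prints one of:
#   meets-floor | below-floor | other-series | unparsable
# fips111_floor is a hypothetical helper name, not an HP or OpenSSL tool.
fips111_floor() {
    printf '%s\n' "$1" | awk '
    {
        for (i = 1; i <= NF; i++) {
            t = $i
            sub(/^A\.?/, "", t)            # drop the HP depot prefix
            if (t !~ /^[0-9]+\.[0-9]+\.[0-9]+[a-z]?$/) continue
            split(t, p, ".")
            letter = ""
            if (p[3] ~ /[a-z]$/) {         # trailing patch letter, e.g. "7l"
                letter = substr(p[3], length(p[3]))
                p[3] = substr(p[3], 1, length(p[3]) - 1)
            }
            # "+ 0" strips the zero padding used in depot revisions (00.09.07)
            series = (p[1] + 0) "." (p[2] + 0) "." (p[3] + 0)
            if (series != "0.9.7") {
                # The quoted statement only covers the 0.9.7 series.
                print "other-series"
                exit
            }
            result = (letter >= "m") ? "meets-floor" : "below-floor"
            print result
            exit
        }
        print "unparsable"
    }'
}

# Constructed sample inputs using versions mentioned in this thread.
for v in 'OpenSSL 0.9.7l 28 Sep 2006' 'A.00.09.07l' '0.9.7m' '0.9.8d'; do
    printf '%-28s %s\n' "$v" "$(fips111_floor "$v")"
done
```

On a live system the input would be the output of `openssl version`.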
DJR
Advisor

Re: HP SSH and FIPS

Looks like the "M" version will be released in mid October 2007. Per HP Support:

"I was notified today that the port of OpenSSL 0.9.7m is slated to be made available at http://software.hp.com in "Mid October". My advice would be start checking on the 10th. The current link for OpenSSL in that site is: http://h20293.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=OPENSSL11I"