FOMRedux
Thinqsoft has performed extensive modifications to the OpenSSL FIPS Object Module (FOM; v2.0.x) to make it fully compliant with the latest FIPS requirements. The result is FOMRedux, a fully FIPS-compliant object module ready for private label validation.
FIPS 140 Compliant Private Label Validation
Extensively modified OpenSSL Object Module ready to expand your validation offerings
OpenSSL was last FIPS validated in 2012 (validation #1747). All subsequent validations were “1SUB” validations to add additional hardware. FIPS requirements have changed since that validation, and new validations cannot be done with the old code.
The only proper use of the existing FIPS validation is the match the exact hardware listed on one of the validations. If your hardware differs in any way from those listed hardware platform, you cannot claim to use FIPS validated cryptography in your product.
The solution is to get a private label validation — a validation of OpenSSL with your corporate branding.
FOMRedux includes the following enhancements to the original FOM source code:
- Fully conforms to startup requirements from IG9.5 and IG9.10
- Fully compliant with 800-131A
- SHA-1 disallowed with Asymmetric Sign
- RSA and DSA 1024-bit keys disallowed
- ECDSA curves P-192, B-192, and K-192 are disallowed
- RSA Key Generation updated to conformance with FIPS 186-4
- GMAC algorithm patched and available
- Updated built-in algorithm test harness to current file formats
- Updated built-in functional test harness to demonstrate current capabilities
In addition to the algorithm and compliance updates, FOMRedux is faster than the original. In the years since the initial validation, many assembly language enhancements were made to the non-FIPS source tree of OpenSSL. Among these are accelerations for AES, SHA, and BIGNUM math for x86_64, ARM, SPARC, and more.
Many of these assembly code optimizations have been ported into FOMRedux, bring the FOM to closer performance parity with the non-FIPS version. Additional optimizations can be ported in to meet vendor needs.
With FOMRedux, you can customize additional behaviors of OpenSSL to meet special use cases:
- Assembly language accelerations for additional processors
- Auto-start in FIPS-mode and/or disable non-FIPS mode
- Algorithm limitations (e.g. only SHA-512)
- Custom branding and logging
Please contact us if you would like more information on licensing the module for private label validation.
Learn More about the ACVPro
Download the ACVPro Overview and see how it can support your FIPS 140 validation projects