[erlang-questions] OTP in FIPS mode ?

Ingela Andin ingela.andin@REDACTED
Thu Apr 23 15:52:01 CEST 2015


Hi!

This question is in the OTP 19 scope.  FIPS requires the use of the EVP-API
which sounds interesting regardless of
FIPS.  We see this as a possible first step, then we can consider if and
what else we might want to do, to support or facilitate for others to
support FIPS.  My current understanding is that using  only the  EVP-API
functions we can not make the  crypto  API completely functional,  which
will require at least some additions to the crypto API and perhaps
OTP-techincal board considerations.

Regards Ingela Erlang/OTP - Ericsson AB

2015-04-21 20:22 GMT+02:00 Drew Varner <drew.varner@REDACTED>:

> Here’ s the discussion on a FIPS pull request that’s now closed:
> https://github.com/erlang/otp/pull/377
>
> - Drew
>
>
> On Apr 21, 2015, at 12:32 PM, Niclas Eklund <nick@REDACTED> wrote:
>
> Hi!
>
> IMHO I think that it would be good if FIPS could supported by OTP,
> especially since the purpose of the FIPS standards are issued to ensure
> computer security and interoperability. I've seen a question about this at
> least once before on this list before -
> http://erlang.org/pipermail/erlang-questions/2012-April/065902.html But I
> don't know what became of it.
>
> Best regards,
>
> Nick
>
>
> On 04/21/2015 03:48 PM, jonetsu wrote:
>
> Hello,
>
> We are using an Erlang-based middleware using OTP, ConfD, which
> must now support FIPS mode.  Briefly, FIPS is a U.S. standard
> that imposes a set of crypto parameters (ciphers, algorithms,
> etc...).  FIPS-applications must use high-level OpenSSL
> methods (The EVP set of methods) since the low-level functions
> will make OpenSSL abort.  The application must also call
> FIPS_mode_set(1) to enable this mode for a suitable OpenSSL build
> that supports FIPS.
>
> OTP uses low-level OpenSSL functions.
>
> Initially I considered replacing, for instance, the AES_* uses in
> crypto.c by their EVP equivalent, while keeping the interface to
> Erlang intact.
>
> Now, looking at the extent of the FIPS modifications to the OTP
> code done last year by Dániel Szoboszlay, who worked at Ericsson
> and Erlang Solutions, I wonder about my naïve approach.
>
> Are anyone here familiar with this FIPS OTP port ?  Any comments
> ? To anyone also familiar with ConfD: do you know of any effort
> done in using this FIPS-enabled OTP code ?
>
> Thanks for any comments and suggestions !
>
> Regards.
>
>
>
>
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>
>
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>
>
>
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://erlang.org/pipermail/erlang-questions/attachments/20150423/0b286086/attachment.htm>


More information about the erlang-questions mailing list