The question is pretty simple: is it possible to create a FIPS 140-2 compliant server in Perl? Especially, is it possible without modifying any of the C code for the modules? If it's not possible in straight Perl, what would be the easiest way to go about it from a C perspective?

I'm basically creating a mini-httpd that only serves up a single file, but due to security restrictions it needs to be served up on SSL under FIPS compliance.

+4  A: 

I don't know all of the rules when it comes to FIPS 140-2. However, unlike HIPAA and PCI-DSS, it's a standard that governs the strength of cryptography and doesn't take the system as a whole into consideration. Parts of OpenSSL can be FIPS 140-2 compliant and this library is exposed to Perl via the Crypt::OpenSSL module. You just have to make sure your key size is large enough for the level of FIPS certification you need and that you don't violate one of the many Cryptographic Issues.

Rook
No! OpenSSL itself is ***not*** FIPS-approved, and never will be. The OpenSSL FIPS Object Module exists, and is FIPS-certified. See http://www.openssl.org/docs/fips/fipsnotes.html to open **that** can of worms.
fennec
@fennec good link, i have updated my answer.
Rook
Thanks. I'm still not sure that the FIPS-compliant library is going to be exposed via Crypt::OpenSSL by default, though. You might have to check what it's linked against, and maybe go into the guts of the module to invoke startuppy stuff.
fennec
Thanks, I'll research more into this option.
Nayruden
+1  A: 

Take a look at Mozilla's FIPS strategy. Triple DES is most likely to be Open Source. I am unaware of any certified FIPS 140-2 solutions in Perl.

Most implementation approvals are very restrictive, such as being on a certain hardware platform, CPU, and OS version. If you are on one of those platforms, you can often piggyback on the OS approval, such as Windows 7, Red Hat, etc.

drewk
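As an added check that is not code from this thread, the script below does what fennec's comment and drewk's answer point at: it reports which libcrypto the Perl TLS binding is really linked against and whether the host's OS-level FIPS mode is on, and refuses to start the server otherwise. It assumes a Linux host with /proc/sys/crypto/fips_enabled and the Net::SSLeay module; the function names are this example's own.

```perl
# Added example, not code from the thread. Checks the environment a Perl
# TLS server actually runs in before it is allowed to claim FIPS mode.
# Assumes Linux (/proc/sys/crypto/fips_enabled) and Net::SSLeay, the XS
# binding most Perl TLS code (IO::Socket::SSL etc.) sits on.
use 5.010;
use strict;
use warnings;
use Net::SSLeay ();

# OS-level FIPS switch (the "piggyback on the OS approval" route).
# Returns 1 or 0, or undef when the host has no such file.
sub kernel_fips_enabled {
    open my $fh, '<', '/proc/sys/crypto/fips_enabled' or return undef;
    my $v = <$fh>;
    close $fh;
    return (defined $v && $v =~ /^1/) ? 1 : 0;
}

# Version string of the libcrypto Net::SSLeay was loaded with, e.g.
# "OpenSSL 1.0.1e-fips 11 Feb 2013". A "-fips" tag only shows the build
# was configured with the FIPS Object Module; it is not proof of mode.
sub perl_openssl_version { return Net::SSLeay::SSLeay_version(0) }

# libcrypto/libssl the XS object is really linked against, via ldd, to
# catch Perl loading a different OpenSSL than the one you validated.
sub linked_crypto_libs {
    my ($so) = grep { m{/auto/Net/SSLeay/} } @DynaLoader::dl_shared_objects;
    return () unless defined $so;
    open my $p, '-|', 'ldd', $so or return ();
    my @libs = map { /^\s*(lib(?:crypto|ssl)\S*)\s*=>\s*(\S+)/ ? "$1 => $2" : () } <$p>;
    close $p;
    return @libs;
}

# Gate: only start when the host is in FIPS mode and the linked build
# advertises FIPS. Silent fallback to non-validated crypto is the
# failure mode worth refusing to run with.
sub fips_environment_ok {
    my $k = kernel_fips_enabled();
    return (defined $k && $k == 1 && perl_openssl_version() =~ /fips/i) ? 1 : 0;
}

unless (caller) {    # run as a script: print a report, exit non-zero if not OK
    printf "kernel fips_enabled : %s\n", kernel_fips_enabled() // 'n/a';
    printf "Net::SSLeay libcrypto: %s\n", perl_openssl_version();
    print  "linked: $_\n" for linked_crypto_libs();
    my $ok = fips_environment_ok();
    print $ok ? "FIPS environment OK\n" : "not a FIPS-mode environment; refusing to start\n";
    exit($ok ? 0 : 1);
}
```

Call fips_environment_ok() from the mini-httpd's startup path so the listener never comes up on a host that has quietly dropped out of FIPS mode.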