On 2016-11-06 14:59:03 +0000 (+0000), Jeremy Stanley wrote: > On 2016-11-06 08:05:51 +0000 (+0000), Steven Dake (stdake) wrote: [...] > > An orthogonal question I have received from one of our community > > members (Pavo on irc) is whether pycrypto (or if we move to > > cryptography) provide FIPS-140-2 compliance. > > My understanding is that if you need, for example, a FIPS-compliant > AES implementation under the hood, then this is dependent more on > what backend libraries you're using... e.g., > https://www.openssl.org/docs/fips.html > https://www.openssl.org/docs/fipsvalidation.html I should clarify, I was referring specifically to pyca/cryptography's OpenSSL backend. In contrast the pycrypto maintainers seem to have copied and forked a variety of algorithms (some of which seem to be based NIST/FIPS reference implementations for C or backports from bits of Py3K stdlib but have undergone subsequent modification), so very likely have not been put through any sort of direct compliance validation: https://github.com/dlitz/pycrypto/blob/master/src/AES.c https://github.com/dlitz/pycrypto/blob/master/src/SHA512.c et cetera... -- Jeremy Stanley