[openstack-dev] [requirements][kolla][security] pycrypto vs cryptography

Gardiner Michael Michael.Gardiner at gemalto.com
Tue Nov 8 17:53:19 UTC 2016

Hey Guys,

If FIPS 140-2 compliance is important you might want to look at something
like a PKCS#11 wrapper and let your PKCS#11 complaint module be the deciding
factor in meeting that compliance level.  There are wrappers for most
languages.  (We have our own python p11 implementation tailored to our Luna
HSMs here https://github.com/gemalto/pycryptoki but you should be able to
use a more generic project if you choose)  

There are other commonly used APIs such as OpenSSL, Java JCA/JCE and MS
CAPI/CNG but given that we're talking about python on linux a PKCS #11
approach is probably best.

Beyond just "140-2" there are different levels.  Pure software
implementations are limited to level 1. Level 2, 3, and 4 require hardware
and have more strict requirements as you go up the chain.  Someone asking
for FIPS 140-2 compliance will also generally have a minimum level that they

I do work for a vendor of hardware security modules and so I have biases
towards our solutions but without getting into any of that I do believe if
you want to take FIPS into consideration you should stick to a broadly
adopted crypto API that allows you to switch out the back end module.  


Mike Gardiner
Systems Security Architect

-----Original Message-----
From: Jeremy Stanley [mailto:fungi at yuggoth.org] 
Sent: November-06-16 11:44 AM
To: OpenStack Development Mailing List (not for usage questions)
<openstack-dev at lists.openstack.org>
Subject: Re: [openstack-dev] [requirements][kolla][security] pycrypto vs

On 2016-11-06 14:59:03 +0000 (+0000), Jeremy Stanley wrote:
> On 2016-11-06 08:05:51 +0000 (+0000), Steven Dake (stdake) wrote:
> > An orthogonal question I have received from one of our community 
> > members (Pavo on irc) is whether pycrypto (or if we move to
> > cryptography) provide FIPS-140-2 compliance.
> My understanding is that if you need, for example, a FIPS-compliant 
> AES implementation under the hood, then this is dependent more on what 
> backend libraries you're using... e.g., 
> https://www.openssl.org/docs/fips.html
> https://www.openssl.org/docs/fipsvalidation.html

I should clarify, I was referring specifically to pyca/cryptography's
OpenSSL backend. In contrast the pycrypto maintainers seem to have copied
and forked a variety of algorithms (some of which seem to be based NIST/FIPS
reference implementations for C or backports from bits of Py3K stdlib but
have undergone subsequent modification), so very likely have not been put
through any sort of direct compliance validation:
et cetera...
Jeremy Stanley

OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 7173 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20161108/880e354f/attachment.bin>

More information about the OpenStack-dev mailing list