J.R. Sitman (United States of America) asked:
Is Open PGP, FIPS 140-2 compliant?

We are looking for a secure printing solution and I need to verify that Open PGP is FIPS 140-2 compliant.
ASKER CERTIFIED SOLUTION
serialband (Ukraine)

btan:

You should also look into the supported crypto algorithms, as OpenPGP has a couple; one example is below. So you should ask the provider about the cipher suites supported.
https://www.openpgp.org/about/standard/
https://datatracker.ietf.org/doc/html/rfc6637#section-12.2
12.2.1. Security Strength at 192 Bits
To achieve the security strength of 192 bits, [SuiteB] requires NIST curve P-384, AES-256, and SHA2-384. The symmetric algorithm restriction means that the algorithm of KEK used for key wrapping in Section 8 and an [RFC4880] session key used for message encryption must be AES-256. The hash algorithm restriction means that the hash algorithms of KDF and the [RFC4880] message digest calculation must be SHA-384.

12.2.2. Security Strength at 128 Bits
The set of algorithms in Section 12.2.1 is extended to allow NIST curve P-256, AES-128, and SHA2-256.

J.R. Sitman (asker):
Any chance either of you would have a diagram of the flow for this?

My boss asked.
Maybe help to clarify what the "flow" is that you meant? You mean the PGP workflow?

How PGP works:

The mathematics behind encryption can get pretty complex (though you can take a look at the math if you like), so here we’ll stick to the basic concepts. At the highest level, this is how PGP encryption works:
  • First, PGP generates a random session key using one of two (main) algorithms. This key is a huge number that cannot be guessed, and is only used once.
  • Next, this session key is encrypted. This is done using the public key of the intended recipient of the message. The public key is tied to a particular person’s identity, and anyone can use it to send them a message.
  • The sender sends their encrypted PGP session key to the recipient, and they are able to decrypt it using their private key. Using this session key, the recipient is now able to decrypt the actual message.

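The three-step flow described in the post above, worked through in Go with only the standard library, as an added example that is not part of the thread or any poster's code. It uses the RFC 6637 Suite B 192-bit choices quoted earlier in the thread (curve P-384, AES-256, SHA-384). It is a simplified sketch of the OpenPGP ECDH scheme, not an OpenPGP implementation: the KDF is plain SHA-384 over the shared secret, and the session key is wrapped with AES-GCM instead of RFC 3394 AES key wrap. The Envelope type, the function names and the sample message are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// RFC 6637 section 12.2.1 profile (192-bit strength): P-384, AES-256, SHA-384.
var curve = ecdh.P384()

const sessionKeyLen = 32 // AES-256 session key and KEK

// Envelope is what the sender transmits (a constructed structure for this
// example, not an OpenPGP packet format).
type Envelope struct {
	EphemeralPub []byte // sender's one-time ECDH public key
	WrapNonce    []byte
	WrappedKey   []byte // session key encrypted under the KEK
	MsgNonce     []byte
	Ciphertext   []byte // message encrypted under the session key
}

// deriveKEK turns the ECDH shared secret into an AES-256 key-encryption key.
// Simplification: plain SHA-384 instead of the RFC 6637 section 7 KDF.
func deriveKEK(shared []byte) []byte {
	sum := sha512.Sum384(shared)
	return sum[:sessionKeyLen]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-GCM under key using a fresh random nonce.
// Simplification: OpenPGP wraps the session key with RFC 3394 AES key wrap.
func seal(key, plaintext []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

// unseal reverses seal; it fails if the key is wrong or the data was altered.
func unseal(key, nonce, ct []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, nil)
}

// Encrypt is the sender side of the flow.
func Encrypt(recipientPub *ecdh.PublicKey, message []byte) (*Envelope, error) {
	// Step 1: a random session key that is used only once.
	sessionKey := make([]byte, sessionKeyLen)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	// Step 2: encrypt the session key for the recipient's public key
	// (ephemeral ECDH -> KEK -> wrap).
	eph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(deriveKEK(shared), sessionKey)
	if err != nil {
		return nil, err
	}
	// Step 3: encrypt the actual message under the session key.
	msgNonce, ct, err := seal(sessionKey, message)
	if err != nil {
		return nil, err
	}
	return &Envelope{eph.PublicKey().Bytes(), wrapNonce, wrapped, msgNonce, ct}, nil
}

// Decrypt is the recipient side: recover the session key with the private key,
// then use it to decrypt the message.
func Decrypt(recipientPriv *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	ephPub, err := curve.NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipientPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	sessionKey, err := unseal(deriveKEK(shared), env.WrapNonce, env.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("session key unwrap failed: %w", err)
	}
	return unseal(sessionKey, env.MsgNonce, env.Ciphertext)
}

func main() {
	recipient, _ := curve.GenerateKey(rand.Reader)
	env, _ := Encrypt(recipient.PublicKey(), []byte("constructed sample print job"))
	pt, err := Decrypt(recipient, env)
	fmt.Printf("%s (err=%v)\n", pt, err)
}
```

Only the holder of the matching private key can unwrap the session key, and every call to Encrypt draws a fresh session key, which is the property the bullet list describes. On the original question: FIPS 140-2 validation is granted to a specific cryptographic module, not to a standard such as OpenPGP, so whether a product meets it depends on the library implementing these primitives, which is why asking the provider about the module and cipher suites is the right step.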

That might be what he wants. Thank you, I'll send it to him and let you know.
Thanks