Following the FIPS 140-2 validation of OpenSSL, some comments posted on Slashdot were incorrect. Most were corrected in replies, but this one was untouched:

Another poster mentioned that this restricted the choice of encryption algorithms to 3DES. That is incorrect. FIPS 140-2 is an AES implementation, specifically because of concerns over 3DES’ long-term viability. There are no approved 3DES implementations under FIPS 140-2.

FIPS 140-2 is a specification for cryptographic modules. In addition to specifying requirements for cryptographic algorithms, FIPS 140 specifies requirements other categories including key management, self tests, interfaces, design assurance, and others. A module must implement at least one approved security function (here is the approved list). A module *may* implement AES as an approved cryptographic function. Incidentally, AES is specified in FIPS 197.

There are many 3DES implementations in cryptographic modules validated under FIPS 140-2. The 3DES validations are listed here. Note that just because a module has its algorithms validated, it does not necessarily have a full FIPS 140 validation unless it’s listed here. DES is withdrawn as an approved security function (see NIST’s DES Transition Plan).