On Mon, Jul 09, 2007 at 04:08:33PM -0600, Darren Lasko wrote:
However, it seems pretty nebulous about how
they expect you to measure the number of operations required to
compromise the security of the key generation method. Do you know
what kind of documentation the labs require?
The
On Sat, Jul 07, 2007 at 10:53:17PM -0600, Darren Lasko wrote:
1) Can a product obtain FIPS 140-2 certification if it implements a PRNG
from NIST SP 800-90 (and therefore is not listed in FIPS 140-2 Annex C)? If
not, will Annex C be updated to include the PRNGs from SP 800-90?
The PRNGs in
In fact, if you're clever, you can manage to not trouble yourself to get
the key-management, etc. certified, getting only the simple, symmetric-cipher
stuff run through the process.
You can, but that doesn't mean that it's ok.
Key management is explicitly covered under FIPS 140-2. If you
On Fri, Sep 05, 2003 at 06:02:10PM -0400, Wei Dai wrote:
In fact they wouldn't even validate Crypto++ as a
static library despite an earlier verbal agreement that a static
library was ok. It had to be turned into a DLL at the last moment (i.e.
during the review phase).
That's unfortunate.
On Fri, Sep 05, 2003 at 01:32:21PM -0400, Anton Stiglic wrote:
If I'm not mistaken, this would be the first free,
open-source, crypto library that has FIPS 140 module certification!
I believe that this is incorrect.
The two open-source projects that I'm aware of that have FIPS 140 certs