Eric,

Thanks for the clarification.

Elsewhere, I learned that an encryption product (hardware or software) is restricted to single-user mode when operating in FIPS mode. That is, there can be only ONE user account that can perform the decryption. Administrative / Helpdesk or other recovery accounts are not possible in FIPS mode. Is this correct?

Thanks

On Thu, May 1, 2008 at 1:47 PM, <[EMAIL PROTECTED]> wrote:
> Just because they use FIPS approved or validated algorithms doesn't mean they are FIPS validated modules. There is much more than just correctly implementing the algorithm to FIPS mode. Some that come to mind are zeroizing the key store if a tamper is suspected, or if account lock-out numbers are reached, etc. Depending on the level of validation, physical keys (dongles, USB, smart cards) are needed to enable the device.
>
> Most encryption products have the option of running in FIPS mode or non-FIPS mode. Generally FIPS modes are far more restrictive and slower than necessary for typical non-classified usage. But, if you are storing the root of your PKI on the disk, it would probably be considered a best practice.
>
> Eric Lengvenis
> Security Architecture
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ali, Saqib
> Sent: Thursday, May 01, 2008 2:55 PM
> To: fde
> Subject: [FDE] FIPS 140-2: When operated in FIPS mode? (Flagstone, Spyrus, Utimaco, Poinsect, MobileArmor)
>
> I was looking at the FIPS 140-2 Certificate[1] for Stonewood's Flagstone product, and it has a clause that says "(When operated in FIPS mode)". What does this clause mean?
>
> I was under the impression that since Flagstone only implements FIPS validated encryption algorithms (128-bit AES CBC/ECB and ANSI X9.31 AES 128 bit RNG) there would be no non-FIPS mode.
>
> I later found out that Spyrus, Utimaco, Poinsect and MobileArmor have the same clause.
>
> 1. http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/140crt779.pdf

--
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net
_______________________________________________
FDE mailing list
[email protected]
http://www.xml-dev.com/mailman/listinfo/fde
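The reply quoted above describes two behaviours a module exhibits in FIPS mode that it may not exhibit otherwise: zeroizing the key store when tamper is suspected, and zeroizing it when the account lock-out count is reached. The following is an added illustration of that policy difference, not code from this thread or from any of the vendors named in it. The `KeyStore` class, its passphrase check (PBKDF2 verifier, constant-time compare) and the threshold of three failures are all assumptions chosen for the example; a real validated module enforces these rules in hardware or in a boundary-controlled software module, not in application Python.

```python
import hashlib
import hmac
import os


class KeyStore:
    """Hypothetical key store contrasting FIPS mode with non-FIPS mode.

    In both modes the store locks after too many failed unlocks or on a
    tamper signal.  In FIPS mode the key material is additionally
    overwritten with zeros (zeroized) so that nothing recoverable remains.
    """

    def __init__(self, passphrase: str, key: bytes, fips_mode: bool, max_failures: int = 3):
        self.fips_mode = fips_mode
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False
        # Store only a salted PBKDF2 verifier of the passphrase, never the passphrase.
        self._salt = os.urandom(16)
        self._verifier = self._derive(passphrase)
        # bytearray (not bytes) so the buffer can be overwritten in place.
        self._key = bytearray(key)

    def _derive(self, passphrase: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self._salt, 10_000)

    def _zeroize(self) -> None:
        """Overwrite the key buffer in place and lock the store."""
        for i in range(len(self._key)):
            self._key[i] = 0
        self.locked = True

    def _lockout(self) -> None:
        # The policy difference: FIPS mode destroys the key, non-FIPS mode only locks.
        if self.fips_mode:
            self._zeroize()
        else:
            self.locked = True

    def tamper_detected(self) -> None:
        """Called by a tamper sensor or integrity monitor (constructed trigger)."""
        self._lockout()

    def unlock(self, passphrase: str):
        """Return the key on success, None on failure or when locked."""
        if self.locked:
            return None
        if hmac.compare_digest(self._derive(passphrase), self._verifier):
            self.failures = 0
            return bytes(self._key)
        self.failures += 1
        if self.failures >= self.max_failures:
            self._lockout()
        return None

    def key_is_zeroized(self) -> bool:
        return all(b == 0 for b in self._key)


if __name__ == "__main__":
    # Constructed sample: same passphrase and key, two modes, three bad guesses.
    for mode in (True, False):
        ks = KeyStore("correct horse", bytes([0x11]) * 16, fips_mode=mode)
        for _ in range(3):
            ks.unlock("wrong guess")
        print(f"fips_mode={mode}: locked={ks.locked}, zeroized={ks.key_is_zeroized()}")
```

In the FIPS-mode instance the third failure leaves only zeros in the buffer, so even a later correct passphrase (or an administrator with physical access) cannot recover the key; in the non-FIPS instance the key survives behind the lock, which is the less restrictive behaviour the reply contrasts it with.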
