Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
On Fri, Sep 05, 2003 at 04:05:07PM -0400, Rich Salz wrote:
> It is the first *source code* certification.

The ability to do this runs counter to my understanding of FIPS 140-2.

First, there are a series of requirements that deal with executable binary authentication that I'm not sure could be met.

Second, it is unclear to me what would be tested during operational testing. The source code can't itself be a module, because the source code doesn't do anything until it is compiled and run. FIPS 140-2 currently only allows for fully functional units to be modules; you'll note, for instance, that FIPS certs for "software" modules are listed as a "multi-chip standalone" embodiment. NIST was talking about producing documents that would support a true "software only" embodiment, but that initiative seems to have stalled with the change of directors of the CMVP (the NIST group that issues FIPS 140-2 certs).

Third, nominally, the FIPS certificate only applies to the particular operating system (and OS version) that the operational testing was done on. For level 1 modules, NIST has historically allowed OSes in the same "family" to also be covered, and they have been very liberal in their definition of "family".

Those seem like the big problems. NIST has historically been intractable on these issues. That's not to say that they couldn't have changed their mind, but doing so would require that they go against previously issued (formal) guidance and many verbal conversations.

I don't want to rain on anyone's parade. If the OpenSSL cert goes through, and the certificate covers the code itself, then I assure you that I'll be cheering just as loudly as anyone. Sadly, I honestly suspect that this won't be the case. It would require too many broad interpretation changes on NIST's part, and it would require that they contradict their previous guidance, which isn't something they do very often.
Josh

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
> On Fri, Sep 05, 2003 at 01:32:21PM -0400, Anton Stiglic wrote:
> > If I'm not mistaken, this would be the first free,
> > open-source, crypto library that has FIPS 140 module certification!
>
> I believe that this is incorrect.
>
> The two open-source projects that I'm aware of that have FIPS 140 certs
> are The Crypto++ Library, (cert 343, issued today) and The Mozilla
> project's NSS, which was certified by SUN under FIPS 140-1, levels 1
> and 2. (certs 247 and 248).

You are correct, I just saw Crypto++ in the list of FIPS 140 validated modules:
http://csrc.nist.gov/cryptval/140-1/140val-all.htm

It is the latest entry, added today. Congratulations to Wei Dai!

I was not aware of NSS before; there might be others as well which I am not aware of then.

OpenSSL's *source code* being evaluated remains exciting.

Thanks for the information Joshua and Rich!

--Anton
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
Anton Stiglic:
> If I'm not mistaken, this would be the first free, open-source, crypto library that has FIPS 140 module certification!

It is the first *source code* certification.

Joshua Hill:
> The two open-source projects that I'm aware of that have FIPS 140 certs are The Crypto++ Library, (cert 343, issued today) and The Mozilla project's NSS, which was certified by SUN under FIPS 140-1, levels 1 and 2. (certs 247 and 248).

#343 is certifying a particular Windows DLL for which source is available. Similarly, 247 and 248 are particular instances of Windows and Solaris libraries. In all three of those cases, you can take the source and run it on your o/s, but you need to go get re-certified.

The more I think about it, the more amazing this is. Anyone in the world can now build an SSL/TLS application and be FIPS 140-2L1 certified.

/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
On Fri, Sep 05, 2003 at 01:32:21PM -0400, Anton Stiglic wrote:
> If I'm not mistaken, this would be the first free,
> open-source, crypto library that has FIPS 140 module certification!

I believe that this is incorrect.

The two open-source projects that I'm aware of that have FIPS 140 certs are The Crypto++ Library, (cert 343, issued today) and The Mozilla project's NSS, which was certified by SUN under FIPS 140-1, levels 1 and 2. (certs 247 and 248).

Josh
Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification
Really exciting news. If I'm not mistaken, this would be the first free, open-source, crypto library that has FIPS 140 module certification! Other free open-source libraries have algorithms that have been FIPS 140 certified, but the whole module hasn't been certified (for example, Cryptlib and Crypto++). And the OpenSSL crypto module runs on all kinds of platforms. Really nice!

--Anton

----- Original Message -----
From: "Rich Salz" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 05, 2003 10:50 AM
Subject: OpenSSL *source* to get FIPS 140-2 Level 1 certification

> This is tremendously exciting. For the first time ever, NIST will be
> certifying a FIPS 140 implementation based on the source code. As long
> as the "pedigree" of the source is tracked, and checked at run-time,
> then applications can claim FIPS certification.
>
> For details:
> http://groups.google.com/groups?dq=&hl=en&lr=&ie=UTF-8&threadm=bj9mos%242tbt%241%40FreeBSD.csie.NCTU.edu.tw&prev=/groups%3Fgroup%3Dmailing.openssl.users
>
> /r$
Re: Is cryptography where security took the wrong branch?
At 10:18 AM 9/3/03 PDT, D. K. Smetters wrote:
>
> I find WEP very useful for one thing -- given the habit of
> many wireless clients to opportunistically jump onto any
> network they happen to find, turning on WEP keeps users
> from accidentally "falling" onto networks by mistake.

This is much like the locks on cars. They are basically weak, but they prevent you from accidentally opening the wrong car, should an identical one be parked near yours.

Sort of like the locks on residential bathrooms that can be opened with a paper clip. Trivially brute forced but useful nonetheless.

Or the no-trespassing signs on barbed wire fences, which are required by law, else the property is crossable. (This is, in my mind, the common-law basis for New Hampshire's "no password = freely usable" law legalizing wardriving.)
OpenSSL *source* to get FIPS 140-2 Level 1 certification
This is tremendously exciting. For the first time ever, NIST will be certifying a FIPS 140 implementation based on the source code. As long as the "pedigree" of the source is tracked, and checked at run-time, then applications can claim FIPS certification.

For details:
http://groups.google.com/groups?dq=&hl=en&lr=&ie=UTF-8&threadm=bj9mos%242tbt%241%40FreeBSD.csie.NCTU.edu.tw&prev=/groups%3Fgroup%3Dmailing.openssl.users

/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
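The "pedigree of the source is tracked, and checked at run-time" idea in the announcement above, and the "executable binary authentication" requirements Joshua Hill raises earlier in the thread, both come down to a software integrity test that a module runs on itself at start-up. The Python below is an added illustration written for this page; it is not OpenSSL's code, nor anything posted in the thread. It assumes a build step that records an HMAC-SHA256 tag over the module's code under a constructed integrity key, and a loader that recomputes the tag and refuses to expose the module when the code no longer matches what was built.

```python
"""Illustrative power-up integrity test for a software crypto module.

Assumption (not from the thread): the build records an HMAC-SHA256 tag over
the module's code, and the loader recomputes it before the module may be used.
"""
import hashlib
import hmac

# Constructed key for the illustration only. A real module embeds its
# integrity key in the shipped binary and computes the expected tag at build.
INTEGRITY_KEY = b"example-integrity-key-do-not-reuse"


class ModuleLoadError(Exception):
    """Raised when the integrity test fails; the module stays unusable."""


def integrity_tag(code: bytes, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 over the module code, hex-encoded."""
    return hmac.new(key, code, hashlib.sha256).hexdigest()


def build_module(code: bytes) -> dict:
    """Simulated build step: ship the code together with its expected tag."""
    return {"code": code, "expected_tag": integrity_tag(code)}


def power_up_self_test(module: dict) -> bool:
    """Recompute the tag over the loaded code and compare in constant time."""
    actual = integrity_tag(module["code"])
    return hmac.compare_digest(actual, module["expected_tag"])


def load_module(module: dict) -> bytes:
    """Gate access to the module on a passing integrity test."""
    if not power_up_self_test(module):
        raise ModuleLoadError("integrity test failed; module is in error state")
    return module["code"]


# Constructed stand-in for a module's code; any bytes work for the check.
ORIGINAL_CODE = b"def aes_encrypt(key, block):\n    ...\n"
TAMPERED_CODE = ORIGINAL_CODE + b"# one-byte patch after the build\n"


def demo() -> tuple:
    """Return (shipped module passes, modified copy passes)."""
    shipped = build_module(ORIGINAL_CODE)
    modified = dict(shipped, code=TAMPERED_CODE)  # tag unchanged, code changed
    return power_up_self_test(shipped), power_up_self_test(modified)


if __name__ == "__main__":
    ok, tampered_ok = demo()
    print("shipped module passes:", ok)
    print("modified module passes:", tampered_ok)
```

The point of the example is the coupling that Hill's objection turns on: the tag is computed over the compiled artefact that actually runs, so a certification that follows the source has to define exactly which built bytes the tag covers, on which platform, before the run-time check means anything.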