Re: FIPS 140-2

2008-03-13 Thread Mitch Parker
Theo,

As am I, which was the point of the post :).  Too many people, in my
experience, spend time trying to certify just their solution, and don't
take the interfacing systems into consideration.

What good is certifying one part of a system when you have crap
application code?  All it means is that your "pwnage" takes place over a
FIPS 140-2 certified secure channel.

Too many people use that as an excuse to not do security elsewhere.
Many of these people are trying to get Microsoft-based security
solutions accredited, and use it as a check box on some spreadsheet to
convince management that their solution is more secure just because of a
certification that gets invalidated every time you patch the system
(Patch Tuesday, anyone?), or change the system so that it doesn't match
the baseline.

I've seen too many people try to spread the FIPS or Common Criteria
magic dust over bad code to get it certified.  It doesn't matter what OS
you run.  Bad code is universal, and completely invalidates any security
certification of the underlying system.

Mitch

-----Original Message-----
From: Theo de Raadt [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 13, 2008 12:02 AM
To: Mitch Parker
Cc: Ryan McBride; misc@openbsd.org
Subject: Re: FIPS 140-2

> What good is an OpenBSD system running with a FIPS 140-2 certified
> cryptographic component handling SSL and SSH (using AES-256) if the
> interfacing systems aren't also well-protected, and your applications
> running on the system don't have safeguards against malicious usage?

You're right -- better go back to Windows running FIPS 140-2 certified
components

I'm very very cynical about FIPS.



Re: FIPS 140-2

2008-03-12 Thread Theo de Raadt
> What good is an OpenBSD system running with a FIPS 140-2 certified
> cryptographic component handling SSL and SSH (using AES-256) if the
> interfacing systems aren't also well-protected, and your applications
> running on the system don't have safeguards against malicious usage?

You're right -- better go back to Windows running FIPS 140-2 certified
components

I'm very very cynical about FIPS.



Re: FIPS 140-2

2008-03-12 Thread Mitch Parker
Ryan,

You're right about the entire package needing to be FIPS 140-2
certified.  Also, the other key component here is what
algorithms/components the system is FIPS 140-2 certified for, such as
3DES, TLS, SSL, RNG, or AES.

However, if you're attempting to do C&A on a system, keep in mind that
the other important issue is interfacing components.

What good is an OpenBSD system running with a FIPS 140-2 certified
cryptographic component handling SSL and SSH (using AES-256) if the
interfacing systems aren't also well-protected, and your applications
running on the system don't have safeguards against malicious usage?

It's a nice check box for most auditors, but it doesn't make your entire
system more secure, and never will :).

Mitch

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Ryan McBride
Sent: Wednesday, March 12, 2008 10:04 PM
To: misc@openbsd.org
Subject: Re: FIPS 140-2

On Thu, Mar 13, 2008 at 12:29:47PM +1100, Damien Miller wrote:
> On Wed, 12 Mar 2008, Ed Ahlsen-Girard wrote:
>
> > Does OpenBSD's OpenSSL use the FIPS 140-2 certified bits where
> > applicable?
>
> No. Furthermore, there are no "FIPS 140-2 certified bits" - it is an
> entire package that is certified, you don't get to pick and choose.

However, if you can find a FIPS 140-2 certified cryptographic
accelerator that OpenSSL will use (and most of those supported by
OpenBSD will fall into this category), OpenSSH will be using it as well,
and you can then presumably put FIPS 140-2* on your product materials or
audit questionnaire or what have you.

-Ryan

* With some fine print disclaimer to ensure that nobody accuses you of
  claiming FIPS compliance for the whole system, of course.



Re: FIPS 140-2

2008-03-12 Thread Ryan McBride
On Thu, Mar 13, 2008 at 12:29:47PM +1100, Damien Miller wrote:
> On Wed, 12 Mar 2008, Ed Ahlsen-Girard wrote:
> 
> > Does OpenBSD's OpenSSL use the FIPS 140-2 certified bits where
> > applicable?
> 
> No. Furthermore, there are no "FIPS 140-2 certified bits" - it is an
> entire package that is certified, you don't get to pick and choose.

However, if you can find a FIPS 140-2 certified cryptographic
accelerator that OpenSSL will use (and most of those supported by
OpenBSD will fall into this category), OpenSSH will be using it as well,
and you can then presumably put FIPS 140-2* on your product materials or
audit questionnaire or what have you.

-Ryan

* With some fine print disclaimer to ensure that nobody accuses you of
  claiming FIPS compliance for the whole system, of course.



Re: FIPS 140-2

2008-03-12 Thread Damien Miller
On Wed, 12 Mar 2008, Ed Ahlsen-Girard wrote:

> Does OpenBSD's OpenSSL use the FIPS 140-2 certified bits where
> applicable?

No. Furthermore, there are no "FIPS 140-2 certified bits" - it is an
entire package that is certified, you don't get to pick and choose.

-d