FIPS 140-2 certification
nathanb at clinicomp.com
Sat Sep 28 08:42:16 EST 2002
Ben Lindstrom wrote:
> Where are theses 'DIPS 140-2' requirements? If they are anything like the
> other military requirements they are impratical and insane (yes I've had
> some time in the area. Not my idea of fun =).
This: <http://csrc.nist.gov/cryptval/> is the URL at NIST, I'm just
getting started at digging into this, and so any answers I might give
you today are probably not the answers you want. I don't get the sense
that the requirements are insane, but yeah, it's certainly possible some
of them will oppose the OpenBSD/SSH/SSL philosphies. For the most part,
it seems that FIPS 140 is (one of) the lowest standards for "sensitive
but unclassified" information. And pretty soon, if not already, most
crypto software used in DoD related projects will need to certified.
> We have a regess/ section in the current tree.
> What is the issue with prng? You really should be using kernel level
> devices. prngd and built-in prng should be a last resort. Besides, I
> bet our prng could easily get certified by NIST. It is a more sane
> implementation than some of the NIST certified stuff at my work.=)
I was trying to give you guys a broad overview of what I've gathered so
far, so please don't take anything as a criticism. I spoke with an
engineer at one of the labs could do the testing, and that's where that
list of issues came from -- a very brief conversation about whether or
not I was crazy to try this.
The self-test requirement is (I think) on module loading, a sort of
software POST. The prng issue is (once again, I think) that your prng
isn't certified. (=My= issue with prngs is IRIX, and believe me I know
that it's my problem =). There is not a list of what the specific
problems and issues are yet, and much depends on exactly how the "sytem"
to be certified is defined: what exactly is the relationship between
OpenSSH and OpenSSL during the testing process? What platform is the
testing done on? What codebase snapshot is used? What is the
configuration to be certified?
More information about the openssh-unix-dev