FIPS 140-2 certification

Nathan Bardsley nathanb at clinicomp.com
Sat Sep 28 08:42:16 EST 2002 

Ben Lindstrom wrote:
> Where are theses 'DIPS 140-2' requirements?  If they are anything like the
> other military requirements they are impratical and insane (yes I've had
> some time in the area.  Not my idea of fun =).

This: <http://csrc.nist.gov/cryptval/> is the URL at NIST, I'm just 
getting started at digging into this, and so any answers I might give 
you today are probably not the answers you want.  I don't get the sense 
that the requirements are insane, but yeah, it's certainly possible some 
of them will oppose the OpenBSD/SSH/SSL philosphies.  For the most part, 
it seems that FIPS 140 is (one of) the lowest standards for "sensitive 
but unclassified" information.  And pretty soon, if not already, most 
crypto software used in DoD related projects will need to certified.

> We have a regess/ section in the current tree.
> 
> What is the issue with prng?  You really should be using kernel level
> devices.  prngd and built-in prng should be a last resort.  Besides, I
> bet our prng could easily get certified by NIST.  It is a more sane
> implementation than some of the NIST certified stuff at my work.=)

I was trying to give you guys a broad overview of what I've gathered so 
far, so please don't take anything as a criticism.  I spoke with an 
engineer at one of the labs could do the testing, and that's where that 
list of issues came from -- a very brief conversation about whether or 
not I was crazy to try this.

The self-test requirement is (I think) on module loading, a sort of 
software POST.  The prng issue is (once again, I think) that your prng 
isn't certified.  (=My= issue with prngs is IRIX, and believe me I know 
that it's my problem =).  There is not a list of what the specific 
problems and issues are yet, and much depends on exactly how the "sytem" 
to be certified is defined: what exactly is the relationship between 
OpenSSH and OpenSSL during the testing process?  What platform is the 
testing done on?  What codebase snapshot is used?  What is the 
configuration to be certified?

Thanks,

--Nathan

More information about the openssh-unix-dev mailing list