Re: [Fed-Talk] FIPS 140-2
- Subject: Re: [Fed-Talk] FIPS 140-2
- From: "Shawn A. Geddis" <email@hidden>
- Date: Thu, 16 Aug 2007 12:50:11 -0400
William,
Might be good to rethink this...
> I would suggest that Apple may consider throwing away their crypto
> module and license PGP's which is already certified. On the surface
> of it, this would:
Solid and secure products are not built on the premise of "throwing
away" integrated crypto modules in an effort to meet a mandate in a
particular market segment. Vendors have always enhanced their product
or transitioned to other technologies when it makes sense technically
and from a security sense. This is not one of those.
> 1) adhere to the "open standards open source" adoption wave for Mac
> OS X
CDSA is an Open Source / Open Standard solution maintained by the Open
Group. Implementations are available for just about every platform -
including Windows.
CDSA: http://www.opengroup.org/security/l2-cdsa.htm
http://sourceforge.net/projects/cdsa/
Operating System : All 32-bit MS Windows (95/98/NT/2000/XP), All
POSIX (Linux/BSD/UNIX-like OSes)
> 2) achieve FIPS 140-2 certification over night (the module is
> certified, not the implementation)
Correct Implementation of cryptography within an Operating System does
not rely on the approach of bolting something on after the fact. Any
vendor can attest to the fact that even when your product meets all of
the FIPS 140 requirements, it is not an "over night" affair. Last
confirmation given to me was that the NIST/CMVP queue had a backup in
the neighborhood of 8-9 months. That means too many modules in the
queue and too few resources at NIST/CMVP. Improving resources for
them would significantly improve the time it takes in this process for
everyone involved.
> 3) alleviate the cost and development burden of AES in the OS.
What are the perceived cost and development burdens for AES on the
OS? AES is included in the Apple CSP module within CDSA on Mac OS X
and Apple was the first to provide AES-128 within the OS -- even a few
months before NIST gave their formal stamp of approval on the AES
Algorithm. AES-128 was fully exposed since 10.3 and AES-256 is
coming. Not sure I caught the intent of this one.
/* Personal Comments */
Everyone raise their hand that has all of their Servers and Desktops
at their agency running in FIPS Mode ? :-)
Relax, you all know I know the requirements for FIPS 140-2 and related
security mandates and Apple is doing the right thing, but it is always
interesting and enlightening to learn how many agencies and how many
systems are actually not running in FIPS Mode. Ask your favorite NIST
IT contact whether their system is running in FIPS Mode and you may
get an interesting response.
/* Personal Comments */
Apple is doing the right thing and continuing to develop/enhance
security services within the Operating System (where it should be) and
has been aggressively working towards the FIPS 140-2 Conformance
Validation. I know this has taken longer than many of you believe it
should take, but be assured that we do know and understand the
requirements you are under and will notify everyone when the status of
our FIPS 140-2 Conformance Validation changes.
Thanks for everyone's continued support of the platform!
-Shawn
On May 14, 2007, at 7:33 AM, Wm. Cerniuk wrote:
>> hard sell until it's actually validated, since it requires the DAA
>> to sign off on an exception.
> Very true... and the DAA has to think "is this worth the potential
> personal embarrassment or possibly a career?" Were I the DAA, the
> answer would be "no".
> I started inquiring July 2004 about FIPS certification for
> FileVault. There seems to be no FIPS timeline, only the state of
> affairs that Shawn posted earlier to the list. Shawn has been as
> helpful as possible, but the only thing that matters is Apple's crypto
> module being listed as certified. Anything else and we are only
> sorta-pregnant.
> I would suggest that Apple may consider throwing away their crypto
> module and license PGP's which is already certified. On the surface
> of it, this would:
> 1) adhere to the "open standards open source" adoption wave for Mac
> OS X
> 2) achieve FIPS 140-2 certification over night (the module is
> certified, not the implementation)
> 3) alleviate the cost and development burden of AES in the OS.
> There would be some kind of licensing agreement as PGP is open
> source but not public domain. It is not like Apple has not done that
> before with other products (fax) ... and then substituted (fax)
> their own (fax) implementation in later.
> Very Respectfully,
> Wm. Cerniuk
> Project Manager / Sr. Systems Architect
> Veterans Affairs
> 877.529.5730 (toll free)
> Time is Short, and the Water Rises
> On May 8, 2007, at 9:33 AM, Amanda Walker wrote:
>> On May 7, 2007, at 4:53 PM, Wm. Cerniuk wrote:
>>> I received the marching orders on this last Friday in the presence
>>> of the director of enterprise architecture who was impressed with
>>> the operation of FileVault but... there is that OMB business...
>>> Imagine if we lost a Mac and the news started hounding that while
>>> it was encrypted it was not encrypted to government specification.
>> This was the same issue I ran into working on stuff for the Army--
>> regardless of the technical merits, AR 25-2 has no "or equivalent"
>> clause: "All ISs [information systems] will employ protection
>> mechanisms that satisfy criteria for basic, medium, or high levels
>> of robustness per DODI 8500.2 and Federal Information Processing
>> Standard (FIPS) 140–2." Many DAAs interpret this as "all systems
>> must employ a FIPS 140-2 validated solution." FileVault is a hard
>> sell until it's actually validated, since it requires the DAA to
>> sign off on an exception.
>> Amanda Walker
>> email@hidden
- Shawn
___________________________________________
Shawn Geddis T (703) 264-5103
Security Consulting Engineer C (703) 623-9329
Apple Enterprise Sales email@hidden
Apple, Inc.
2350 Corporate Park Drive 6th floor
Herndon VA 20171