Re: [Fed-Talk] Re: FIPS 140-2 discussion... Apple's CSP certification
- Subject: Re: [Fed-Talk] Re: FIPS 140-2 discussion... Apple's CSP certification
- From: Peter Link <email@hidden>
- Date: Fri, 15 May 2009 07:59:28 -0700
It would also be nice if NIST would get Apple's Cryptographic Service
Provider (CSP) module past the IUT stage. For those sites that
depend on the formal certification to get their DAA to accept the
risk, this certification is critical. (Any news, Shawn?)
On May 15, 2009, at 7:47 AM, Amanda Walker wrote:
On Fri, May 15, 2009 at 10:17 AM, Shawn A. Geddis <email@hidden> wrote:
I strongly agree with Amanda / Tim on the FIPS 140-2 Conformance
Validation comments. The process and its understanding does not lend
itself well to folks who do not spend the time getting their fingers
dirty. The unfortunate result is that it gets forced as a checkbox item
without customers spending much time with the implementation approach.
Most all products are using the same well known algorithms. How they
differ the most is their protection and management of the keys. Not all
products are created equal.
Indeed. Defeating a security product via cryptanalysis is extremely
rare--because it's usually unnecessary. Key distribution and handling
is very, very hard to get right. This is why software-only products
can only get to level 2 compliance, for example--to comply with 3 or
4, you need a hardware crypto module that keeps the keys out of the
main machine's hands and zeros them at any sign of tampering,
specifically to guard against hardware attacks (like the "freeze the
RAM" stuff that made the news last year).
Speaking of such things, it sure would be nice to have a hardened
ExpressCard for my MacBook Pro that I could stick the equivalent of a
KSD-64 into to unlock my machine :-).
--Amanda
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
Peter Link
Cyber Security Analyst
Cyber Security Program
Lawrence Livermore National Laboratory
PO Box 808, L-315
Livermore, CA 94550
email@hidden