Re: [Fed-Talk] Re: FIPS 140-2 discussion...
Re: [Fed-Talk] Re: FIPS 140-2 discussion...
- Subject: Re: [Fed-Talk] Re: FIPS 140-2 discussion...
- From: "Timothy J. Miller" <email@hidden>
- Date: Fri, 15 May 2009 10:00:41 -0500
Amanda Walker wrote:
Indeed. Defeating a security product via cryptanalysis is extremely
rare--because it's usually unnecessary. Key distribution and handling
is very, very hard to get right. This is why software-only products
can only get to level 2 compliance, for example
Software alone only gets level 1. Software only gets level 2 when it's
restricted to running on specific hardware:
"""
Security Level 2 allows the software and firmware components of a
cryptographic module to be executed on a general purpose computing
system using an operating system that
• meets the functional requirements specified in the Common Criteria
(CC) Protection Profiles (PPs) listed in Annex B and
• is evaluated at the CC evaluation assurance level EAL2 (or higher).
An equivalent evaluated trusted operating system may be used. A trusted
operating system provides a level of trust so that cryptographic modules
executing on general purpose computing platforms are comparable to
cryptographic modules implemented using dedicated hardware systems.
"""
-- Tim
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden