Re: [Fed-Talk] Re: FIPS 140-2 discussion...
- Subject: Re: [Fed-Talk] Re: FIPS 140-2 discussion...
- From: "Timothy J. Miller" <email@hidden>
- Date: Fri, 15 May 2009 13:38:47 -0500
Paul Nelson wrote:
> While you are discussing FIPS 140-2, perhaps you can comment on it being
> included in FIPS 201 (PIV).
> FIPS 140-2 certified crypto modules are called out in FIPS 201 section B.4.
> What is the scope of a "cryptographic module"?
FIPS 140-2, Sec 4.1:
"""
A cryptographic module shall be a set of hardware, software, firmware,
or some combination thereof that implements cryptographic functions or
processes, including cryptographic algorithms and, optionally, key
generation, and is contained within a defined cryptographic boundary. A
cryptographic module shall implement at least one Approved security
function used in an Approved mode of operation.
"""
Upshot: If you have code that performs a cryptographic operation
(minimally, implements a cipher or a hash), then you need to be certified.
> Does this include just the
> API/implementation of a "library" on a Macintosh?
The module only includes the code that actually performs the security
functions (i.e., the crypto). If your library *implements* crypto, then
yes. If your library *calls something else* for crypto, then *your*
library doesn't but the *called* library does.
> Section B.3 table B-1
> doesn't specify a general purpose desktop computer that uses a PIV. It
> calls out the PIV's ICC (chip), reader, and card issuance and maintenance
> systems.
That's because these are the only components *of the PIV system* doing
crypto (well, except the reader, but note that the reader is only
required to be PC/SC validated). The PIV ICC is obvious. The card
issuance/maintenance system is included because it too performs crypto
operations; most notably, signing data objects on the card and
generating encryption keys (encryption keys are escrowed and must be
generated off-card).
> Can you comment on what fed users will need to do to use PIV cards with the
> Mac?
... Install a PIV tokend that works? :)
That's not the complete end of the story, however. Since the OS has
crypto capabilities independent of your code, the OS needs to show FIPS
140 certification too (or, conversely, it needs to show that its
crypto can be disabled--no crypto capabilities, no FIPS 140 certificate
needed) but that's Apple's problem. In addition, Common Criteria
certification is supposed to be required; that's Apple's problem too but
I don't know status. Then there's certification and accreditation that
needs to be accomplished; that's a site/org/agency issue.
-- Tim