Re: [Fed-Talk] Re: FIPS 140-2 discussion...
- Subject: Re: [Fed-Talk] Re: FIPS 140-2 discussion...
- From: Paul Nelson <email@hidden>
- Date: Fri, 15 May 2009 14:12:22 -0500
- Thread-topic: [Fed-Talk] Re: FIPS 140-2 discussion...
Shawn, in your work on FIPS 140, are you including testing of the crypto
modules that are part of the MIT Kerberos framework as well?
Paul
> From: "Timothy J. Miller" <email@hidden>
> Date: Fri, 15 May 2009 13:38:47 -0500
> To: Paul Nelson <email@hidden>
> Cc: Amanda Walker <email@hidden>, Apple Fed Talk
> <email@hidden>
> Subject: Re: [Fed-Talk] Re: FIPS 140-2 discussion...
>
> Paul Nelson wrote:
>> While you are discussing FIPS 140-2, perhaps you can comment on it being
>> included in FIPS 201 (PIV).
>>
>> FIPS 140-2 certified crypto modules are called out in FIPS 201 section B.4.
>> What is the scope of a "cryptographic module"?
>
> FIPS 140-2, Sec 4.1:
>
> """
> A cryptographic module shall be a set of hardware, software, firmware,
> or some combination thereof that implements cryptographic functions or
> processes, including cryptographic algorithms and, optionally, key
> generation, and is contained within a defined cryptographic boundary. A
> cryptographic module shall implement at least one Approved security
> function used in an Approved mode of operation.
> """
>
> Upshot: If you have code that performs a cryptographic operation
> (minimally, implements a cipher or a hash), then you need to be certified.
>
>> Does this include just the
>> API/implementation of a "library" on a Macintosh?
>
> The module only includes the code that actually performs the security
> functions (i.e., the crypto). If your library *implements* crypto, then
> yes. If your library *calls something else* for crypto, then *your*
> library doesn't but the *called* library does.
>
>> Section B.3 table B-1
>> doesn't specify a general purpose desktop computer that uses a PIV. It
>> calls out the PIV's ICC (chip), reader, and card issuance and maintenance
>> systems.
>
> That's because these are the only components *of the PIV system* doing
> crypto (well, except the reader, but note that the reader is only
> required to be PC/SC validated). The PIV ICC is obvious. The card
> issuance/maintenance system is included because it too performs crypto
> operations; most notably, signing data objects on the card and
> generating encryption keys (encryption keys are escrowed and must be
> generated off-card).
>
>> Can you comment on what fed users will need to do to use PIV cards with the
>> Mac?
>
> ... Install A PIV tokend that works? :)
>
> That's not the complete end of the story, however. Since the OS has
> crypto capabilities independent of your code, the OS needs to show FIPS
> 140 certification too (or, conversely, it needs to show that its
> crypto can be disabled--no crypto capabilities, no FIPS 140 certificate
> needed) but that's Apple's problem. In addition, Common Criteria
> certification is supposed to be required; that's Apple's problem too but
> I don't know status. Then there's certification and accreditation that
> needs to be accomplished; that's a site/org/agency issue.
>
> -- Tim