William, I know you'll be reading Shawn's response but your initial email announced information that was several months old. The website you found was simply a holding spot for tracking the approval status of encryption algorithms. That is important information to know. As for the time it takes for FIPS certification, that all depends on how well prepared the company is in delivering information to the Lab doing the testing. You can use statistics to come up with a mean approval time but it also has a lot to do with the original request. Requests for approval of very simple mechanisms can go faster while something like Apple (OSX) FIPS certification is a much more involved process because the number of algorithms used is much more. The original Apple FIPS certification included more than a dozen (can't remember the exact number) algorithms combined into one huge module while, again if I remember correctly, the iPhone module is much smaller and uses far fewer encryption algorithms, therefore, the hope is it will receive FIPS certification quicker. Of course, we're talking about a government process so all bets are off......
On Oct 10, 2011, at 8:01 AM, Mr. William G. Cerniuk wrote:

Not clear as to the intent of providing this information as algorithms are not products which can be used in the real world once certified. Cryptographic modules use these algorithms … but until the module using the algorithm is certified, the knowledge that the 'idea' or algorithm being used in the module is of dubious value. This is like certifying the tread design on a tire while the tire remains uncertified and unusable until the tire itself is certified for use on the highway.
For racing fans, there may be value. It perhaps announces that the certification of the cryptographic module is closer to the potential finish line. Looking at the time between when an algorithm is certified to when the containing module is certified gives an idea of the range of time it takes to get the module (tire) on the 'information super highway' once the algorithm (tread design) is certified.
For example, see on the algorithm certification page #1400, "Apple FIPS Cryptographic Module Version 1.0" The algorithm was certified 6/14/2010. Then cross reference the FIPS certification #1514 for "Apple FIPS Cryptographic Module Version 1.0" certified on 03/09/2011. (links below) This is roughly 9 months from certification of the algorithm to certification of the module. The period between algorithm cert to module cert seems to be between 5 months to 11 months based upon a random sampling.
Random Samples
- PGP, algorithm cert #1170 on 9/15/2009, module cert #1325 on 06/22/2010, 9 months.
- Kingston Memory, algorithm cert #1191 on 10/9/2009, module cert # 1306 on 06/01/2010, 9 months.
- G4S Technology algorithm cert # 1314 on 4/13/2010, module cert # 1407 on 09/15/2010, 5 months.
- SafeNet algorithm cert #1315 on 4/13/2010, module cert #1498 on 04/01/2011, 11 months.
- Patrick Townsend Security Solutions algorithm cert #1338 on 5/10/2010, module cert #1449 on 11/15/2010, 7 months.
Algorithm Certification
Cryptographic Module Certification (the 140-2 cert)
Given that it is published by NIST leads one to believe that the algorithm certification list is an authoritative answer to something… just not clear as to what.
(my 13 yr old daughter, who was interested for some strange reason, offers it is for 'punking' people… government humor? :-D )
Best, Wm. Cerniuk
On Oct 7, 2011, at 10:13 PM, Rowland, Carolyn D. wrote:
You are correct. Algorithm validation and cryptographic module validation are separate. To be "FIPS 140-2 validated", it must be the cryptographic module that is certified.
So we wait a while longer...
Carolyn (I'm not associated with the cryptographic module validation program at NIST)
--
Carolyn Rowland
Computer Scientist, NIST
Not so fast. These algorithms were validated on 6/7/2011. This doesn't mean they have FIPS approval, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf http://csrc.nist.gov/groups/STM/cmvp/inprocess.html. Shawn might expand on this but from what I remember him telling me, the algorithms are the first step. The next step is incorporating all of them into the iOS package and getting approval for everything.
If you review the link I sent, you'll see that iPad and iPhone FIPS cryptographic module has been rejoined by Apple FIPS cryptographic module. Hopefully this means the new module for Lion has been submitted for approval.
On Oct 7, 2011, at 5:53 PM, William Cerniuk wrote:
Peter Link Cyber Security Analyst Cyber Security Program Lawrence Livermore National Laboratory PO Box 808, L-315 Livermore, CA 94550 email@hidden
The contents of this message are mine personally and do not reflect the views or position of the U.S. Department of Energy, Federal Government, National Nuclear Security Administration, Lawrence Livermore National Security, or Lawrence Livermore National Laboratory.