Re: [Fed-Talk] BlueTooth and FIPS (was: iOS 6 STIG)
- Subject: Re: [Fed-Talk] BlueTooth and FIPS (was: iOS 6 STIG)
- From: Jeffrey Walton <email@hidden>
- Date: Wed, 31 Oct 2012 16:05:21 -0400
> So could bluetooth crypto be certified NIST FIPS 140-2 compliant? Sure. Is
> any implementation?
Ah, here's where the confusion lies (for me). BlueTooth proper is a
set of specifications and implemented in hardware. Those
specifications include frequencies, spectrum use, data rates,
pairings, and even some public key stuff. From my minimal reading into
pairings and public key, the "specification proper" will never be able
to achieve FIPS. It's kind of like pondering if GSM or CDMA can be
FIPS.
Applications running over BlueTooth are a different story. For those
applications, BlueTooth is just another medium like Cellular, Ethernet
and WiFi.
Off topic: I just got an Ubertooth One
(http://ubertooth.sourceforge.net/hardware/one/). It's open source
hardware and allows you to do all kinds of interesting things over
BlueTooth. A few phones I have tested are not as resilient as I
expected. As Chum Lee says, "Awesome".
Jeff
On Wed, Oct 31, 2012 at 3:25 PM, William Cerniuk <email@hidden> wrote:
> Remember, we are talking about certification of cryptology, not COTS
> products. NIST (chime in here please if want) is not certifying the apps or
> the technology that uses the cryptology, just the crypto module that
> implements the cryptology. Think of the certification process as directed at
> a chip with inputs and outputs, a black box. NIST certified to FIPS 140-2
> is for the inside of the black box. The 'chip' can be hardware, firmware or
> software.
>
> BlueTooth has had NIST FIPS 140-2 compliant crypto for a long time with AES.
> Note that I said "compliant" and not "certified compliant". Huge
> difference. NIST provides the diploma (certification). Like having a
> degree, you can take all the classes but if you don't take the tests, you
> don't get your degree.
>
> So could bluetooth crypto be certified NIST FIPS 140-2 compliant? Sure. Is
> any implementation? Not aware of one, have not looked today :-).
>
> Now here is the kicker. (Shawn, correct me if I'm wrong). With the new
> comprehensive and consolidated crypto system under Lion & iOS 6, BlueTooth
> on either iOS or Lion may actually be achieving its certification right
> now. Shawn could answer that off the top of his head I wager. (and I
> suspect the answer is "the crypto module that bluetooth uses is included"
> but don't quote me.)
>
> --
> R/Wm.
>
> Ref
> Apple's current status on certification of Mac OS X and iOS Crypto
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf
> NIST Cryptographic Module Certification Program
> http://csrc.nist.gov/groups/STM/cmvp/index.html
> NIST Stages of Certification Defined
> http://csrc.nist.gov/groups/STM/cmvp/inprocess.html
>
>
> On Oct 31, 2012, at 2:58 PM, Jeffrey Walton <email@hidden> wrote:
>
> Hi William,
>
> On Wed, Oct 31, 2012 at 1:17 PM, William Cerniuk <email@hidden> wrote:
>
> This should really address the three modes of tethering:
> 1 - USB
> 2 - BlueTooth
> 3 - Hotspot
>
> but still contradictory concur. 2.13 presumes bluetooth perhaps (?) but
> ignores the issue that BT crypto on iOS is not NIST certified (for the
> moment) encryption.
>
> Can BlueTooth ever be FIPS certified? BT pairing does not meet
> security levels we have in customary key exchange/agreement. In
> addition, BT 2.1 added public key (IIRC), but it's non-authenticated.
>
> Forgive my ignorance. I generally keep BlueTooth shutdown.
>
> [SNIP]