Re: [Fed-Talk] The Joys of FIPS
Re: [Fed-Talk] The Joys of FIPS
- Subject: Re: [Fed-Talk] The Joys of FIPS
- From: "Shawn A. Geddis" <email@hidden>
- Date: Fri, 20 Sep 2013 11:12:55 -0700
On Sep 19, 2013, at 5:23 PM, Todd Heberlein < email@hidden> wrote: Somewhat outside of Apple’s wheelhouse, but lots of emails have come across this list discussing Apple getting FIPS approval. I thought that made this article somewhat interesting. Maybe FIPS will be seen as a drawback now for some Apple markets (like Apple’s 2nd biggest market). :-\
(NOTE: As far as I know, the so-called “backdoor” is still only hypothetical)
(NOTE 2: I added the underline in the quote below)
Stop using NSA-influenced code in our products, RSA tells customers
Officials from RSA Security are advising customers of the company's BSAFE toolkit and Data Protection Manager to stop using a crucial cryptography component in the products that was recently revealed to contain a backdoor engineered by the National Security Agency.
The BSAFE library is used to implement cryptographic functions into products, including at least some versions of the McAfee Firewall Enterprise Control Center, according to NIST certifications.
McAfee representatives issued a statement that confirmed the McAfee Firewall Enterprise Control Center 5.3.1 supported the Dual_EC_DRBG, but only when deployed in federal government or government contractor customer environments, where this FIPS certification has recommended it.
Todd,
What is the connection you are retrying to draw with respect to Apple’s Cryptography and FIPS 140-2 Module Validation ? The modules neither use BSAFE nor Dual_EC_DRBG and none of the source code was influenced by any government agency.
- Shawn ________________________________________ Shawn Geddis Security Consulting Engineer Apple Enterprise Division
|
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden