At 8:15 PM -0500 12/21/06, Saqib Ali wrote:
>> Assuming that the two products use Internet protocols (as compared to
>> proprietary protocols):

> I don't understand this statement. What do you mean by internet
> protocol vs proprietary protocol???

Now seeing what your company does, I can see where you might have that question. An overly-simple but sufficient answer comes from whether or not you need to be able to interoperate with other vendors over a non-secured network. If so, call it an "internet protocol". In your case (local disk encryption), it is fine to be proprietary.

> And also we are looking at FDE solutions, so there are no internet
> protocols involved in that.

Right.

>> no. Probably the only thing that could
>> differentiate the two is if the cheaper one has a crappy random
>> number generator, the more expensive one will have a good one.

> well I think FIPS 140-2 Level 1 ensures more than just a good PRNG.
> Even if a public crypto (e.g. AES) is used in a product, there are
> many mistakes that can be made during the implementation.

... and essentially all of those mistakes are caught by even mild interop testing. Again, this is not valid in your case. You could completely mis-implement AES and never know it, but a FIPS 140-2 test would find that.

> And FIPS
> 140-2 Level 1 is expected to catch these egregious mistakes.

You can catch such mistakes for a lot less money than it will cost for a FIPS certificate. Assuming that you are using a standard encryption algorithm like AES, there are probably a dozen people on this mailing list who could sanity check your product's implementation of AES (and probably even of key storage) in less than 50 hours of consulting time,

--Paul Hoffman, Director
--VPN Consortium
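The sanity check Paul describes (verifying that a product's AES is actually AES, not something that merely round-trips with its own decryptor) is a known-answer test: feed the cipher a published key/plaintext pair and compare against the published ciphertext. The following is an added illustration, not code from this thread or from any product discussed in it. It contains a small pure-Python AES-128 reference (written here for the example, not a library you would deploy), the FIPS-197 Appendix C.1 test vector, a KAT harness that takes any candidate block-encryption function, and a deliberately broken variant with an off-by-one in the round count to show that the harness detects it. The function names are the example's own.

```python
# Added example: known-answer testing of an AES-128 block encryption.
# The reference cipher below is a compact, unoptimised implementation
# written for this illustration only; treat it as a test oracle, not as
# production crypto.

def _gen_sbox():
    """Build the AES S-box from GF(2^8) inverses plus the affine map."""
    sbox = [0] * 256
    p = q = 1                       # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1b if p & 0x80 else 0)) & 0xff   # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xff         # q /= 3
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)         # rotations
        sbox[p] = ((x ^ (x >> 8)) ^ 0x63) & 0xff                 # affine map
        if p == 1:
            break
    sbox[0] = 0x63                  # 0 has no inverse; defined separately
    return sbox

SBOX = _gen_sbox()

def _xtime(a):
    """Multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x1b) & 0xff if a & 0x100 else a

def _mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r

def _expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes each."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

# State is held as 16 bytes in FIPS-197 column-major order: s[r + 4c].
def _sub_bytes(s):
    return [SBOX[b] for b in s]

def _shift_rows(s):
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def _mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [_mul(a[0], 2) ^ _mul(a[1], 3) ^ a[2] ^ a[3],
                a[0] ^ _mul(a[1], 2) ^ _mul(a[2], 3) ^ a[3],
                a[0] ^ a[1] ^ _mul(a[2], 2) ^ _mul(a[3], 3),
                _mul(a[0], 3) ^ a[1] ^ a[2] ^ _mul(a[3], 2)]
    return out

def _encrypt(key, block, rounds):
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, rounds):
        s = _mix_columns(_shift_rows(_sub_bytes(s)))
        s = [b ^ k for b, k in zip(s, rk[rnd])]
    s = _shift_rows(_sub_bytes(s))                   # final round: no MixColumns
    return bytes(b ^ k for b, k in zip(s, rk[rounds]))

def aes128_encrypt_block(key, block):
    """Correct AES-128: 10 rounds."""
    return _encrypt(key, block, 10)

def broken_aes128_encrypt_block(key, block):
    """A plausible bug: an off-by-one that runs only 9 rounds. It still
    'encrypts', and would round-trip with a matching broken decryptor."""
    return _encrypt(key, block, 9)

# FIPS-197 Appendix C.1 known-answer vector (AES-128).
FIPS197_C1 = {
    "key": bytes.fromhex("000102030405060708090a0b0c0d0e0f"),
    "plaintext": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "ciphertext": bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a"),
}

def run_kat(encrypt, vectors=(FIPS197_C1,)):
    """Run each known-answer vector through `encrypt`; return a list of
    (expected, actual) hex pairs for every mismatch. Empty list == pass."""
    failures = []
    for v in vectors:
        got = encrypt(v["key"], v["plaintext"])
        if got != v["ciphertext"]:
            failures.append((v["ciphertext"].hex(), got.hex()))
    return failures

if __name__ == "__main__":
    print("reference:", "PASS" if not run_kat(aes128_encrypt_block) else "FAIL")
    print("off-by-one:", run_kat(broken_aes128_encrypt_block))
```

The point of the harness is the argument in the message above: an implementation that only ever talks to itself can be wrong in ways that a round-trip test never reveals, whereas a single published vector pins the cipher to the standard. In practice you would feed it the full set of NIST vectors (and, for a disk-encryption product, vectors for the mode of operation as well), but the mechanism is the same.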

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
