First, I want to say this is an impressive library and it is obvious you
have put a phenomenal amount of work into it, and I greatly appreciate your
willingness to share what you have done!

As for the "Security Policy" document, I will need to make several
modifications to support differences in hardware and operating system.  This
would be easier with an editable version.

Thanks for the help.

-Philip

-----Original Message-----
From: Wei Dai [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 22, 2004 10:32 PM
To: [EMAIL PROTECTED]
Subject: Re: FIPS 140-2 certification under Linux running on a XScale

On Mon, Nov 22, 2004 at 11:31:39AM -0600, Philip Vickery wrote:
> 1.  It is my understanding the Crypto++ library can be compiled on
> platforms that support gcc?

Yes.

> 2. The FIPS 140-2 certified version of the Crypto++ library is only
> available as a DLL on Windows 2K or similar operating systems that can
> execute the same binary code?

Yes.

> 3.  How much am I leaving out or not grasping in the following sequence of
> steps to get certification:
>       a. Cross-compile the Crypto++ library with gcc-arm for the XScale
>               (Allocate a couple of days to glance over the code, and a
>                day to get it built -- I am familiar with cross-compilation
>                to the ARM so that is not a problem)
> 
>       b. Verify the self-tests are up to date
>               (A week to read the FIPS tests and compare to the code)

I'm updating the tests now for the current ongoing FIPS validation (also
Windows DLL), and will check in as soon as the last test is done, which
should be any day now.

>       c. Run the self-tests with the current test data
>               (If all goes well, a day or two)
> 
>       d. Submit for validation and certification
>               (no idea how long this takes)

This takes several months, but then there is a wait for NIST to respond to
the test lab's report, which may take much longer depending on the queue 
length at NIST. However at that point your validation will show up as "In 
Review" on NIST's web page, which may be sufficient to satisfy your 
customers.

> 4.  It sounds like a lot of documentation is needed: design, state tables,
> assumptions...  Can I use the same documentation that Crypto++ Library
> used?  If so where do I find it?

It's available at NIST's web site if you follow the FIPS certificate link
from the Crypto++ home page. I can also send you a Word version if you 
want one to edit from.

> 5.  What test facility was used?  Would it be advantageous for me to use
> the same testing facility?

We're using CygnaCom. Using the same testing facility may save you time 
and money, but you should probably get another quote from someone else to 
compare.

> 6.  Are there problems with using a static library?  (Is this about the
> single user, Level 1 stuff?)

Last time we tried with a static library but it was rejected by NIST.  
OpenSSL is trying to go even further and get source code validated, but
CygnaCom told us that NIST is likely to reject it as well. The issue 
apparently is that with a static library there is no well defined 
cryptographic boundary.

> 7.  Would I provide hardware with the software embedded in it for the
> testing, or just the binary Crypto++ library?  I doubt a test facility
> will support the OS (Linux on an ARM XScale) that I am using, suggesting
> that hardware certification with the software library may be the way to go.

You should talk to the testing lab about this, but I don't see why a 
testing lab would not support your OS.

