Re: How important is FIPS 140-2 Level 1 cert?

2006-12-22 Thread Paul Hoffman

At 11:25 AM -0500 12/21/06, Saqib Ali wrote:

> I would like to know how much weight people usually give to the FIPS
> 140-2 Level 1 certification.


US federal agencies are supposed to require that certification for 
any system they buy that uses crypto.


Sometimes, US state agencies require it as well.

Sometimes, clueless corporations require it because it has the word 
certification in it and, well, if it's good enough for the feds, it 
should be good enough for everyone.



> If two products have exactly same feature set, but one is FIPS 140-2
> Level 1 certified but cost twice. Would you go for it, considering the
> Level 1 is the lowest.


Assuming that the two products use Internet protocols (as compared to 
proprietary protocols): no. Probably the only thing that could 
differentiate the two is if the cheaper one has a crappy random 
number generator, the more expensive one will have a good one.


--Paul Hoffman, Director
--VPN Consortium

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: How important is FIPS 140-2 Level 1 cert?

2006-12-22 Thread Saqib Ali

> Assuming that the two products use Internet protocols (as compared to
> proprietary protocols):


I don't understand this statement. What do you mean by internet
protocol vs proprietary protocol???

And also we are looking at FDE solutions, so there are no internet
protocols involved in that.


> no. Probably the only thing that could
> differentiate the two is if the cheaper one has a crappy random
> number generator, the more expensive one will have a good one.


well I think FIPS 140-2 Level 1 ensures more than just a good PRNG.
Even if a public crypto (e.g. AES) is used in a product, there are
many mistakes that can be made during the implementation. And FIPS
140-2 Level 1 is expected to catch these egregious mistakes.

saqib
http://www.full-disk-encryption.net



Re: How important is FIPS 140-2 Level 1 cert?

2006-12-22 Thread Paul Hoffman

At 8:15 PM -0500 12/21/06, Saqib Ali wrote:

>> Assuming that the two products use Internet protocols (as compared to
>> proprietary protocols):
>
> I don't understand this statement. What do you mean by internet
> protocol vs proprietary protocol???


Now seeing what your company does, I can see where you might have 
that question. An overly-simple but sufficient answer comes from 
whether or not you need to be able to interoperate with other vendors 
over a non-secured network. If so, call it an internet protocol. In 
your case (local disk encryption), it is fine to be proprietary.



> And also we are looking at FDE solutions, so there are no internet
> protocols involved in that.


Right.


>> no. Probably the only thing that could
>> differentiate the two is if the cheaper one has a crappy random
>> number generator, the more expensive one will have a good one.
>
> well I think FIPS 140-2 Level 1 ensures more than just a good PRNG.
> Even if a public crypto (e.g. AES) is used in a product, there are
> many mistakes that can be made during the implementation.


... and essentially all of those mistakes are caught by even mild 
interop testing. Again, this is not valid in your case. You could 
completely mis-implement AES and never know it, but a FIPS 140-2 test 
would find that.



> And FIPS
> 140-2 Level 1 is expected to catch these egregious mistakes.


You can catch such mistakes for a lot less money than it will cost 
for a FIPS certificate. Assuming that you are using a standard 
encryption algorithm like AES, there are probably a dozen people on 
this mailing list who could sanity check your product's 
implementation of AES (and probably even of key storage) in less than 
50 hours of consulting time,


--Paul Hoffman, Director
--VPN Consortium



Re: gang uses crypto to hide identity theft databases

2006-12-22 Thread Peter Gutmann
Jim Gellman [EMAIL PROTECTED] writes:
> Well this just sucks if you ask me.
>> According to the Crown Prosecution Service (CPS), which confirmed that
>> Kostap had activated the encryption after being arrested, it would
>> have taken 400 computers twelve years to crack the code.
> Scales linearly, right?  4,800 computers'll get it in a year?

I don't think you can even apply that much analysis to it.  How exactly did
they come up with such a figure in the first place?  400 *what* computers?
TRS-80's?  Cray XT4's?  Does the encryption software come with a disclaimer
saying if you forget your password, it'll take 400 computers 12 years to
recover your data?  With that level of CPU power it sounds like it'd be
something at the level of brute-forcing a 56-bit DES key (using a software-
only approach), which sounds like an odd algorithm to use if it's current
crypto software.  It sounds more like a quote for the media (or, more likely,
misreporting) than any real estimate of the effort involved.

Peter.



Re: How important is FIPS 140-2 Level 1 cert?

2006-12-22 Thread Perry E. Metzger

[I was asked to forward this anonymously. --Perry]

From: [Name Withheld]
To: cryptography@metzdowd.com
Subject: Re: How important is FIPS 140-2 Level 1 cert?

Paul Hoffman [EMAIL PROTECTED] wrote:

> At 11:25 AM -0500 12/21/06, Saqib Ali wrote:
>> If two products have exactly same feature set, but one is FIPS 140-2
>> Level 1 certified but cost twice. Would you go for it, considering the
>> Level 1 is the lowest.
>
> Assuming that the two products use Internet protocols (as compared to
> proprietary protocols): no. Probably the only thing that could
> differentiate the two is if the cheaper one has a crappy random number
> generator, the more expensive one will have a good one.

Actually you can't even guarantee that because the FIPS 140 requirements
for the ANSI X9.17/X9.31 PRNG include a pile of oddball things that made
sense for the original X9.17 use (where it was assumed the only source
of entropy was a DES3 key embedded in secure hardware) but are severe
restrictions on current implementations. As a result a FIPS 140-certified
key generator will be worse than a well-designed non-FIPS-140
one because the FIPS requirements prevent you from doing several things
that would improve the functioning like injecting extra entropy into the
generator besides the DES3 key. In addition since no two eval labs can
agree on exactly what is and isn't OK here it's pretty much a crap-shoot
as to what you can get through. I've heard stories from different vendors
of Lab B disallowing something that had already been certified by Lab A
in a previous pass through the FIPS process.

In terms of its value, particularly for level 1, what it'll give you is
(1) protection from egregiously bad implementations (which a quick
source code check will do as well) and (2) the ability to sell to US
federal agencies. Beyond that I concur that 10 minutes of interop
testing with the standardised protocol of your choice (e.g. TLS, S/MIME,
IPsec) will give you more than FIPS 140 will since a run of TLS tests
much more of the crypto than FIPS 140 does.



Re: gang uses crypto to hide identity theft databases

2006-12-22 Thread Alex Alten
I'm curious as to why the cops didn't just pull the plugs right away.  It
would probably take a while (minutes, hours?) to encrypt any significant
amount of data.  Not to mention, where is the master key? The guy couldn't
have jumped up and typed in a pass phrase to generate it in handcuffs? Even
if it got erased, its image could be recovered from a disk or RAM.  My
understanding is that even tamperproof cards one can get keys from them
with the right equipment from the right folks.

- Alex

At 02:51 AM 12/23/2006 +1300, Peter Gutmann wrote:

> Jim Gellman [EMAIL PROTECTED] writes:
>> Well this just sucks if you ask me.
>>> According to the Crown Prosecution Service (CPS), which confirmed that
>>> Kostap had activated the encryption after being arrested, it would
>>> have taken 400 computers twelve years to crack the code.
>> Scales linearly, right?  4,800 computers'll get it in a year?
>
> I don't think you can even apply that much analysis to it.  How exactly did
> they come up with such a figure in the first place?  400 *what* computers?
> TRS-80's?  Cray XT4's?  Does the encryption software come with a disclaimer
> saying if you forget your password, it'll take 400 computers 12 years to
> recover your data?  With that level of CPU power it sounds like it'd be
> something at the level of brute-forcing a 56-bit DES key (using a software-
> only approach), which sounds like an odd algorithm to use if it's current
> crypto software.  It sounds more like a quote for the media (or, more likely,
> misreporting) than any real estimate of the effort involved.
>
> Peter.



--

Alex Alten
[EMAIL PROTECTED]


