Re: Full Disk Encryption solutions selected for US Government use
At 02:11 +1300 09.10.2007, Peter Gutmann wrote: But if you build a FDE product with it you've got to get the entire product certified, not just the crypto component. I don't believe this to be the case. FIPS 140(-2) is about validating cryptographic implementations. It is not about certifying entire products that contain ample functionality well outside the scope of cryptographic evaluation. That's more of a Common Criteria thing. That said, one problem with selling FIPSed products to USG is that some auditors are sticklers for version numbers. They can require proof/repwarrant that the FIPSed version of the crypto is actually in use. Audit appeasement requirements frequently cause considerable annoyance to both vendors and the end user. At 14:04 +0100 08.10.2007, Ben Laurie wrote: ? OpenSSL has FIPS 140. OpenSSL FIPS Object Module 1.1.1 has FIPS 140-2 when running on SUSE 9.0 and HPUX 11i, according to http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2007.htm#733 In the context of a conversation about whether something formally has FIPS validation or not, the details are important. Back to the original question... At 11:27 + 08.10.2007, Steven M. Bellovin wrote: Out of curiousity, are any open source FDE products being evaluated? As far as I recall, none such were submitted for consideration. Bear in mind that the process isn't just about software, but that a commercial entity submits both a product that meets the list of capability checkboxes, and that the entity itself is viable and can provide support and the like. s. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: German Government Skype interception methods leaked...
At 10:24 -0500 26.01.2008, Perry E. Metzger wrote: Wikileaks has released documents from the German police revealing Skype interception technology. The leaks are currently creating a storm in the German press[...] I've skimmed some of the coverage and I can't help but think that this is being hyped in large part because Skype is mentioned. What's being described seems to require running DigiTask's code on an endpoint. If you're installed on the machine anyway, rather than grabbing packets on the wire, all you'd need to do is get the data -- eg by inserting yourself into standard OS audio and HID APIs -- before Skype's code processes it. Such an approach would never have to deal with encrypted bits, and really has nothing to do with Skype at all. NB also that unless they've implemented specific countermeasures in the mean time, Skype remains vulnerable to traffic analysis, cf. http://arstechnica.com/news.ars/post/20060824-7582.html. s. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Skein announced
The Skein team has announced its submission to the NIST hash competition: http://www.schneier.com/skein.html s. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Judge orders defendant to decrypt PGP-protected laptop
At 13:08 -0500 03.03.2009, Adam Fields wrote: When compelled to give out your password Unless I'm misunderstanding the ruling, Boucher is not being compelled to produce his passphrase (like he could under RIPA Section 49 in the UK), but he is being told to produce the unencrypted contents of the drive. Assuming I'm interpreting the ruling correctly, this seems little different than a judge approving a search warrant for a residence, whose execution could produce incriminating evidence that is usable in court. There is a chasm of difference between being compelled to produce keys, which could be subsequently reused with other encrypted material, and being compelled to produce specific unencrypted data, which is much more narrowly scoped and therefore less intrusive. s. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
Re: UK Prime Minister apologizes for Alan Turing's mistreatment.
At 21:33 -0400 10.09.2009, Perry E. Metzger wrote: Not strictly about crypto, but certainly about a very famous cryptanalyst. http://news.bbc.co.uk/2/hi/technology/8249792.stm The actual statement is here: http://www.number10.gov.uk/Page20571 s. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com