Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-15 Thread Thor Lancelot Simon
On Mon, Sep 15, 2003 at 12:57:55PM -0400, Wei Dai wrote:
 
 I think I may have found such a written guidance myself. It's guidance 
 G.5, dated 8/6/2003, in the latest Implementation Guidance for FIPS 
 140-2 on NIST's web site: 
 http://csrc.nist.gov/cryptval/140-1/FIPS1402IG.pdf. This section seems 
 especially relevant:
 
 For level 1 Operational Environment, the software cryptographic module 
 will remain compliant with the FIPS 140-2 validation when operating on 
 any general purpose computer (GPC) provided that: 
 
 a. the GPC uses the specified single user operating system/mode 
 specified on the validation certificate, or another compatible single 
 user operating system, and 
 
 b. the source code of the software cryptographic module does not 
 require modification prior to recompilation to allow porting to another 
 compatible single user operating system.
 (end quote)
 
 The key word here must be recompilation. The language in an earlier 

Unfortunately, another key set of words is single user.  This would seem
to significantly limit the value of a software-only certification...


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-09 Thread Peter Gutmann
Rich Salz [EMAIL PROTECTED] writes:

Sure, that's why it's *the first.*  They have never done this before, and it
is very different to how they (or their Ft Meade experts) have done things
before.  I suppose one could argue that they're doing this for Level 1 to
increase the industry demand for Level 2, but I'm not that paranoid.  I think
they finally get it.

I think this uniquely broad certification, if permitted, would be mostly a
sign that the politicians have finally won out over the certification purists.
Let me explain... it's been known for a long time (at least from talking to
evaluators, I don't know if NIST will admit to it) that there's large-scale
use of unevaluated crypto going on, with the FIPS eval requirement being
ignored by USG agencies, contractors, etc etc whenever it gets in the way of
them getting their job done.  If NIST allow this extremely broad
certification, it'd be a sign that they're following the Calvin and Hobbes
recipe for success: The secret to [success] is to lower your expectations to
the point where they're already met.  In other words the unevaluated crypto
problem (or a major part of it) suddenly goes away, and it's possible to
report that the certification effort has been wonderfully successful, because
a large portion of the noncompliant usage is (at least on paper) magically
made compliant overnight.

The only potential downside to this is that a pile of vendors who previously
got a very narrowly-interpreted certification will presumably be queueing up
to do the I'll have what she's having thing as soon as an open-ended
certification is issued.

As with others who have commented on this, I'm going to believe this when I
see it.

Peter.


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-08 Thread Tolga Acar
On a second thought, that there is no key management algorithm 
certified, how would one set up a SSL connection in FIPS mode?

It seems to me that, it is not possible to have a FIPS 140 certified 
SSL/TLS session using the OpenSSL's certification.

- Tolga

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-08 Thread Thor Lancelot Simon
On Mon, Sep 08, 2003 at 10:49:02AM -0600, Tolga Acar wrote:
 On a second thought, that there is no key management algorithm 
 certified, how would one set up a SSL connection in FIPS mode?
 
 It seems to me that, it is not possible to have a FIPS 140 certified 
 SSL/TLS session using the OpenSSL's certification.

SSL's not certifiable, period.

TLS has been held to be certifiable, and products using TLS have been
certified.  However, it's necessary to disable any use of MD5 in the
certificate validation path.  When I had a version of OpenSSL certified
for use in a product at my former employer, I had to whack the OpenSSL
source to throw an error if in FIPS mode and any part of the certificate
validation path called the MD5 functions.  Perhaps this has been done
in the version currently undergoing certification.  You'll also need
certificates that use SHA1 as the signing algorithm, which some public
CAs cannot provide (though most can, and will if the certificate request
itself uses SHA1 as the signing algorithm).

The use of MD5 in the TLS protocol itself is okay, because it is always
used in combination with SHA1 in the PRF.  We got explicit guidance from
NIST on this issue.

Thor

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-06 Thread Wei Dai
On Fri, Sep 05, 2003 at 04:15:22PM -0400, Anton Stiglic wrote:
 You are correct, I just saw Crypto++ in the list of FIPS 140 validated 
 modules:
 http://csrc.nist.gov/cryptval/140-1/140val-all.htm
 It is the latest entry, added today.
 Congratulations to Wei Dai!

Thanks! Also thanks to Groove Networks (the company I work for) for 
spending the money to do the validation.

 OpenSSL`s *source code* being evaluated remains exiting.

If OpenSSL source code gets validated, I'm going to be very surprised. 
NIST told us in no uncertain terms that only compiled executable code 
could be validated. In fact they wouldn't even validate Crypto++ as a 
static library despite an earlier verbal agreement that a static 
library was ok. It had to be turned into a DLL at the last moment (i.e. 
during the review phase).

(We wanted to avoid making a DLL from Crypto++ since it has so many 
algorithms. With a static library the linker would only bring in the 
algorithms you use, but a DLL has to contain a pre-selected set of 
algorithms. I ended up putting only FIPS Approved algorithms in the 
DLL, and made a second static library that contains only 
non-Approved algorithms, so that both could be used together.)

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-06 Thread Tolga Acar
Joshua Hill wrote:

On Fri, Sep 05, 2003 at 04:05:07PM -0400, Rich Salz wrote:
 

It is the first *source code* certification.
   

The ability to do this runs counter to my understanding of FIPS 140-2.

. and to experiences with the previous FIPS 140-1 certifications I was 
involved in, including a fairly recent communication from NIST that 
defines a crypto module: it is not a statically linked library, and 
that it ought to be an executable or a shared library (so,dll).

Second, it is unclear to me what would be tested during operational
testing.  The source code can't itself be a module, because the source
code doesn't do anything until it is compiled and run. FIPS 140-2
currently only allows for fully functional units to be modules; you'll
note, for instance, that FIPS certs for software modules are listed as
a multi-chip standalone embodiment, for instance.  NIST was talking
about producing documents that would support a true software only
embodiment, but that initiative seems to have stalled with the change
of directors of the CMVP (the NIST group that issues FIPS 140-2 certs).
Can you say that the C/asm source code is the code that constitutes a 
module, and define compiler/linker/OS/CPU as your execution 
environment for FIPS 140 purposes? Think Java, for instance.
I realize this is stretching too thin. and can think of lots of reasons 
why it can't be. But...

Third, nominally, the FIPS certificate only applies to the particular
operating system (and OS version) that the operational testing was
done on.  For level 1 modules, NIST has historically allowed OSes in
the same family to also be covered, and they have been very liberal
in their definition of family.
I have seen evidences that this restriction has become exceptionally 
loose, and that the family can be as broad as UNIX-like systems...

- Tolga



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-06 Thread Joshua Hill
On Fri, Sep 05, 2003 at 06:02:10PM -0400, Wei Dai wrote:
 In fact they wouldn't even validate Crypto++ as a 
 static library despite an earlier verbal agreement that a static 
 library was ok. It had to be turned into a DLL at the last moment (i.e. 
 during the review phase).

That's unfortunate.  The answer as to the static vs dynamic library issue
seems to vary according to who at NIST reviews the report.  I've never
understood NIST's general objection to static libraries.

 (We wanted to avoid making a DLL from Crypto++ since it has so many 
 algorithms. With a static library the linker would only bring in the 
 algorithms you use, but a DLL has to contain a pre-selected set of 
 algorithms. I ended up putting only FIPS Approved algorithms in the 
 DLL, and made a second static library that contains only 
 non-Approved algorithms, so that both could be used together.)

So, having said that, I can say that pulling out bits of the evaluated
module won't fly.  All of it would have to go in, or none of it.  Further,
the module needs to have some way of checking its authenticity (for the
operating environment area requirements) and its integrity on power up.
As such, you'll either need to be able to locate the module within
the resulting executable, or verify the entire resulting executable.

Josh


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-06 Thread Rich Salz
 On Fri, Sep 05, 2003 at 04:05:07PM -0400, Rich Salz wrote:
  It is the first *source code* certification.

 The ability to do this runs counter to my understanding of FIPS 140-2.

Sure, that's why it's *the first.*  They have never done this before,
and it is very different to how they (or their Ft Meade experts) have
done things before.  I suppose one could argue that they're doing
this for Level 1 to increase the industry demand for Level 2,
but I'm not that paranoid.  I think they finally get it.   Also,
while I don't know anything beyond what's in the public email, but
based on the initial refeference platform I'll jump to some conclusions
about who's involved, and they're folks with a great deal of credibility,
experience, and influence in export and govt crypto issues.

Anyhow, if you are interested in details, read the articles (3 at
last check) in the thread from the original URL I posted.  You did
read before posting, right? :)
/r$

--
Rich Salz  Chief Security Architect
DataPower Technology   http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-06 Thread Ben Laurie
Joshua Hill wrote:

 On Fri, Sep 05, 2003 at 06:02:10PM -0400, Wei Dai wrote:
 
In fact they wouldn't even validate Crypto++ as a 
static library despite an earlier verbal agreement that a static 
library was ok. It had to be turned into a DLL at the last moment (i.e. 
during the review phase).
 
 
 That's unfortunate.  The answer as to the static vs dynamic library issue
 seems to vary according to who at NIST reviews the report.  I've never
 understood NIST's general objection to static libraries.
 
 
(We wanted to avoid making a DLL from Crypto++ since it has so many 
algorithms. With a static library the linker would only bring in the 
algorithms you use, but a DLL has to contain a pre-selected set of 
algorithms. I ended up putting only FIPS Approved algorithms in the 
DLL, and made a second static library that contains only 
non-Approved algorithms, so that both could be used together.)
 
 
 So, having said that, I can say that pulling out bits of the evaluated
 module won't fly.  All of it would have to go in, or none of it.  Further,
 the module needs to have some way of checking its authenticity (for the
 operating environment area requirements) and its integrity on power up.
 As such, you'll either need to be able to locate the module within
 the resulting executable, or verify the entire resulting executable.

I disagree. OpenSSL has a check of authenticity that works with static
libraries and linking only some of the module. I'll shout to this list
when I've written down exactly how the process works (or you can look at
CVS, coz I checked it in this afternoon [err, I think, I had some weird
problems with CVS later, so perhaps waiting a little might be advised]).

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-06 Thread Ben Laurie
Wei Dai wrote:

 On Fri, Sep 05, 2003 at 04:15:22PM -0400, Anton Stiglic wrote:
 
You are correct, I just saw Crypto++ in the list of FIPS 140 validated 
modules:
http://csrc.nist.gov/cryptval/140-1/140val-all.htm
It is the latest entry, added today.
Congratulations to Wei Dai!
 
 
 Thanks! Also thanks to Groove Networks (the company I work for) for 
 spending the money to do the validation.
 
 
OpenSSL`s *source code* being evaluated remains exiting.
 
 
 If OpenSSL source code gets validated, I'm going to be very surprised.

Prepare to be very surprised, then.

 NIST told us in no uncertain terms that only compiled executable code 
 could be validated. In fact they wouldn't even validate Crypto++ as a 
 static library despite an earlier verbal agreement that a static 
 library was ok. It had to be turned into a DLL at the last moment (i.e. 
 during the review phase).

This is all good fun, coz I'm mandating static libraries for OpenSSL, so
that the evidential chain can be maintained (its hard to find a DSO in a
cross-platform manner so you can checksum it).

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff



-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-05 Thread Anton Stiglic
Really exiting news.  If I'm not mistaken, this would be the first free,
open-source,
crypto library that has FIPS 140 module certification!  Other free
open-source
libraries have algorithms that have been FIPS 140 certified, but the whole
module
hasn't been certified (exemple Cryptlib and Crypto++).

And OpenSSL crypto module runs on all kinds of platforms.  Really nice!

--Anton


- Original Message - 
From: Rich Salz [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, September 05, 2003 10:50 AM
Subject: OpenSSL *source* to get FIPS 140-2 Level 1 certification


 This is termendously exciting.  For the first time ever, NIST will be
 certifying a FIPS 140 implementation based on the source code.  As long
 as the pedigree of the source is tracked, and checked at run-time,
 then applications can claim FIPS certification.

 For details:

http://groups.google.com/groups?dq=hl=enlr=ie=UTF-8threadm=bj9mos%242tbt%241%40FreeBSD.csie.NCTU.edu.twprev=/groups%3Fgroup%3Dmailing.openssl.users

 /r$
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: OpenSSL *source* to get FIPS 140-2 Level 1 certification

2003-09-05 Thread Joshua Hill
On Fri, Sep 05, 2003 at 01:32:21PM -0400, Anton Stiglic wrote:
 If I'm not mistaken, this would be the first free,
 open-source, crypto library that has FIPS 140 module certification!  

I believe that this is incorrect.  

The two open-source projects that I'm aware of that have FIPS 140 certs
are The Crypto++ Library, (cert 343, issued today) and The Mozilla
project's NSS, which was certified by SUN under FIPS 140-1, levels 1
and 2.  (certs 247 and 248).

Josh

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]