Security Basics mailing list archives
FIPS 140-x validation
From: William Kupersanin <kuper () Glue umd edu>
Date: Wed, 24 Mar 2004 19:43:58 -0500 (EST)
Hi, I am wondering if there are other government types on this list that are working to comply with FIPS 140-2 and how it impacts them. As it has been presented at my workplace, nothing using cryptography can be purchased and used unless it (or the cryptographic module within) has been validated to FIPS 140-1 or 140-2 by NIST. I must misunderstand the mandate. It's bad enough that openSSL hasn't been validated yet so Apache and openSSH are no-go's, but most of the hashing algorithms used to hash passwords in the various operating systems aren't even compliant. It was suggested to me that I could look to commercial libraries to replace crypt with something that is validated but AFAIK that means replacing libc on some systems. I'm not comfortable with that. Does anyone have any perspective on how FIPS 140-x compliance might actually work?

Thanks!