Dailydave mailing list archives

Re: Fwd: How important is FIPS 140-2 Level 1 cert?


From: lists <lists () kriptik org>
Date: Wed, 10 Jan 2007 16:02:26 -0500

On 9 Jan 2007 21:01:37 +0100, felix-dailydave () fefe de wrote:
> Thus spake Saqib Ali (docbook.xml () gmail com):
> > The following excellent post by Karl Levinson appeared on
> > Security-Basics mailing list:
> >
> > > FIPS basically says that someone took a few test vectors, ran the
> > > product algorithms on them, and the right results came out.

The full set of FIPS 140-2 testing requirements can be found in [1].
They include things like authentication and authorization, and key
management, as well as looking at the particular cryptographic
algorithms being used and self-testing.

Labs require access to the full code (software, firmware, hardware) of
the module as well as the module itself, and they do look at and play
with these things. But, of course, their examination is limited to the
scope of the requirements [1].

> > > Like NIAP Common Criteria, FIPS certification is probably expensive
> > > and time consuming for the vendor, so that the products that get it
> > > would tend to be older products from larger, more monolithic
> > > companies, which may not necessarily guarantee you're getting
> > > superlative security.
>
> Haha, well said.

Actually plenty of smaller companies have gone through FIPS 140
validations. While a few big boys might pump out many FIPS 140
validations (often for very related products), the overall vendor list
[2] is not made up of just these players. (I guess the key word in the
original paragraph is "probably." In other words, a guess.)

> > > Bottom line, make sure you know what FIPS certification does and
> > > doesn't guarantee. I'm not sure I would pay double for a product that
> > > might be less secure than the cheaper solution, depending on how
> > > exactly it's implemented. But then that also depends on your security
> > > needs and your tolerance for various kinds of risk, so there's no one
> > > universal answer that is true for all.
>
> Since FIPS does not guarantee anything tangible, I would generally stay
> clear of FIPS certified products. It means the vendor rather spent
> money on a dubious certification than on making the product better.

Nothing tangible, except that a product meets a well-defined set of
requirements [1]. If those requirements meet your needs, great. If
not, look elsewhere. (I guess the key words in the original paragraph
are "depends on your security needs and your tolerance for various
kinds of risk.")

> Now, story time. :-)
>
> I once had this revealing discussion with the head of the German agency
> that does this kind of certification. I asked him what kind of bugs
> they would have to find so a product does not get certified. And he
> said: all products get certified. They don't look for bugs. Even if
> they wanted to, they don't have the manpower. So I asked, if a really
> obvious back door happened to fall in their lap, what would they do.
> And he said they had that case once. They complained and got shot down
> for it politically. Turns out it was some kind of NATO thing. *cough*

FIPS 140 has nothing to do with German agencies. The validation
program is run by the USA and Canada, which jointly issue validation
certificates after a module has passed lab testing and NIST/CSE QA.
(If it ever happened that a module was found to have a backdoor after
validation, I imagine the validation would be revoked. I could see US
agencies and their contractors being required to immediately cease use
of the module and assess the impacts of the backdoor, and other
private entities using the module being recommended to do the same.)

I have heard of FIPS 140-2 validations digging up all sorts of
problems, from improperly implemented cryptographic algorithms to poor
seeding of PRNGs to data being passed around in the clear that was
supposed to be encrypted to authenticated operators not quite being
authenticated. Sure, these are obvious when someone takes a look, but
someone needs to take a look.

And, no, FIPS 140-2 is not searching through every speck of code for
general software bugs and backdoors. Even if it did, there is no
process in place to ensure that the vendor is actually providing the
same exact version of the module that was audited. If this is what you
are looking for, you will need to look elsewhere.

-Andrew

[1] http://csrc.nist.gov/cryptval/140-1/fips1402DTR.pdf
[2] http://csrc.nist.gov/cryptval/140-1/1401vend.htm
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave