Re: [Cfrg] On "non-NIST"

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Sat, 28 February 2015 23:51 UTC

From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>, Watson Ladd <watsonbladd@gmail.com>
Date: Sat, 28 Feb 2015 23:51:45 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/n9kLpF4hPKGKN1hHplc9rR16YSE>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>, Peter Gutmann <pgut001@cs.auckland.ac.nz>

On Feb 20, 2015, at 12:41 PM, Paul Hoffman wrote:
> On Feb 28, 2015, at 9:17 AM, Watson Ladd <watsonbladd@gmail.com> wrote:
>> 
>> This is factually untrue: CMVP certified modules are permitted to 
>> implement other algorithms: they just can't be in FIPS mode when those 
>> are used.
> 
> That sentence assumes a few things: an HSM that has multiple signing
> algorithms *and* a lab that would allow non-certified signing algorithms
> to be within the crypto module that gets the Level 2+ certification *and*
> the CMVP program allowing the lab's evaluations. To the best of my
> knowledge, this has never happened.

We have a number of level 2 certified devices that can be configured with
non-FIPS approved algorithms.  The lab (and the CMVP) were satisfied with
documentation that said "to be in FIPS mode, the device must be configured
this way".  Presumably the same logic can work for an HSM.