Re: [saag] Algorithms/modes requested by users/customers

"Santosh Chokhani" <SChokhani@cygnacom.com> Tue, 26 February 2008 12:40 UTC

Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id m1QCeBoA025835 for <saag@PCH.mit.edu>; Tue, 26 Feb 2008 07:40:11 -0500
Received: from mit.edu (W92-130-BARRACUDA-2.MIT.EDU [18.7.21.223]) by pacific-carrier-annex.mit.edu (8.13.6/8.9.2) with ESMTP id m1QCe1Kp017202 for <saag@mit.edu>; Tue, 26 Feb 2008 07:40:02 -0500 (EST)
Received: from scygmxsecs1.cygnacom.com (scygmxsecs1.cygnacom.com [65.242.48.253]) by mit.edu (Spam Firewall) with SMTP id 1F8F4CF336C for <saag@mit.edu>; Tue, 26 Feb 2008 07:39:41 -0500 (EST)
Received: (qmail 24703 invoked from network); 26 Feb 2008 12:31:59 -0000
Received: from SChokhani@cygnacom.com by scygmxsecs1.cygnacom.com with EntrustECS-Server-7.4; 26 Feb 2008 12:31:59 -0000
Received: from unknown (HELO scygexch1.cygnacom.com) (10.60.50.8) by scygmxsecs1.cygnacom.com with SMTP; 26 Feb 2008 12:31:59 -0000
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Tue, 26 Feb 2008 07:39:40 -0500
Message-ID: <FAD1CF17F2A45B43ADE04E140BA83D483C50D9@scygexch1.cygnacom.com>
in-reply-to: <E1JTtO1-00080p-6o@wintermute01.cs.auckland.ac.nz>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [saag] Algorithms/modes requested by users/customers
Thread-Index: Ach4QZI6/TYJ7/uKQPmFL6pYftWfCwAMq+Sw
References: <FAD1CF17F2A45B43ADE04E140BA83D483C507F@scygexch1.cygnacom.com> <E1JTtO1-00080p-6o@wintermute01.cs.auckland.ac.nz>
From: Santosh Chokhani <SChokhani@cygnacom.com>
To: pgut001 <pgut001@cs.auckland.ac.nz>, rja@extremenetworks.com
X-Spam-Score: 0.30
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by pch.mit.edu id m1QCeBoA025835
Cc: saag@mit.edu
Subject: Re: [saag] Algorithms/modes requested by users/customers
X-BeenThere: saag@mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
List-Id: IETF Security Area Advisory Group <saag.mit.edu>
List-Unsubscribe: <http://mailman.mit.edu/mailman/listinfo/saag>, <mailto:saag-request@mit.edu?subject=unsubscribe>
List-Archive: <http://mailman.mit.edu/pipermail/saag>
List-Post: <mailto:saag@mit.edu>
List-Help: <mailto:saag-request@mit.edu?subject=help>
List-Subscribe: <http://mailman.mit.edu/mailman/listinfo/saag>, <mailto:saag-request@mit.edu?subject=subscribe>
X-List-Received-Date: Tue, 26 Feb 2008 12:40:12 -0000

Peter,

I do not think this is a forum for negotiations.  But, we will be happy
to do FIPS testing for your product for Level 1 for quoted price.

As to algorithms, all FIPS approved algorithms need to be tested.

As to key generation there are standards that come out of NIST and ANSI
X9 that IETF also takes its cue from, and FIPS process ensures that the
keys are generated in accordance with those standards.

Have you yourself participated in a FIPS evaluation or have you looked
at the NIST FIPS 140-2 DTR and FIPS 140-2 IG (i.e. Implementation
Guidance) available on the Web?

-----Original Message-----
From: pgut001 [mailto:pgut001@cs.auckland.ac.nz] 
Sent: Tuesday, February 26, 2008 1:34 AM
To: pgut001@cs.auckland.ac.nz; rja@extremenetworks.com; Santosh Chokhani
Cc: saag@mit.edu
Subject: RE: [saag] Algorithms/modes requested by users/customers

"Santosh Chokhani" <SChokhani@cygnacom.com> writes:

>You are wrong about FIPS 140-1 costs being 100K for Level 1.  It is
more like
>30K.

The figures I've been given, from numerous vendors going through
numerous labs
over a number of years, is that their all-up cost for a level 1 software
eval
was around $100K (give or take a few tens of $K).  This isn't just the
final
cheque they cut to get the coloured piece of paper, this is the all-up
cost of
getting their product through a FIPS 140 eval.

I realise the following may be a bit unfair since you weren't intending
to
provide a price quote :-), but I'm willing to put my money where my
mouth is:
If Cygnacom can get me a FIPS 140 level 1 on my code for an all-up cost
of
$30K I'll send you a cheque and CDROM of the source within 24 hours (I
need to
get mgt.approval first).  Just let me know where to send it and who to
make
the payment out to.

>In terms of what FIPS buys is that you ensure that the algorithm is
>implemented correctly,

That a *subset* of the algorithms used are impemented correctly, in
other
words a subset of what you can get for $19.95 via a TLS connect to
Amazon.
And the actual crypto mechanisms don't get tested at all.

>keys will be generated in accordance with FIPS (meaning that the seed
feeding
>the PRNG will have requisite entropy and PRNG will be FIPS approved).

A nice circular definition: "A FIPS evaluation guarantees that keys will
be
generated as required in order to pass a FIPS evaluation".

>You also get the assurance that the keys are being managed properly in
the
>crypto module.

... unless the vendor has documented away the mismanagement, e.g.
CryptoAPIs
plaintext private key export.

You're not making a very convincing argument here :-).

Peter.