Re: [saag] Algorithms/modes requested by users/customers
pgut001@cs.auckland.ac.nz (Peter Gutmann) Mon, 25 February 2008 15:44 UTC
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id m1PFikTL028438 for <saag@PCH.mit.edu>; Mon, 25 Feb 2008 10:44:46 -0500
Received: from mit.edu (W92-130-BARRACUDA-3.MIT.EDU [18.7.21.224]) by fort-point-station.mit.edu (8.13.6/8.9.2) with ESMTP id m1PFiUlj020528 for <saag@mit.edu>; Mon, 25 Feb 2008 10:44:35 -0500 (EST)
Received: from mailhost.auckland.ac.nz (curly.its.auckland.ac.nz [130.216.12.33]) by mit.edu (Spam Firewall) with ESMTP id 4C308DCE69D for <saag@mit.edu>; Mon, 25 Feb 2008 10:44:02 -0500 (EST)
Received: from localhost (localhost.localdomain [127.0.0.1]) by mailhost.auckland.ac.nz (Postfix) with ESMTP id 38F5C9C418; Tue, 26 Feb 2008 04:44:01 +1300 (NZDT)
Received: from mailhost.auckland.ac.nz ([127.0.0.1]) by localhost (curly.its.auckland.ac.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mgBA08TEH3sX; Tue, 26 Feb 2008 04:44:01 +1300 (NZDT)
Received: from iris.cs.auckland.ac.nz (iris.cs.auckland.ac.nz [130.216.33.152]) by mailhost.auckland.ac.nz (Postfix) with ESMTP id D0F779C3FD; Tue, 26 Feb 2008 04:44:00 +1300 (NZDT)
Received: from wintermute01.cs.auckland.ac.nz (wintermute01.cs.auckland.ac.nz [130.216.34.38]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by iris.cs.auckland.ac.nz (Postfix) with ESMTP id 41AED19EC0BE; Tue, 26 Feb 2008 04:44:00 +1300 (NZDT)
Received: from pgut001 by wintermute01.cs.auckland.ac.nz with local (Exim 4.63) (envelope-from <pgut001@wintermute01.cs.auckland.ac.nz>) id 1JTfUm-00089i-3o; Tue, 26 Feb 2008 04:44:00 +1300
From: pgut001@cs.auckland.ac.nz
To: pgut001@cs.auckland.ac.nz, rja@extremenetworks.com
In-Reply-To: <8329C86009B2F24493D76B486146769A9596B14F@USEXCHANGE.corp.extremenetworks.com>
Message-Id: <E1JTfUm-00089i-3o@wintermute01.cs.auckland.ac.nz>
Sender: pgut001 <pgut001@cs.auckland.ac.nz>
Date: Tue, 26 Feb 2008 04:44:00 +1300
X-Spam-Score: 0.12
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
Cc: saag@mit.edu
Subject: Re: [saag] Algorithms/modes requested by users/customers
X-BeenThere: saag@mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
List-Id: IETF Security Area Advisory Group <saag.mit.edu>
List-Unsubscribe: <http://mailman.mit.edu/mailman/listinfo/saag>, <mailto:saag-request@mit.edu?subject=unsubscribe>
List-Archive: <http://mailman.mit.edu/pipermail/saag>
List-Post: <mailto:saag@mit.edu>
List-Help: <mailto:saag-request@mit.edu?subject=help>
List-Subscribe: <http://mailman.mit.edu/mailman/listinfo/saag>, <mailto:saag-request@mit.edu?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2008 15:44:46 -0000
Randall Atkinson <rja@extremenetworks.com> writes: >Earlier, Peter Gutmann wrote: >% If FIPS 140 is the answer now, why wasn't the Orange Book >% the answer then? > >You are comparing apples to oranges above. > >FIPS-140 is only about assurance for cryptographic modules. >Orange Book (TCSEC) was only about operating system security. > >The two address different issues. They certainly seem to be addressing them in very similar ways. >Or were you proposing to setup a monopoly ? Ten years ago the rule-of-thumb estimate for a FIPS 140 level 1 eval was $100K and 6-12 months no matter who you went to. In 2006 (last time I checked) the rule-of-thumb estimate for a FIPS 140 level 1 eval was $100K and 6-12 months no matter who you went to. So it looks like we already have a well- established oligopoly with FIPS 140 evals, the only difference is the nomenclature. >One needs a process that is as consistent and reproducible as practical Why? This is the ISO 9000-for-software fallacy, reproducibility is great when you're cranking out lightbulbs, but not much use for software, which isn't a mass production process but instead is based on the cloning of the result of a one-off development effort which is the product of the creativity, skill, and co-operation of developers and users. I can easily get 100% consistency in reproducing an executable on a CDROM, but I don't think that's what's meant here. >If you think that FIPS-140-* is a target-rich environment, then please try to >seriously propose something better. I understand NIST and its partners are >looking to evolve into FIPS 140-3 from FIPS 140-2. It depends on what you want from FIPS 140 (and I'm talking specifically FIPS 140 for software modules here, which is the form that 99.9% of users encounter it in ). Some people have said you get "assurance", but the assurance you're getting here is a high level of assurance that the vendors were desperate enough for government sales that they shelled out a large amount of money in order to get a ticket to ride the gravy train. The problem is that like "religion" or "morals", "assurance" is a loaded term and can be interpreted to mean almost anything. Without some basic definition of what's meant by "assurance", it's not really possible to reason about this. So here's an attempt to nail it down: For me (and I would guess most end users) assurance is being able to sleep at night knowing there's little chance of anyone compromising my system ("things that should happen do happen, things that shouldn't happen don't happen"). Let's see what FIPS 140 gives you to help you sleep at night. It tests some crypto mechanisms, but ignores others. If you're buying an IPsec product it doesn't test all the mechanisms needed for IPsec. If you're buying a TLS product it doesn't test the mechanisms needed for TLS. If you're buying... well, you get the idea. Compare this to the example I gave earlier of performing a TLS exchange with Amazon. This performs an in-depth test of all the crypto algorithms (corresponding to the FIPS algorithm tests, including ones that FIPS ignores), and the crypto mechanisms (many/most of which FIPS again ignores). In other words simply by connecting to Amazon using TLS and ordering a "Scrubs" DVD for $19.95 I'm getting more comprehensive algorithm testing than I can for a five- figure sum with the FIPS algorithm tests. So what else do you get? You get a bit of a code review and some checking that you don't do stupid things with keys. Only some of the code is reviewed (for example that trivial buffer overflow in the client handshake that allows a remote attacker to do whatever they want with your server, including the FIPS 140-evaluated portion, isn't checked because it's outside the scope of what FIPS 140 is interested in), and (from having gone through several of these) the review itself seems to be more coding style nitpicks than looking for potential exploits, and in any case you can often document away any problems without having to fix them. So the assurance a FIPS 140 eval gets you is a tautological "the product vendor was able to pass a FIPS 140 eval". In terms of being able to demonstrate this type of assurance, I agree completely with you that there is no better mechanism for it than FIPS 140. Admittedly there is some value to FIPS 140: You know that a subset of the crypto used is OK, that the code doesn't do anything stupid with its keys (unless the vendor has documented away the stupid things that do happen, e.g. CryptoAPI's plaintext private-key export, you ask it "Give me the user's private key in plaintext form" and it says "Sure, here you go"), and that it's had a bit of a code check (and obviously if you're doing hardware crypto you get a lot more value than this, but the discussion here is about software modules). What you don't get from FIPS 140 is the stuff that customers really care about: Assurance that your IPsec product can actually do IPsec, that your TLS product can do TLS, or that the product really is secure(-ish). Excusing this by saying that a FIPS 140 crypto product eval doesn't have to check half your crypto so this isn't a problem is like saying that your TSA passenger- screening process is OK even though it doesn't bother checking men with beards or anyone under 5'6" tall. If I'm going to spend $100K to feel safe then I can really think of better ways than FIPS 140 (or CC, or ITSEC, or ...). How about the following comparison: You get to spend the cost of a FIPS 140 eval in one of two ways: $100K: FIPS 140 -- or -- $20K: Fortify (or whatever) scan. $20K: Cigital (or whatever) audit/analysis (these are just representative figures/estimates since there don't seem to be any fixed rates for this sort of thing). $5K: Grant to French university to pen-test code "written at a German university". $5K: Grant to British university to pen-test code "written at a French university". $5K: Set up a fake banking site running the code and bring it to the attention of the Russian Business Network. $free: Leak "security code for Windows 7" to Slashdot. $free: Leak "security code for BluRay++" on warez boards. $free: Leak "Diebold voting machine security code" to Cryptome. $45K: 50" plasma TV, home theatre system, and beer to kill time while you wait for the results to come in (and to emphasise how much cheaper this is than FIPS 140 :-). If your life depended on the security of the product that went through those two processes, which one would you trust? FIPS 140 is just not cost-effective in providing assurance - it costs too much, it takes too long, and it doesn't evaluate the stuff that real users care about having evaluated. >The claims (not by me so much as by other folks on the SAAG list) have been >that (1) FIPS-140 is better than other extant security evaluations Thus showing that the politician's fallacy is alive and well :-). There was a long and extremely interesting discussion on the (somewhat misnamed) open-source list recently, thread topic "How can high assurance FLOSS development be encouraged?". The archives are at http://lists.csl.sri.com/mailman/listinfo/open-source, but you have to sign up to the list in order to access them. Peter.
- [saag] Algorithms/modes requested by users/custom… Randall Atkinson
- Re: [saag] Algorithms/modes requested by users/cu… Paul Hoffman
- Re: [saag] Algorithms/modes requested by users/cu… Randall Atkinson
- Re: [saag] Algorithms/modes requested by users/cu… Stephen Kent
- Re: [saag] Algorithms/modes requested by users/cu… Randall Atkinson
- Re: [saag] Algorithms/modes requested by users/cu… Paul Hoffman
- Re: [saag] Algorithms/modes requested by users/cu… Paul Hoffman
- Re: [saag] Algorithms/modes requested by users/cu… Jack Lloyd
- Re: [saag] Algorithms/modes requested by users/cu… Paul Hoffman
- Re: [saag] Algorithms/modes requested by users/cu… mcgrew
- Re: [saag] Algorithms/modes requested by users/cu… Stephen Kent
- Re: [saag] Algorithms/modes requested by users/cu… Jon Callas
- Re: [saag] Algorithms/modes requested by users/cu… Peter Gutmann
- Re: [saag] Algorithms/modes requested by users/cu… Peter Gutmann
- Re: [saag] Algorithms/modes requested by users/cu… Steven M. Bellovin
- Re: [saag] Algorithms/modes requested by users/cu… Peter Gutmann
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Randall Atkinson
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Randall Atkinson
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Randall Atkinson
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Jon Callas
- Re: [saag] Algorithms/modes requested by users/cu… Stephen Kent
- Re: [saag] Algorithms/modes requested by users/cu… mcgrew
- Re: [saag] Algorithms/modes requested by users/cu… Vishwas Manral
- Re: [saag] Algorithms/modes requested by users/cu… Peter Gutmann
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Peter Gutmann
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Stephen Kent
- Re: [saag] Algorithms/modes requested by users/cu… Peter Gutmann
- Re: [saag] Algorithms/modes requested by users/cu… Ben Laurie
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani