Re: [saag] Algorithms/modes requested by users/customers
"Santosh Chokhani" <SChokhani@cygnacom.com> Tue, 19 February 2008 16:50 UTC
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id m1JGoQrw015899 for <saag@PCH.mit.edu>; Tue, 19 Feb 2008 11:50:26 -0500
Received: from mit.edu (W92-130-BARRACUDA-2.MIT.EDU [18.7.21.223]) by fort-point-station.mit.edu (8.13.6/8.9.2) with ESMTP id m1JGoGki015630 for <saag@mit.edu>; Tue, 19 Feb 2008 11:50:17 -0500 (EST)
Received: from scygmxsecs1.cygnacom.com (scygmxsecs1.cygnacom.com [65.242.48.253]) by mit.edu (Spam Firewall) with SMTP id 08DE9CD4D90 for <saag@mit.edu>; Tue, 19 Feb 2008 11:49:55 -0500 (EST)
Received: (qmail 2626 invoked from network); 19 Feb 2008 16:42:22 -0000
Received: from SChokhani@cygnacom.com by scygmxsecs1.cygnacom.com with EntrustECS-Server-7.4; 19 Feb 2008 16:42:22 -0000
Received: from unknown (HELO scygexch1.cygnacom.com) (10.60.50.8) by scygmxsecs1.cygnacom.com with SMTP; 19 Feb 2008 16:42:22 -0000
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Tue, 19 Feb 2008 11:49:53 -0500
Message-ID: <FAD1CF17F2A45B43ADE04E140BA83D483C4E93@scygexch1.cygnacom.com>
in-reply-to: <p06240804c3e0ad5d1fa4@[10.20.30.152]>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [saag] Algorithms/modes requested by users/customers
Thread-Index: AchzFO3PhWGkWHRDTSG0q9i/xNMp9gAAJGnw
References: <8329C86009B2F24493D76B486146769A9429B7A8@USEXCHANGE.corp.extremenetworks. com> <p06240804c3de211f0592@[10.20.30.162]><p06240504c3e09559649c@[192.168.0.102]> <p06240804c3e0ad5d1fa4@[10.20.30.152]>
From: Santosh Chokhani <SChokhani@cygnacom.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>, Stephen Kent <kent@bbn.com>
X-Spam-Score: 0.14
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by pch.mit.edu id m1JGoQrw015899
X-Mailman-Approved-At: Wed, 20 Feb 2008 10:05:23 -0500
Cc: saag@mit.edu, Randall Atkinson <rja@extremenetworks.com>
Subject: Re: [saag] Algorithms/modes requested by users/customers
X-BeenThere: saag@mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
List-Id: IETF Security Area Advisory Group <saag.mit.edu>
List-Unsubscribe: <http://mailman.mit.edu/mailman/listinfo/saag>, <mailto:saag-request@mit.edu?subject=unsubscribe>
List-Archive: <http://mailman.mit.edu/pipermail/saag>
List-Post: <mailto:saag@mit.edu>
List-Help: <mailto:saag-request@mit.edu?subject=help>
List-Subscribe: <http://mailman.mit.edu/mailman/listinfo/saag>, <mailto:saag-request@mit.edu?subject=subscribe>
X-List-Received-Date: Tue, 19 Feb 2008 16:50:27 -0000
On the issue of it takes too long, the FIPS process is the envy of other schemes. One could always be faster. On the issue of restart, that is misunderstanding on Paul's part. There is no restart. Generally, problem is fixed and you pick up that point. This is generally a vendor problem. Depending on the nature of problem/failure, other aspects of the testing can continue without loss of calendar time. Subjective tests seems to be misunderstanding on Paul's part. Having been in the Orange Book, CC and FIPS process, I as validator, tester, and certifier as well as vendor generally rue about rigidness of the standard and lack of subjective judgment on the part of the tester or lack of subjective latitude to vendors. FIPS 140 has specific guidelines on how to deal with minor incremental changes that helps reduce cost and calendar time. The standard is NOT a protocol standard. It does verify the algorithm implementations and thus, FIPS validated algorithms can interoperate. In terms of low end devices, 20-30K for level 1 testing amortized over devices does not seem too onerous. I do not understand what Paul refers to as silly modes. The module being FIPS validated must use FIPS validated or recognized algorithms for a given crypto service. That seems like a good thing to me. -----Original Message----- From: saag-bounces@mit.edu [mailto:saag-bounces@mit.edu] On Behalf Of Paul Hoffman Sent: Tuesday, February 19, 2008 11:18 AM To: Stephen Kent Cc: saag@mit.edu; Randall Atkinson Subject: Re: [saag] Algorithms/modes requested by users/customers At 10:15 AM -0500 2/19/08, Stephen Kent wrote: >Can you share the reasons cited by vendors to support the notion >that the FIPS 140 process is broken. Sure. - It takes way too long from submission of system to validation, even if no problems are found. - If problems are found during evaluation, the restart time is too long. - Some of the tests are fairly subjective, and it becomes a game of fixing code to please the testing service, not to make the product more secure. - An evaluated product cannot have its core firmware updated without losing the validation. For example, if a customer asks for a new feature that might touch the crypto, the vendor has to choose between losing the validation (and paying for a new one, and waiting for the results) or keeping the customer happy. - The validation doesn't even check for on-the-wire interoperability, which is what the customers care about most. - The test process is too expensive for many low-end devices that would be very useful in USGovt offices. - The system introduces silly modes that make the systems more complicated. These are the top complaints I hear from both large and small vendors. There are certainly others. "Oh, don't get me started" is commonly heard when discussing FIPS 140 testing. > Compared to other security evaluation criteria, e.g. CC or the old >Organge Book, most security folks I know view the FIPS 140 >evaluation program as well managed and not very onerous. "Security folks" are not good evaluators on how some processes affect the market. >Also, if buyers believe that a device that "could be evaluated" is >good enough, they are being rather naive. Maybe. If a buyer cares about "does this box support the needed crypto in an interoperable fashion", then the perception is fine. If they care about all the details that FIPS 140 testing covers, then of course it is naive. >Experience with the FIPS 140 program has shown that a significant >fraction of of products submitted for evaluation fail the process. This statement is usually bandied about without any quantification of what failures were found, as it is here. As someone who creates test suites, I can assure you that I can make a few picky rules for systems that would cause some of those systems to fail, but most end users who understood those few rules would say that those rules were silly. Of course, different end users have different requirements. It is generally felt by vendors that some/many of the rules for FIPS 140 are silly and unneeded; on the other hand, it is likely that at least a few USGovt customers would really want some of those rules for particular reasons. >Presumably a vendor submitting a product for evaluation believes >that the product is ready, and will pass, otherwise the vendor is >wasting money on the evaluation effort. Wrong, very wrong. You cannot tell what the testing agency might try to knock you down on ahead of time. Of course, you cover what you can, but you also know that there is a good chance they'll just whack you a bit because it makes them look good. >The fact that many products fail evaluation (for good security >reasons), tells me that a vendor's claim that a product "could be >evaluated" is not much of an assurance. If you believe in the testing regime, that's fine. Others don't, and I believe for very good reasons in their own use scenarios. --Paul Hoffman, Director --VPN Consortium _______________________________________________ saag mailing list saag@mit.edu http://mailman.mit.edu/mailman/listinfo/saag
- [saag] Algorithms/modes requested by users/custom… Randall Atkinson
- Re: [saag] Algorithms/modes requested by users/cu… Paul Hoffman
- Re: [saag] Algorithms/modes requested by users/cu… Randall Atkinson
- Re: [saag] Algorithms/modes requested by users/cu… Stephen Kent
- Re: [saag] Algorithms/modes requested by users/cu… Randall Atkinson
- Re: [saag] Algorithms/modes requested by users/cu… Paul Hoffman
- Re: [saag] Algorithms/modes requested by users/cu… Paul Hoffman
- Re: [saag] Algorithms/modes requested by users/cu… Jack Lloyd
- Re: [saag] Algorithms/modes requested by users/cu… Paul Hoffman
- Re: [saag] Algorithms/modes requested by users/cu… mcgrew
- Re: [saag] Algorithms/modes requested by users/cu… Stephen Kent
- Re: [saag] Algorithms/modes requested by users/cu… Jon Callas
- Re: [saag] Algorithms/modes requested by users/cu… Peter Gutmann
- Re: [saag] Algorithms/modes requested by users/cu… Peter Gutmann
- Re: [saag] Algorithms/modes requested by users/cu… Steven M. Bellovin
- Re: [saag] Algorithms/modes requested by users/cu… Peter Gutmann
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Randall Atkinson
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Randall Atkinson
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Randall Atkinson
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Jon Callas
- Re: [saag] Algorithms/modes requested by users/cu… Stephen Kent
- Re: [saag] Algorithms/modes requested by users/cu… mcgrew
- Re: [saag] Algorithms/modes requested by users/cu… Vishwas Manral
- Re: [saag] Algorithms/modes requested by users/cu… Peter Gutmann
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Peter Gutmann
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Stephen Kent
- Re: [saag] Algorithms/modes requested by users/cu… Peter Gutmann
- Re: [saag] Algorithms/modes requested by users/cu… Ben Laurie
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani