Squeak FIPS 140-2 level 2 certification
Andreas Raab
andreas.raab at gmx.de
Thu Jul 13 19:29:06 UTC 2006
Hi Ron -
> Also we should consider the effects having the certification
> will have on using Croquet for secure collaboration
> over insecure networks like the internet.
An interesting thought. I have forwarded your message to the Croquet
committee, but personally speaking I don't think we're quite at the
point where the certification really matters. But of course, there would
be no harm in having it anyway.
Cheers,
- Andreas
Ron Teitelbaum wrote:
> All,
>
> I've just finished meeting with a testing lab concerning Squeak FIPS 140-2
> level 2 cryptographic certification. I would like to share the results of
> that meeting.
>
> Background:
>
> OpenSSL has received FIPS 140-2 certification. The fact that an open source
> project has received certification of their cryptographic module opens the
> door, in my opinion, for others to do the same. We have an opportunity to
> learn from their mistakes and success.
>
> Having the certification does a lot for our community. Having the
> certification opens the door for government agencies to use Squeak, it
> allows businesses that work with government to use Squeak, and it allows
> businesses that have high security requirements (which today with the advent
> of Sarbanes/Oxley in the US means all public companies, or with HIPAA all
> medical companies) to use Squeak. Also we should consider the effects
> having the certification will have on using Croquet for secure collaboration
> over insecure networks like the internet. Plus it would help to generate
> some publicity.
>
> Having the certification is not the only way to go. Of course secure
> networking can be accomplished with other means, and there is a lot that the
> cryptography group can do to help make that easier for the community to
> accomplish. There are benefits to both paths that I would like to point
> out.
>
> Having our own libraries written in Smalltalk enhances our ability to
> educate developers on cryptology. It allows for more flexibility and
> creativity for supporting higher level protocols like SSL/TLS, SFTP,
> S/MIME... Our certification may help to attract a wider security
> audience, developers, and contributors to Squeak.
>
> Using an external certified library instead of an internal Squeak library
> allows us to focus on delivering cryptographic software and less on the
> cryptology itself. Using OpenSSL allows us to leverage their experience to
> enhance our software and leaves the onus and costs of certification to them.
>
> Meeting Summary:
>
> I met with SAIC which is a US Government approved testing lab, in Columbia
> Maryland. We discussed the following:
>
> Can a Smalltalk cryptographic library be isolated enough to allow developers
> to use the FIPS 140-2 certification to develop software that would also be
> considered FIPS 140-2 certified?
>
> The answer to this question is not simple and will have to be addressed in
> the initial assessment, the security policy documentation, the testing
> process, and by the government in its approval. In order for software
> developed from our certified Squeak library to be considered FIPS 140-2
> certified it must be able to show that it is using the cryptographic library
> unmodified, that the approved library was loaded and that the library is not
> modifiable. There are a number of ways that this can be accomplished, but
> none of them are simple. (My first thought was to identify and sign our
> packages and to change the VM to check the signature on startup and to not
> allow for changes to signed code. This functionality of signing packages
> may be useful regardless of our decision to pursue certification).
>
> What would be required from the cryptography team to get certification?
>
> We would have to implement all the standard tests and show that they all
> pass. We would have to write a security policy (we can use the OpenSSL
> security policy as a starting point). We would have to work with the lab to
> prove our code can be isolated, and make changes as required.
>
> Is additional padding in cipher text on a standard test considered a passing
> test? (This question is for the cryptography team)
>
> Standard tests are evaluated individually, but additional padding is usually
> disregarded when validating an algorithm. Additional padding can be added
> and still pass.
>
> How long will the process take?
>
> The lab offers an initial assessment which can be used to identify gaps and
> to help us plan our security policy. The assessment takes about 10-14 days
> to complete. At the end of the assessment we receive a detailed assessment
> report.
>
> The lab can write the security policy for us, they can also suggest outside
> consultants, or this is something that we could decide to do ourselves. The
> security policy will take several months to complete.
>
> The lab testing itself along with government communications and adjustments
> will take between 1 to 4 months to complete.
>
> The Government certification itself will take between 8 to 12 months after
> lab testing is complete to get final approval.
>
> How much will all this cost?
>
> The costs are considerable. If we do most of the work ourselves we can get
> testing alone for USD $25K. If we start with an initial assessment and let
> the lab do the documentation it will cost USD $75K.
>
> Next Steps:
>
> There are no real next steps for now except to discuss if this is important
> enough for the community to pursue. Certification is a goal that has been
> identified by the cryptography team, but we cannot accomplish this alone.
> Broader community support will be needed to get it done.
>
> Please give me your opinion. I hope that I've given you enough information
> for you to comment, if not please feel free to ask questions.
>
> Thank you,
>
> Ron Teitelbaum
> President / Principal Software Engineer
> US Medical Record Specialists
> Ron at USMedRec.com
> Squeak Cryptography Team Leader