Squeak FIPS 140-2 level 2 certification

Andreas Raab andreas.raab at gmx.de
Thu Jul 13 19:29:06 UTC 2006


Hi Ron -

 > Also we should consider the effects having the certification
 > will have on using Croquet for secure collaboration
 > over insecure networks like the internet.

An interesting thought. I have forwarded your message to the Croquet 
committee, but personally speaking I don't think we're quite at the 
point where the certification really matters. But of course, there would 
be no harm in having it anyway.

Cheers,
   - Andreas

Ron Teitelbaum wrote:
> All,
> 
> I've just finished meeting with a testing lab concerning Squeak FIPS 140-2
> level 2 cryptographic certification.  I would like to share the results of
> that meeting.  
> 
> Background: 
> 
> OpenSSL has received FIPS 140-2 certification.  The fact that an open source
> project has received certification of their cryptographic module opens the
> door, in my opinion, for others to do the same.  We have an opportunity to
> learn from their mistakes and success.  
> 
> Having the certification does a lot for our community.  Having the
> certification opens the door for government agencies to use Squeak, it
> allows businesses that work with government to use Squeak, and it allows
> businesses that have high security requirements (which today with the advent
> of Sarbanes-Oxley in the US means all public companies, or with HIPAA all
> medical companies) to use Squeak.  Also we should consider the effects
> having the certification will have on using Croquet for secure collaboration
> over insecure networks like the internet.  Plus it would help to generate
> some publicity.
> 
> Having the certification is not the only way to go.  Of course secure
> networking can be accomplished with other means, and there is a lot that the
> cryptography group can do to help make that easier for the community to
> accomplish.  There are benefits to both paths that I would like to point
> out.  
> 
> Having our own libraries written in Smalltalk enhances our ability to
> educate developers on cryptology.  It allows for more flexibility and
> creativity for supporting higher level protocols like SSL/TLS, SFTP,
> S/MIME, etc.  Our certification may help to attract a wider security
> audience, developers, and contributors to Squeak. 
> 
> Using an external certified library instead of an internal Squeak library
> allows us to focus on delivering cryptographic software and less on the
> cryptology itself.  Using OpenSSL allows us to leverage their experience to
> enhance our software and leaves the onus and costs of certification to them.
> 
> Meeting Summary:
> 
> I met with SAIC, which is a US Government approved testing lab, in Columbia,
> Maryland.  We discussed the following:
> 
> Can a Smalltalk cryptographic library be isolated enough to allow developers
> to use the FIPS 140-2 certification to develop software that would also be
> considered FIPS 140-2 certified?
> 
> The answer to this question is not simple and will have to be addressed in
> the initial assessment, the security policy documentation, the testing
> process, and by the government in its approval.  In order for software
> developed from our certified Squeak library to be considered FIPS 140-2
> certified it must be able to show that it is using the cryptographic library
> unmodified, that the approved library was loaded and that the library is not
> modifiable.  There are a number of ways that this can be accomplished, but
> none of them are simple.  (My first thought was to identify and sign our
> packages and to change the VM to check the signature on startup and to not
> allow for changes to signed code.  This functionality of signing packages
> may be useful regardless of our decision to pursue certification).
> 
> What would be required from the cryptography team to get certification?
> 
> We would have to implement all the standard tests and show that they all
> pass.  We would have to write a security policy (we can use the OpenSSL
> security policy as a starting point).  We would have to work with the lab to
> prove our code can be isolated, and make changes as required.
> 
> Is additional padding in cipher text on a standard test considered a passing
> test? (This question is for the cryptography team)
> 
> Standard tests are evaluated individually, but additional padding is usually
> disregarded when validating an algorithm.  Additional padding can be added
> and still pass. 
> 
> How long will the process take?
> 
> The lab offers an initial assessment which can be used to identify gaps and
> to help us plan our security policy.  The assessment takes about 10-14 days
> to complete.  At the end of the assessment we receive a detailed assessment
> report.
> 
> The lab can write the security policy for us, they can also suggest outside
> consultants, or this is something that we could decide to do ourselves.  The
> security policy will take several months to complete.
> 
> The lab testing itself along with government communications and adjustments
> will take between 1 to 4 months to complete.
> 
> The Government certification itself will take between 8 to 12 months after
> lab testing is complete to get final approval.  
> 
> How much will all this cost?
> 
> The costs are considerable.  If we do most of the work ourselves we can get
> testing alone for USD $25K.  If we start with an initial assessment and let
> the lab do the documentation it will cost USD $75K.  
> 
> Next Steps: 
> 
> There are no real next steps for now except to discuss if this is important
> enough for the community to pursue.  Certification is a goal that has been
> identified by the cryptography team, but we can not accomplish this alone.
> Broader community support will be needed to get it done.
> 
> Please give me your opinion.  I hope that I've given you enough information
> for you to comment, if not please feel free to ask questions.
> 
> Thank you,
> 
> Ron Teitelbaum
> President / Principal Software Engineer
> US Medical Record Specialists
> Ron at USMedRec.com
> Squeak Cryptography Team Leader
> 
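The signing idea in Ron's message (sign the packages, have the VM check the signature on startup, and refuse changes to signed code) is essentially the software integrity test that FIPS 140-2 requires of a software module. The block below is an added illustration written for this page, not code from Squeak, Croquet, OpenSSL or the Squeak cryptography team: a Python stand-in for a loader that verifies a package before any of it is made available, rejects a modified file, a forged manifest or a smuggled-in extra file, and hands the loaded code out read-only. The package contents, file names, HMAC key and manifest layout are all constructed for the demo.

```python
"""Integrity-checked package loading (added example; not Squeak or OpenSSL code).

Models the idea raised in the thread: sign the cryptographic package at
build time and have the loader verify that signature on startup, refusing
to load anything that was modified and handing the code out read-only.
FIPS 140-2's software integrity test accepts an Approved MAC or digital
signature over the module image; this stand-in uses HMAC-SHA256 from the
Python standard library.  Package contents, file names, key and manifest
layout are constructed for the demo.
"""
import hashlib
import hmac
import json
from types import MappingProxyType

# Constructed sample "package": source units as an exporter might emit them.
SAMPLE_PACKAGE = {
    "SHA256.st": b"SHA256>>hashBlock: aBlock ...",
    "AES.st": b"AES>>encryptBlock: aBlock with: aKey ...",
}

# Assumed build-time integrity key.  A real module would embed this in the
# verifier (or use a public-key signature); it is a fixed demo value here.
INTEGRITY_KEY = b"example-integrity-key-not-for-real-use"


def build_manifest(package: dict) -> bytes:
    """Canonical manifest: file name -> SHA-256 of contents, sorted, compact JSON."""
    digests = {name: hashlib.sha256(data).hexdigest()
               for name, data in sorted(package.items())}
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def sign_package(package: dict, key: bytes = INTEGRITY_KEY) -> tuple:
    """Return (manifest, tag) where tag = HMAC-SHA256(key, manifest)."""
    manifest = build_manifest(package)
    return manifest, hmac.new(key, manifest, hashlib.sha256).digest()


def load_package(package: dict, manifest: bytes, tag: bytes,
                 key: bytes = INTEGRITY_KEY) -> MappingProxyType:
    """Verify the manifest tag and every file before anything is 'loaded'.

    Raises ValueError on any mismatch; on success returns a read-only view so
    the loaded code cannot be altered in place (the 'not modifiable' rule).
    """
    expected_tag = hmac.new(key, manifest, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, tag):
        raise ValueError("integrity check failed: manifest tag mismatch")
    expected = json.loads(manifest)
    if set(expected) != set(package):
        raise ValueError("integrity check failed: file set differs from manifest")
    for name, data in package.items():
        if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected[name]):
            raise ValueError(f"integrity check failed: {name} was modified")
    return MappingProxyType(dict(package))


def loads_cleanly(package: dict, manifest: bytes, tag: bytes) -> bool:
    """True if the loader accepts the package, False if it refuses."""
    try:
        load_package(package, manifest, tag)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Exercise the clean, tampered-file, forged-manifest, extra-file and sealed cases."""
    manifest, tag = sign_package(SAMPLE_PACKAGE)
    results = {"clean": loads_cleanly(SAMPLE_PACKAGE, manifest, tag)}

    # One token of AES.st changed after signing: its digest no longer matches.
    tampered = dict(SAMPLE_PACKAGE)
    tampered["AES.st"] = tampered["AES.st"].replace(b"aKey", b"aKex")
    results["tampered_file"] = loads_cleanly(tampered, manifest, tag)

    # Attacker rewrites the manifest to match the tampered file but lacks the
    # key, so the old tag no longer authenticates the new manifest.
    forged_manifest = build_manifest(tampered)
    results["forged_manifest"] = loads_cleanly(tampered, forged_manifest, tag)

    # An extra file smuggled in beside the signed ones is also rejected.
    extra = dict(SAMPLE_PACKAGE)
    extra["Backdoor.st"] = b"..."
    results["extra_file"] = loads_cleanly(extra, manifest, tag)

    # Once loaded, the code view is sealed: in-place modification is refused.
    loaded = load_package(SAMPLE_PACKAGE, manifest, tag)
    try:
        loaded["AES.st"] = b"replaced"
        results["sealed"] = False
    except TypeError:
        results["sealed"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add. A MAC whose key sits inside the verifier detects accidental or careless modification, which is what the integrity test is for; it does not stop an attacker who can rewrite the verifier as well, so a public-key signature with the signing key kept offline is the stronger form. And either check only means something if the component performing it (here the VM) is itself outside the reach of the loaded code, which is exactly the isolation question the lab raised.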