[Cryptography Team] Re: [Newbies] [ANN] SqueakCryptographyCertification Validation Officer

Krishna Sankar ksankar at doubleclix.net
Thu Oct 12 00:05:00 UTC 2006 

Extending further, it depends on the Security Target and the TOE. If I am
correct, the CC evaluation is for a (platform, function, version) tuple
anyway. Like Ron points out, first we could bound the target configuration,
by teeing off of a set of libraries that are already certified. We can then
improve upon the base and have more ambitious plans.

I think one of the first tasks would be to put together the ST and ToE. The
security claims we want to make also have a bearing on the current
discussion. I haven't dug deeper into the profiles yet.

Cheers
<k/> 

> -----Original Message-----
> From: cryptography-bounces at lists.squeakfoundation.org 
> [mailto:cryptography-bounces at lists.squeakfoundation.org] On 
> Behalf Of Ron Teitelbaum
> Sent: Wednesday, October 11, 2006 4:54 PM
> To: 'Cryptography Team Development List'
> Subject: RE: [Cryptography Team] Re: [Newbies] [ANN] 
> SqueakCryptographyCertification Validation Officer
> 
> Hi Kyle, 
> 
> I discussed this with the certification lab that I spoke too. 
>  It is a very interesting question and one that we will need 
> to address when it is time to do the actual certification.  I 
> know that the common criteria is less strict, and that is 
> where we are focusing now.  There are a number of ways that 
> we can ensure that the code is not modifiable, including 
> coding signing the VM, removing the compiler, crc checking 
> the code before it runs, etc.  I agree with you that this is 
> going to be an interesting challenge, and it will be 
> expensive process once we get to the point when we think we 
> are secure the code and the VM and can pass the CC.  But I 
> also feel that having the certification would be a very good 
> thing for Open Source in general, so it's a path worth going 
> down.  The lab thought that it would be difficult also but 
> they believed it was possible.  I planned to discuss this 
> with the lab that worked with OpenSSL but after realizing how 
> much work there was left to do before working with a lab, I 
> figured it could wait.  If they succeed then it makes it 
> easier for us.
> 
> One of the tenants I've been working under is Good Enough 
> Security.  The idea is that if we try to build the perfect 
> system we would find it a task that is so daunting that we 
> would never try.  If we try to make incremental improvements 
> using the best information that we can find, working with the 
> best possible people, and going through some of the 
> certification processes, even if we don't succeed, we make 
> Squeak better, and more secure, and more likely that 
> businesses and developers will comfortably adopt Squeak.
> 
> My understanding of OpenSSL was that they had their 
> certification but it was pulled, they are working to restore 
> that certification now, and they have passed the lab stage 
> and are waiting again for the government.  
> 
> One of the other things to consider that I have mentioned 
> already is that Microsoft CryptoAPI is FIPS certified.  It is 
> possible that we could attach to that and develop Squeak 
> systems that are also certified, but I haven't read through 
> the security policy document thoroughly enough to know how 
> difficult that would be.
> 
> What other package where you thinking of?
> 
> Hope that helps!
> 
> Ron Teitelbaum
> Squeak Cryptography Team Leader
> 
> > From: Kyle Hamilton
> > Sent: Wednesday, October 11, 2006 6:05 PM
> > 
> > Welcome, Krishna!
> > 
> > In the grand scheme of things, how can the integrity of the 
> > cryptographic component module be verifiably maintained in Squeak?
> > Because of the NIST/FIPS requirement of a security boundary, the 
> > implementation must be an immutable "black box" -- put data in, get 
> > data out.
> > 
> > OpenSSL has a FIPS-validated component (no longer available for 
> > obtainment, but people who obtained it before it was made
> > no-longer-available) that would operate in the context of 
> an extension 
> > to the interpreter.  [They're working on a follow-up 
> validation for a 
> > to-be-made-available version of the library.]  There is 
> also at least 
> > one FIPS-validated, freely-available module available for Windows 
> > other than OpenSSL.
> > 
> > I bring this up only because I can't see how such a black 
> box could be 
> > created (and its internal state verifiable at all times) 
> unless it's 
> > not written within the Squeak environment itself.  There isn't any 
> > means that I know of "sealing" classes and preventing data 
> from being 
> > examined -- thus there isn't any means of enforcing a "black box"
> > boundary the way that FIPS requires.
> > 
> > Any thoughts on the matter?  Anyone?
> > 
> > -Kyle H
> > 
> > On 10/11/06, Ron Teitelbaum <Ron at usmedrec.com> wrote:
> > >
> > > Krishna Sankar is joining our team as the new Squeak Cryptography 
> > > Certification Validation Officer.
> > >
> > _______________________________________________
> > Cryptography mailing list
> > Cryptography at lists.squeakfoundation.org
> > 
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptograph
> > y
> 
> 
> _______________________________________________
> Cryptography mailing list
> Cryptography at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cry
ptography
>

More information about the Cryptography mailing list