Peter,

I do not think this is a forum for negotiations. But we will be happy to do FIPS testing for your product for Level 1 for the quoted price. As to algorithms, all FIPS approved algorithms need to be tested. As to key generation, there are standards that come out of NIST and ANSI X9 that IETF also takes its cue from, and the FIPS process ensures that the keys are generated in accordance with those standards. Have you yourself participated in a FIPS evaluation, or have you looked at the NIST FIPS 140-2 DTR and FIPS 140-2 IG (i.e. Implementation Guidance) available on the Web?

-----Original Message-----
From: pgut001 [mailto:pgut001 at cs.auckland.ac.nz]
Sent: Tuesday, February 26, 2008 1:34 AM
To: pgut001 at cs.auckland.ac.nz; rja at extremenetworks.com; Santosh Chokhani
Cc: saag at mit.edu
Subject: RE: [saag] Algorithms/modes requested by users/customers

"Santosh Chokhani" <SChokhani at cygnacom.com> writes:

>You are wrong about FIPS 140-1 costs being 100K for Level 1. It is more like
>30K.

The figures I've been given, from numerous vendors going through numerous labs over a number of years, are that their all-up cost for a level 1 software eval was around $100K (give or take a few tens of $K). This isn't just the final cheque they cut to get the coloured piece of paper, this is the all-up cost of getting their product through a FIPS 140 eval.

I realise the following may be a bit unfair since you weren't intending to provide a price quote :-), but I'm willing to put my money where my mouth is: If Cygnacom can get me a FIPS 140 level 1 on my code for an all-up cost of $30K I'll send you a cheque and CDROM of the source within 24 hours (I need to get mgt. approval first). Just let me know where to send it and who to make the payment out to.
>In terms of what FIPS buys is that you ensure that the algorithm is
>implemented correctly,

That a *subset* of the algorithms used are implemented correctly, in other words a subset of what you can get for $19.95 via a TLS connect to Amazon. And the actual crypto mechanisms don't get tested at all.

>keys will be generated in accordance with FIPS (meaning that the seed feeding
>the PRNG will have requisite entropy and PRNG will be FIPS approved).

A nice circular definition: "A FIPS evaluation guarantees that keys will be generated as required in order to pass a FIPS evaluation".

>You also get the assurance that the keys are being managed properly in the
>crypto module.

... unless the vendor has documented away the mismanagement, e.g. CryptoAPI's plaintext private key export.

You're not making a very convincing argument here :-).

Peter.
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.