Kerberos 5 certified under NIST 140-2.

Ken Hornstein kenh at cmf.nrl.navy.mil
Mon Sep 3 22:52:53 EDT 2007


>As I read FIPS 140-2, it addresses hardware much more than software, and
>very much addresses "complete systems" or sometimes "components" and really
>does not address frameworks or pluggable environments much at all.
>
>OpenSource software loses here on several points:
>[...]

I don't want to get into the whole FIPS 140-2 mess ... but while it does
mostly deal with hardware products, there is a path for software-only
products to be certified.  And it IS possible for open-source software
to be certified ... look at the certificate and security policy for
the FIPS-certified OpenSSL.  Mind you, it's an uphill battle and I
think it is worthless from a _security_ perspective ... for software
I think the only value is so a government bureaucrat can check off a
box on a form.

>	Appendix A describes the documentation that is necessary.
>	There's a lot of it, and it is very specific to the testing
>	required for FIPS 140-2.  $25K to hire somebody to produce
>	this would be a real bargain for something as complicated as
>	Kerberos 5.

When I said $25K (that was a number of years ago) that was the fee charged
by the testing labs that NIST uses.  That's just for the FIPS 140-2
test ... generally you (the submitter) have to do all of the documentation
yourself, as well as meet all of the bizarre and seemingly arbitrary NIST
requirements.

>	Appendix B describes the "recommended software development
>	practice".  These practices are probably a bit out of date, and
>	certainly do not describe modern conventions for C.  The testing &
>	documentation is certainly considerably more rigorous than many
>	open source projects.  Note that the better organized projects
>	at least approach the software methodology suggested here, with
>	interesting differences: for instance the design stage may happen
>	in part via online chat, unit testing may be on the honor system,
>	functional specifications may be terse, & structure charts are
>	nearly extinct except in the personnel department.

I was under the impression that those recommendations are not requirements.

>Rather than looking to the open source community to produce this, I
>think your best bet is to look at one of the vendors to do this.
>Say, Apple, Solaris, etc.  They distribute the complete system,
>not just the software, so they have a better claim on "complete system",
>plus both the money stream, and the incentive, to pay for the
>certification.  Apparently at least one of the Solaris people
>is already pursuing FIPS 140-2 for some of the lower-level crypto
>stuff (not kerberos yet).

Well, no one has even started the process yet AFAIK, so I think you'll
be waiting a long time.  The "complete system" is not really a barrier
as I understand it.

--Ken