Kerberos 5 certified under NIST 140-2.
Douglas E. Engert
deengert at anl.gov
Tue Sep 4 15:00:50 EDT 2007
Edgecombe, Jason wrote:
> I remember reading in Linux journal that openssl had been certified.
>
> http://www.linuxjournal.com/node/7644/print
>
> I vaguely remember something else about getting source code certified
> instead of compiled code, but I can't find it.
There was a discussion on 8/10 on the openssl mailing list,
"Windows build of FIPS 1.1.1 is not thread-safe", which led to some
interesting discussions about compilers, and what could and could not
be done to use software.
http://csrc.nist.gov/cryptval/140-1/140sp/140sp642.pdf
(a 2MB PDF) is the OpenSSL document for NIST.
http://csrc.nist.gov/cryptval/140-1/FIPS1402IG.pdf
is the implementation guide, see section G5 for what a vendor
and/or a user can do with source code.
http://csrc.nist.gov/cryptval/140-1/140crt/140crt642.pdf
is the OpenSSL certificate.
>
> Jason
>
> Jason Edgecombe
> Solaris & Linux Administrator
> Mosaic Computing Group, College of Engineering
> UNC-Charlotte
> Phone: (704) 687-3514
>
>
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
> Behalf Of Marcus Watts
> Sent: Saturday, September 01, 2007 7:47 AM
> To: kerberos at mit.edu
> Subject: Re: Kerberos 5 certified under NIST 140-2.
>
> Various wrote:
>>> I work at the U.S. Census Bureau and would like to use Kerberos 5 as our
>>> network authentication protocol. The only problem is that for us to meet
>>> our Certification and Accreditation and use Kerberos 5, it must be
>>> certified under NIST 140-2. Do you have plans to have version 5 certified?
>>> My understanding is that version 4 was.
> ...
>> When I looked into this for Kerberos, doing the certification cost
>> around $25,000-$35,000 and took a couple of years. And having seen
> ...
>
> As I read FIPS 140-2, it addresses hardware much more than software, and
> very much addresses "complete systems" or sometimes "components" and really
> does not address frameworks or pluggable environments much at all.
>
> OpenSource software loses here on several points:
> 1. it's not a "finished" system. Somebody might come along at any
> point and change it, invalidating any test results done until
> that point.
> 2. the development process for "open source" does not generally conform
> to FIPS 140-2 appendix A and B.
>
> Appendix A describes the documentation that is necessary.
> There's a lot of it, and it is very specific to the testing
> required for FIPS 140-2. $25K to hire somebody to produce
> this would be a real bargain for something as complicated as
> kerberos 5.
>
> Appendix B describes the "recommended software development
> practice". These practices are probably a bit out of date, and
> certainly do not describe modern conventions for C. The testing &
> documentation is certainly considerably more rigorous than many
> open source projects. Note that the better organized projects
> at least approach the software methodology suggested here, with
> interesting differences: for instance the design stage may happen
> in part via online chat, unit testing may be on the honor system,
> functional specifications may be terse, & structure charts are
> nearly extinct except in the personnel department.
>
> In fact, I think kerberos 5 probably conforms to about half of
> these practices. For instance, the "life-cycle software engineering
> recommendations" include the phrase "may". I suspect the kerberos
> developers actually follow most of those practices, but may be resistant
> to documenting that they did so. The coding standards contain many
> "shoulds" for things that MIT kerberos actually follows far less rigidly.
> MIT kerberos certainly uses gotos ("...using only structured programming
> constructs..."), unions ("equivalence of variables should not be used..."),
> global variables ("should not be used..."), and more than 2 exit points
> for many routines ("...at most two exit points"). In-line documentation
> is certainly *far* sparser than the appendix B authors suggest.
>
> Rather than looking to the open source community to produce this, I
> think your best bet is to look at one of the vendors to do this.
> Say, Apple, Solaris, etc. They distribute the complete system,
> not just the software, so they have a better claim on "complete system",
> plus both the money stream, and the incentive, to pay for the
> certification. Apparently at least one of the Solaris people
> is already pursuing FIPS 140-2 for some of the lower-level crypto
> stuff (not kerberos yet).
>
> -Marcus Watts
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444