Kerberos 5 certified under NIST 140-2.

Douglas E. Engert deengert at anl.gov
Tue Sep 4 15:00:50 EDT 2007



Edgecombe, Jason wrote:
> I remember reading in Linux journal that openssl had been certified.
> 
> http://www.linuxjournal.com/node/7644/print
> 
> I vaguely remember something else about getting source code certified
> instead of compiled code, but I can't find it.


There was a discussion on 8/10 on the openssl mailing list,
"Windows build of FIPS 1.1.1 is not thread-safe", which led to some
interesting discussions about compilers, and what could and could not
be done to use software.

http://csrc.nist.gov/cryptval/140-1/140sp/140sp642.pdf
(a 2MB PDF) is the OpenSSL document for NIST.

http://csrc.nist.gov/cryptval/140-1/FIPS1402IG.pdf
is the implementation guide, see section G5 for what a vendor
and/or a user can do with source code.

http://csrc.nist.gov/cryptval/140-1/140crt/140crt642.pdf
  is the OpenSSL certificate.

> 
> Jason
> 
> Jason Edgecombe
> Solaris & Linux Administrator
> Mosaic Computing Group, College of Engineering
> UNC-Charlotte
> Phone: (704) 687-3514
>  
> 
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
> Behalf Of Marcus Watts
> Sent: Saturday, September 01, 2007 7:47 AM
> To: kerberos at mit.edu
> Subject: Re: Kerberos 5 certified under NIST 140-2. 
> 
> Various wrote:
>>> I work at the U.S. Census Bureau and would like to use Kerberos 5 as our
>>> network authentication protocol.  The only problem is that for us to meet
>>> our Certification and Accreditation and use Kerberos 5, it must be
>>> certified under NIST 140-2.  Do you have plans to have version 5 certified?
>>> My understanding is that version 4 was.
> ...
>> When I looked into this for Kerberos, doing the certification cost
>> around $25,000-$35,000 and took a couple of years.  And having seen
> ...
> 
> As I read FIPS 140-2, it addresses hardware much more than software, and
> very much addresses "complete systems" or sometimes "components" and really
> does not address frameworks or pluggable environments much at all.
> 
> OpenSource software loses here on several points:
>  1. it's not a "finished" system.  Somebody might come along at any
> 	point and change it, invalidating any test results done until
> 	that point.
>  2. the development process for "open source" does not generally conform
> 	to FIPS 140-2 appendix A and B.
> 
> 	Appendix A describes the documentation that is necessary.
> 	There's a lot of it, and it is very specific to the testing
> 	required for FIPS 140-2.  $25K to hire somebody to produce
> 	this would be a real bargain for something as complicated as
> 	kerberos 5.
> 
> 	Appendix B describes the "recommended software development
> 	practice".  These practices are probably a bit out of date, and
> 	certainly do not describe modern conventions for C.  The testing &
> 	documentation is certainly considerably more rigorous than many
> 	open source projects.  Note that the better organized projects
> 	at least approach the software methodology suggested here, with
> 	interesting differences: for instance the design stage may happen
> 	in part via online chat, unit testing may be on the honor system,
> 	functional specifications may be terse, & structure charts are
> 	nearly extinct except in the personnel department.
> 
> In fact, I think kerberos 5 probably conforms to about half of
> these practices.  For instance, the "life-cycle software engineering
> recommendations" include the phrase "may".  I suspect the kerberos
> developers actually follow most of those practices, but may be resistant
> to documenting that they did so.  The coding standards contain many
> "shoulds" for things that MIT kerberos actually follows far less rigidly.
> MIT kerberos certainly uses gotos (...using only structured programming
> constructs...), unions ("equivalence of variables should not be used..."),
> global variables ("should not be used..."), and more than 2 exit points
> for many routines ("...at most two exit points").  In-line documentation
> is certainly *far* sparser than the appendix B authors suggest.
> 
> Rather than looking to the open source community to produce this, I
> think your best bet is to look at one of the vendors to do this.
> Say, Apple, Solaris, etc.  They distribute the complete system,
> not just the software, so they have a better claim on "complete system",
> plus both the money stream, and the incentive, to pay for the
> certification.  Apparently at least one of the Solaris people
> is already pursuing FIPS 140-2 for some of the lower-level crypto
> stuff (not kerberos yet).
> 
> 				-Marcus Watts
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


