cryptoadm(1M) enhancement for FIPS-140 mode [PSARC/2009/347 FastTrack timeout 06/17/2009]

Mehdi Bonyadi Mehdi.Bonyadi at sun.com
Wed Jun 10 07:24:30 PDT 2009 

FIPS 140-3 is still in draft and under review, but since certifications 
can take many months it is a good idea to monitor the situation and be 
prepared. Has anyone heard of any target dates for 14-3 release or do 
they know how it would impact our case?

Mehdi


On 06/09/09 22:53, Anthony Scarpino wrote:
> Hi,
> 
> The team is enhancing the Cryptographic Framework to support a Security 
> Level 2.  That level requires a Common Criteria certified OS.  Having it 
> on by default would have to be a special case for that particular release..
> 
> Now taking off the project team hat...
> 
> In a world with an appetite for performance.  FIPS (regardless of 
> Security Level) requires Power-On Self Tests and other tests that will 
> degrade performance.  There are also boundaries which have to the 
> verified before crypto operations can be performed.  I feel that you 
> would see many more unhappy users than happy..
> 
> Also a FIPS validation requires a Security Policy that is a 
> configuration the user must keep the system in, so no addition crypto 
> cards or providers.   And for Level 1 and 2, it's not that the whole 
> system is FIPS'ed, but just a set of supported APIs.
> 
> In general as FIPS 140-2 is, I don't believe it's practical by default..
> 
> Tony
> 
> 
> Glenn Brunette wrote:
>>
>> Given the strong push by U.S. and other governments, financial
>> services organizations, etc. (inside and outside of the U.S.) to
>> use FIPS approved algorithms, has there been any consideration
>> to make FIPS-140 mode enabled by default?  I realize that in a
>> global marketplace, this is likely a touchy issue, but I at least
>> wanted to put the question on the table and hear from the project
>> team and the community.
>>
>> g
>>
>> On 6/9/09 6:17 PM, Krishna Yenduri wrote:
>>> I am sponsoring this fast track for Hai-May Chao. The timer
>>> is set for 06/17/2009. Micro/patch binding is requested.
>>>
>>>
>>> Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
>>> This information is Copyright 2009 Sun Microsystems
>>> 1. Introduction
>>>      1.1. Project/Component Working Name:
>>>      cryptoadm(1M) enhancement for FIPS-140 mode
>>>      1.2. Name of Document Author/Supplier:
>>>      Author: Hai-May Chao
>>>                   Valerie Fenwick
>>>                   Tony Scarpino
>>>      1.3  Date of This Document:
>>>     09 June, 2009
>>>
>>> 4. Technical Description
>>>
>>> 4.1 Proposal:
>>>
>>> Enhance cryptoadm interface to provide for enabling and disabling
>>> of the FIPS-140 mode of operations in the Cryptographic Framework.
>>>
>>> 4.2 Description:
>>>
>>> The Cryptographic Framework team is planning on obtaining FIPS 140-2
>>> certification. The cryptoadm command is the administrative front-end
>>> interface to the framework. This case is intended to add new features
>>> to cryptoadm(1M) that allow administrators to enable and disable the
>>> FIPS-140 mode in the Cryptographic Framework. Hence, this case
>>> represents the first set of changes to get prepared toward the FIPS
>>> 140-2 evaluation process.
>>>
>>> There will be two FIPS-140 modes of operations in the framework: enabled
>>> and disabled. The default FIPS-140 mode is disabled.
>>>
>>> When FIPS-140 mode is enabled, the Cryptographic Framework is put into
>>> FIPS-140 mode of operations. The non-approved FIPS algorithms 
>>> provided by
>>> the user-level pkcs11_softtoken provider and the kernel software 
>>> providers
>>> will not be disabled. It is up to the consumers of the framework to be
>>> responsible for using only FIPS approved algorithms and that will be
>>> documented in the Security Policy. This meets FIPS 140 level 2 
>>> requirements.
>>>
>>> As we start working with the certification lab, we anticipate there may
>>> be additional changes needed and those changes should be internal to the
>>> framework. The cryptoadm interface changes should stand by itself.
>>>
>>> The cryptoadm command will also be modified to display the active
>>> FIPS-140 mode setting.
>>>
>>> 4.3  Interfaces:
>>>
>>>   The following new options are added to cryptoadm(1M) sub-commands
>>>       cryptoadm list fips-140
>>>       cryptoadm enable fips-140
>>>       cryptoadm disable fips-140
>>>
>>>   Stability level is "committed".
>>>   Release binding is Micro/Patch.
>>>
>>>
>>> 4.4 Doc Impact:
>>>
>>>   The diff-marked cryptoadm(1M) man page is in the case directory.
>>>
>>> 5. Reference
>>>
>>> FIPS 140-2 Spec can be located at:
>>> http://csrc.nist.gov/publications/PubsFIPS.html
>>>
>>> 6. Resources and Schedule
>>>      6.4. Steering Committee requested information
>>>         6.4.1. Consolidation C-team Name:
>>>         ON
>>>      6.5. ARC review type: FastTrack
>>>      6.6. ARC Exposure: open
>>>
> 
> _______________________________________________
> crypto-discuss mailing list
> crypto-discuss at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/crypto-discuss

More information about the opensolaris-arc mailing list