[ISN] Microsoft Tries Government Crypto

From: mea culpa (jerichoat_private)
Date: Tue Sep 01 1998 - 18:37:52 PDT

    Forwarded From: Nelson Murilo <nelsonat_private>
    
    [http://www.wired.com/news/news/technology/story/14757.html]
    
    Microsoft Tries Government Crypto
    by Kristen Philipkoski
    4:00am  1.Sep.98.PDT
    
    Microsoft announced Monday that it will add support in its Windows NT
    products for a US government encryption protocol used to scramble
    sensitive, but nonclassified, communications. The Fortezza protocol was
    recently declassified, opening the door for third-party developers like
    Microsoft to use it in commercial software products. 
    
    But before Microsoft can sell its Fortezza-encrypted Windows NT products
    to government agencies, it must pass a test implemented by the National
    Institute of Standards and Technology (NIST) called the Federal Information
    Processing Standard (FIPS). The FIPS 140-1 test describes the government's
    requirements for hardware and software products using encryption. 
    
    If NT passes muster, Microsoft (MSFT) plans to supply products for several
    US Department of Defense initiatives, including messaging systems and
    network security frameworks. 
    
    Does that mean it will boost security in government-run computer networks? 
    
    "It will make security a little bit easier," said Bruce Schneier, author
    of Applied Cryptography and president of Counterpane Systems.  "Now it
    will get wider use. It's a lot better than no Fortezza. There's nothing less
    secure than a product that isn't used." 
    
    The algorithms for Fortezza and other government encryption protocols were
    classified until 23 June when the National Security Agency (NSA)  released
    the codes for use in commercial software. Some observers think the
    government's crypto protocols shouldn't have been released at all. 
    
    David Banisar, policy director at the Electronic Privacy Information
    Center said the Fortezza standard is "slow, dumb, and it doesn't do a very
    good job.... Five years ago, they announced the Fortezza card and the
    clipper chip and said 'No, we can't give you that because it will threaten
    the national security.' The thing went nowhere, they shut down the
    security lines. They realized no one wants to use this garbage." 
    
    In supporting the standard, Microsoft will be able to secure more
    government contracts for its products -- and get a marketing tool for
    Windows NT, to boot. "It gives us an evaluation and gives customers
    confidence," said Karan Khanna, lead product manager for Windows NT
    security. 
    
    NIST representatives said the FIPS test is not meant as an endorsement of
    a vendor's product but is merely a verification that it meets government
    requirements. 
    
    "We have three accredited testing labs," explained Jim Foti, a member of
    the technical staff of the computer security division at NIST.  "(They
    will) provide us with a final testing report, then we'll issue a validation
    standard certificate. It's not endorsement; it's validation that the
    requirements have been met." 
    
    Schneier was quick to add that the Fortezza crypto is only one component
    of a network's security framework. 
    
    "This has nothing to do with NT security per se," Schneier said. "It's like
    adding secure telephones to your home -- it has to do with the security of
    your communication, not the security of your house. It won't affect other
    security holes." 
    
    Spyrus, the main vendor of Fortezza products, is working with Microsoft on
    its CryptoAPI programming interfaces to ensure FIPS compliance. CygnaCom
    Solutions will test the Microsoft products for FIPS certification. 
    
    Microsoft's Exchange and Outlook client software currently support
    Fortezza. Eventually, the company plans to add it to Internet Information
    Services and Internet Explorer 5. 
    
    Microsoft expects the cryptographic module to pass the FIPS 140-1 test
    and be available for the Windows NT Server version 4.0 and Workstation 4.0
    by the end of the year. The company also expects that the FIPS-approved
    software will ship as a core component of the system's version 5.0. 
    
    
    