Forwarded From: Nelson Murilo <nelsonat_private> [http://www.wired.com/news/news/technology/story/14757.html] Microsoft Tries Government Crypto by Kristen Philipkoski 4:00am 1.Sep.98.PDT Microsoft announced Monday that it will add support in its Windows NT products for a US government encryption protocol used to scramble sensitive, but nonclassified, communications. The Fortezza protocol was recently declassified, opening the door for third-party developers like Microsoft to use it in commercial software products. But before Microsoft can sell its Fortezza-encrypted Windows NT products to government agencies, it must pass a test implemented by the National Institute of Standards Technology (NIST) called the Federal Information Processing Standard (FIPS). The FIPS 140-1 test describes the government's requirements for hardware and software products using encryption. If NT passes muster, Microsoft (MSFT) plans to supply products for several US Department of Defense initiatives, including messaging systems and network security frameworks. Does that mean it will boost security in government-run computer networks? "It will make security a little bit easier," said Bruce Schneier, author of Applied Cryptography and president of Counterpane Systems. "Now it will get wider use. Its a lot better than no Fortezza. Theres nothing less secure than a product that isnt used." The algorithms for Fortezza and other government encryption protocols were classified until 23 June when the National Security Agency (NSA) released the codes for use in commercial software. Some observers think the government's crypto protocols shouldn't have been released at all. David Banisar, policy director at the Electronic Privacy Information Center said the Fortezza standard is "slow, dumb, and it doesnt do a very good job.... Five years ago, they announced the Fortezza card and the clipper chip and said 'No, we cant give you that because it will threaten the national security.' The thing went nowhere, they shut down the security lines. They realized no one wants to use this garbage." In supporting the standard, Microsoft will be able to secure more government contracts for its products -- and get a marketing tool for Windows NT, to boot. "It gives us an evaluation and gives customers confidence," said Karan Khanna, lead product manager for Windows NT security. NIST representatives said the FIPS test is not meant as an endorsement of a vendors' product but is merely a verification that it meets government requirements. "We have three accredited testing labs," explained Jim Foti, a member of the technical staff of the computer security division at NIST. "(They will) provide us with a final testing report, then well issue a validation standard certificate. Its not endorsement; its validation that the requirements have been met." Schneier was quick to add that the Fortezza crypto is only one component of a network's security framework. "This has nothing to do with NT security per se," Schneier said. "Its like adding secure telephones to your home -- it has to do with the security of your communication, not the security of your house. It wont affect other security holes." Spyrus, the main vendor of Fortezza products, is working with Microsoft on its CryptoAPI programming interfaces to ensure FIPS compliance. CygnaCom Solutions will test the Microsoft products for FIPS certification. Microsofts Exchange and Outlook client software currently support Fortezza. Eventually, the company plans to add it to Internet Information Services and Internet Explorer 5. Microsoft's expects the cryptographic module to pass the FIPS 140-1 test and be available for the Windows NT Server version 4.0 and Workstation 4.0 by the end of the year. The company also expects that the FIPS-approved software will ship as a core component of the system's version 5.0. -o- Subscribe: mail majordomoat_private with "subscribe isn". Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:02:51 PDT