[ISN] Microsoft says NT to support government encryption

From: mea culpa (jerichoat_private)
Date: Thu Sep 03 1998 - 04:07:55 PDT

    Forwarded From: Gary Porter <grporterat_private>
    
    Tuesday September 1 12:43 PM EDT
    
    Microsoft says NT to support government encryption
    By Kristen Philipkoski
    
    SAN FRANCISCO (Wired) - Microsoft announced Monday that it will add
    support in its Windows NT products for a US government encryption protocol
    used to scramble sensitive, but nonclassified, communications. 
    
    The Fortezza protocol was recently declassified, opening the door for
    third-party developers like Microsoft to use it in commercial software
    products. 
    
    But before Microsoft Corp can sell its Fortezza-encrypted
    Windows NT products to government agencies, it must pass a test
    implemented by the National Institute of Standards and Technology (NIST)
    called the Federal Information Processing Standard (FIPS). The FIPS 140-1
    test describes the government's requirements for hardware and software
    products using encryption. 
    
    If NT passes muster, Microsoft plans to supply products for several US
    Department of Defense initiatives, including messaging systems and network
    security frameworks. 
    
    Does that mean it will boost security in government-run computer networks? 
    
    ``It will make security a little bit easier,'' said Bruce Schneier, author
    of Applied Cryptography and president of Counterpane Systems. ``Now it
    will get wider use. It's a lot better than no Fortezza. There's nothing
    less secure than a product that isn't used.''
    
    The algorithms for Fortezza and other government encryption protocols were
    classified until June 23 when the National Security Agency (NSA) released
    the codes for use in commercial software. Some observers think the
    government's crypto protocols shouldn't have been released at all. 
    
    David Banisar, policy director at the Electronic Privacy Information
    Center said the Fortezza standard is ``slow, dumb, and it doesn't do a
    very good job.... Five years ago, they announced the Fortezza card and the
    clipper chip and said 'No, we can't give you that because it will threaten
    the national security.' The thing went nowhere, they shut down the
    security lines. They realized no one wants to use this garbage.''
    
    In supporting the standard, Microsoft will be able to secure more
    government contracts for its products - and get a marketing tool for Windows
    NT, to boot. ``It gives us an evaluation and gives customers confidence,''
    said Karan Khanna, lead product manager for Windows NT security. 
    
    NIST representatives said the FIPS test is not meant as an endorsement of
    a vendor's product but is merely a verification that it meets government
    requirements. 
    
    ``We have three accredited testing labs,'' explained Jim Foti, a member of
    the technical staff of the computer security division at NIST. ``(They
    will) provide us with a final testing report, then we'll issue a
    validation standard certificate. It's not endorsement; it's validation
    that the requirements have been met.''
    
    Schneier was quick to add that the Fortezza crypto is only one component
    of a network's security framework. 
    
    ``This has nothing to do with NT security per se,'' Schneier said. ``It's
    like adding secure telephones to your home - it has to do with the security
    of your communication, not the security of your house. It won't affect
    other security holes.''
    
    Spyrus, the main vendor of Fortezza products, is working with Microsoft on
    its CryptoAPI programming interfaces to ensure FIPS compliance. CygnaCom
    Solutions will test the Microsoft products for FIPS certification. 
    
    Microsoft's Exchange and Outlook client software currently support
    Fortezza. Eventually, the company plans to add it to Internet Information
    Services and Internet Explorer 5. 
    
    Microsoft expects the cryptographic module to pass the FIPS 140-1 test
    and be available for the Windows NT Server version 4.0 and Workstation 4.0
    by the end of the year. The company also expects that the FIPS-approved
    software will ship as a core component of the system's version 5.0. 
    (Reuters/Wired) 
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    


