[ISN] NT 4.0 flunks cryptography test

From: mea culpa (jerichoat_private)
Date: Mon Jan 18 1999 - 17:32:13 PST


    NT 4.0 flunks cryptography test
    Another service pack fix and interoperability woes for users are the results.
    By Ellen Messmer
    Network World, 01/11/99
    Washington, D.C.
    Last summer, Microsoft hoped to see NT 4.0 breeze through government tests
    of encryption features such as Data Encryption Standard and digital
    signatures. But things didn't go exactly as planned.

    Products must pass the Federal Information Processing Standard (FIPS) 140-1
    certification test before they can be sold to the U.S. and Canadian
    governments. Not only did the Redmond, Wash., giant fail the cryptography
    tests, but Microsoft officials now acknowledge that the lab scrutiny exposed
    shortcomings in NT's cryptographic processing that will force Microsoft to
    redesign the operating system.

    Microsoft expects to issue a service-pack upgrade later this year - once NT
    finally makes it through FIPS 140-1 testing. "We expect this to happen
    early in the first quarter, but we have to allow for additional delays,"
    says Patrick Arnold, program manager at Microsoft Federal Systems.

    The Microsoft code fix, however, will prevent users who apply it from using
    Internet Explorer 4.0, Outlook 98 and perhaps other applications, such as
    the Microsoft Internet Information Server. "Only Internet Explorer 5.0 will
    know how to work in FIPS mode," Arnold explains, adding that Microsoft is
    still assessing the application interoperability problems that will result
    from the fix.

    Microsoft has already released NT Service Pack 4, which was supposed to be
    the last upgrade for NT 4.0. The company has not yet announced the FIPS
    upgrade and has not explained whether all users - or just the ones that
    need the FIPS compliance - will be urged to upgrade.

    The problems, which were uncovered at CygnaCom Solutions, a
    government-certified testing lab, are related to NT 4.0's CryptoAPIs.
    Government reaction
    Government users, especially the Department of Defense, which bought tens
    of thousands of NT 4.0 servers, are bracing for impact. "Will our
    department upgrade and work through the interoperability problems?
    Absolutely," says Dick Schaeffer, a Defense Department security manager.
    "FIPS 140-1 is an important benchmark that tells us an encryption module
    is working right."

    Prodded by the Defense Department to meet government encryption standards,
    Microsoft insists that NT 4.0 and NT 5.0 will henceforth be designed around
    FIPS 140-1. And there will be only one version of NT - the FIPS version -
    sold to the government and commercial sectors.

    Microsoft admits it might have sidestepped the interoperability mess if it
    had gotten into the government's test program earlier. "We got into this a
    bit late," Arnold confesses. "We weren't effectively paying attention."

    Late indeed. The FIPS 140-1 test program was started five years ago by the
    National Institute of Standards and Technology (NIST), with help from the
    National Security Agency. During the past two years, the government
    established a vigorous test regime with three certified labs. Last year,
    agencies were told they had to start buying FIPS 140-1 products to protect
    sensitive but unclassified information. To date, about 30 products have won
    FIPS 140-1 certification, including Netscape's Communicator client software
    and SuiteSpot server. According to NIST officials, 30 other products are
    undergoing testing.

    Government agencies - in theory - shouldn't be using NT to protect
    sensitive but unclassified information because it isn't FIPS 140-1
    certified, says Miles Smid, manager of security technology at NIST.
    Agencies can ask for a waiver, but the reality is that none have bothered -
    the lack of FIPS 140-1 products in the market seems to be excuse enough.

    "FIPS 140-1 is very important, but there aren't enough products to buy,"
    says the Defense Department's

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:16:22 PDT