http://www.nwfusion.com/news/0111ntcrypt.html

NT 4.0 flunks cryptography test

Another service pack fix and interoperability woes for users are the results.

By Ellen Messmer
Network World, 01/11/99

Washington, D.C.

Last summer, Microsoft hoped to see NT 4.0 breeze through government tests of encryption features such as Data Encryption Standard and digital signatures. But things didn't go exactly as planned.

Products must pass the Federal Information Processing Standard (FIPS) 140-1 certification test before they can be sold to the U.S. and Canadian governments. Not only did the Redmond, Wash., giant fail the cryptography tests, but Microsoft officials now acknowledge that the lab scrutiny exposed shortcomings in NT's cryptographic processing that will force Microsoft to redesign the operating system.

Microsoft expects to issue a service-pack upgrade later this year - once NT finally makes it through FIPS 140-1 testing. "We expect this to happen early in the first quarter, but we have to allow for additional delays," says Patrick Arnold, program manager at Microsoft Federal Systems.

The Microsoft code fix, however, will prevent users who apply it from using Internet Explorer 4.0, Outlook 98 and perhaps other applications, such as the Microsoft Internet Information Server. "Only Internet Explorer 5.0 will know how to work in FIPS mode," Arnold explains, adding Microsoft is still assessing the application interoperability problems that will result from the fix.

Microsoft has already released NT Service Pack 4, which was supposed to be the last upgrade for NT 4.0. The company has not yet announced the FIPS upgrade and has not explained whether all users - or just the ones that need the FIPS compliance - will be urged to upgrade.

The problems, which were uncovered at CygnaCom Solutions, a government-certified testing lab, are related to NT 4.0's CryptoAPIs.

Government reaction

Government users, especially the Department of Defense, which bought tens of thousands of NT 4.0 servers, are bracing for impact. "Will our department upgrade and work through the interoperability problems? Absolutely," says Dick Schaeffer, a Defense Department security manager. "FIPS 140-1 is an important benchmark that tells us an encryption module is working right."

Prodded by the Defense Department to meet government encryption standards, Microsoft insists that NT 4.0 and NT 5.0 will henceforth be designed around FIPS 140-1. And there will be only one version of NT - the FIPS version - sold to the government and commercial sectors.

Microsoft admits it might have sidestepped the interoperability mess if it had gotten into the government's test program earlier. "We got into this a bit late," Arnold confesses. "We weren't effectively paying attention."

Late indeed. The FIPS 140-1 test program was started five years ago by the National Institute of Standards and Technology (NIST), with help from the National Security Agency. During the past two years, the government established a vigorous test regime with three certified labs. Last year, agencies were told they had to start buying FIPS 140-1 products to protect sensitive but unclassified information.

To date, about 30 products have won FIPS 140-1 certification, including Netscape's Communicator client software and SuiteSpot server. According to NIST officials, 30 other products are undergoing testing.

Government agencies - in theory - shouldn't be using NT to protect sensitive but unclassified information because it isn't FIPS 140-1 certified, says Miles Smid, manager of security technology at NIST. Agencies can ask for a waiver, but the reality is that none have bothered - the lack of FIPS 140-1 products in the market seems to be excuse enough.

"FIPS 140-1 is very important, but there aren't enough products to buy," says the Defense Department's Schaeffer.