Forwarded From: Phillip Renouf <philliprat_private> Originally From: Jason Garms <jasongat_private> To: NTBUGTRAQat_private To clarify: Microsoft absolutely did NOT fail the FIPS 140-1 testing. The DSS CSP (the module being tested) has not been undergone final testing, so it is not possible that it failed. Some additional Q&As below with more information if you're interested. Thanks, -jasong Jason Garms Product Manager Windows NT Security Microsoft Corporation JasonGat_private Q: Did Microsoft Windows NT 4.0 (or other components) recently fail any FIPS 140-1 cryptography tests? A: No. Microsoft absolutely did NOT fail the FIPS 140-1 testing. The FIPS 140-1 evaluation process evaluates cryptographic modules, not operating systems. The component that Microsoft has submitted for evaluation is the Microsoft Enhanced DSS/Diffie-Hellman Cryptographic Provider (CSP). The DSS CSP (the module being tested) has not been undergone final testing, so it is not possible that it failed. Microsoft recently received algorithm validation certificates for the multiple algorithms implemented in the Microsoft Enhanced DSS/Diffie-Hellman Cryptographic Provider (CSP). This is a critical prerequisite for final FIPS 140-1 validation of the complete cryptomodule. Specifically, Microsoft has received validation certificates for the following algorithms as implemented in the DSS CSP: - DSA/SHA-1 according to FIPS 186-1 and FIPS 180-1. See http://csrc.nist.gov/cryptval/dss/dsaval.htm, item 17. - DES according to FIPS 46-2 and FIPS 81. See http://csrc.nist.gov/cryptval/des/desval.htm, item 45. Q: Did Microsoft's FIPS 140-1 testing lab find any security weaknesses in Microsoft Windows NT 4.0? A: No. The testing lab was never contracted to examine the security of the Microsoft Windows NT 4.0 operating system or the Microsoft CryptoAPI. Rather, the testing lab was hired specifically to test the Microsoft Enhanced DSS/Diffie-Hellman Cryptographic Provider, a.k.a DSSENH.DLL, against the FIPS 140-1 standard. While accredited CMVP testing laboratories do make design and implementation recommendations back to the vendor to maximize the probability that a cryptomodule will achieve FIPS 140-1 validation, no redesign or changes in the core Windows NT product was required. Q: Will installation of the Microsoft FIPS 140-1 cryptomodule interfere with the operation of Internet Explorer 4.0, Outlook 98, or any other applications? A: No. The FIPS 140-1 validated Microsoft Enhanced DSS/Diffie-Hellman Cryptographic Provider, a.k.a DSSENH.DLL, is a new cryptomodule that is being added to the arsenal of cryptomodules (a.k.a. cryptographic providers) already installed in Microsoft Windows 4.0 and does not replace and/or patch any existing cryptographic providers. Existing applications that have not been written to specifically take advantage of the DSS/Diffie-Hellman cipher suite will not be affected by installation of the Microsoft FIPS 140-1 cryptomodule in any way. While applications such as Internet Explorer 4.0 and Outlook 98 will not take advantage of the new Microsoft FIPS 140-1 cryptomodule, they will continue to work unaffected by the new cryptomodule by using the cryptographic providers preinstalled with Windows NT 4.0 and Internet Explorer 4.0. Updated products and features will take advantage of the FIPS cryptomodule. For example, Internet Explorer 5.0 can operate in a FIPS-compliant mode by using this cryptomodule. Q: How will the final FIPS 140-1 approved cryptomodule be shipped? A: It is not clear at this time what the shipping vehicle for a Windows NT 4.0 version of this CSP will be. As soon as the module completes evaluation, the shipping vehicle will be determined. -o- Subscribe: mail majordomoat_private with "subscribe isn". Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:16:39 PDT