[ISN] Re: NT 4.0 fails FIPS 140-1 testing (fwd) [correction] (fwd)

From: mea culpa (jerichoat_private)
Date: Thu Jan 21 1999 - 12:10:41 PST

    Forwarded From: Phillip Renouf <philliprat_private>
    Originally From: Jason Garms <jasongat_private>
    To: NTBUGTRAQat_private
    
    To clarify: Microsoft absolutely did NOT fail the FIPS 140-1 testing. The
    DSS CSP (the module being tested) has not undergone final testing, so
    it is not possible that it failed.
    
    Some additional Q&As below with more information if you're interested. 
    
    Thanks,
    -jasong
    
    Jason Garms
    Product Manager
    Windows NT Security
    Microsoft Corporation
    JasonGat_private
    
    
    Q: Did Microsoft Windows NT 4.0 (or other components) recently fail any FIPS
    140-1 cryptography tests?
    A: No. Microsoft absolutely did NOT fail the FIPS 140-1 testing. The FIPS
    140-1 evaluation process evaluates cryptographic modules, not operating
    systems. The component that Microsoft has submitted for evaluation is the
    Microsoft Enhanced DSS/Diffie-Hellman Cryptographic Provider (CSP). The DSS
    CSP (the module being tested) has not undergone final testing, so it is
    not possible that it failed.
    
    Microsoft recently received algorithm validation certificates for the
    multiple algorithms implemented in the Microsoft Enhanced DSS/Diffie-Hellman
    Cryptographic Provider (CSP). This is a critical prerequisite for final FIPS
    140-1 validation of the complete cryptomodule. Specifically, Microsoft has
    received validation certificates for the following algorithms as implemented
    in the DSS CSP:
    - DSA/SHA-1 according to FIPS 186-1 and FIPS 180-1. See
      http://csrc.nist.gov/cryptval/dss/dsaval.htm, item 17.
    - DES according to FIPS 46-2 and FIPS 81. See
      http://csrc.nist.gov/cryptval/des/desval.htm, item 45.
    
    Q: Did Microsoft's FIPS 140-1 testing lab find any security weaknesses in
    Microsoft Windows NT 4.0?
    A: No. The testing lab was never contracted to examine the security of the
    Microsoft Windows NT 4.0 operating system or the Microsoft CryptoAPI.
    Rather, the testing lab was hired specifically to test the Microsoft
    Enhanced DSS/Diffie-Hellman Cryptographic Provider, a.k.a. DSSENH.DLL,
    against the FIPS 140-1 standard. While accredited CMVP testing laboratories
    do make design and implementation recommendations back to the vendor to
    maximize the probability that a cryptomodule will achieve FIPS 140-1
    validation, no redesign or changes in the core Windows NT product were
    required.
    
    Q: Will installation of the Microsoft FIPS 140-1 cryptomodule interfere with
    the operation of Internet Explorer 4.0, Outlook 98, or any other
    applications?
    A: No. The FIPS 140-1 validated Microsoft Enhanced DSS/Diffie-Hellman
    Cryptographic Provider, a.k.a. DSSENH.DLL, is a new cryptomodule that is
    being added to the arsenal of cryptomodules (a.k.a. cryptographic providers)
    already installed in Microsoft Windows 4.0 and does not replace and/or patch
    any existing cryptographic providers. Existing applications that have not
    been written to specifically take advantage of the DSS/Diffie-Hellman cipher
    suite will not be affected by installation of the Microsoft FIPS 140-1
    cryptomodule in any way. While applications such as Internet Explorer 4.0
    and Outlook 98 will not take advantage of the new Microsoft FIPS 140-1
    cryptomodule, they will continue to work unaffected by the new cryptomodule
    by using the cryptographic providers preinstalled with Windows NT 4.0 and
    Internet Explorer 4.0. Updated products and features will take advantage of
    the FIPS cryptomodule. For example, Internet Explorer 5.0 can operate in a
    FIPS-compliant mode by using this cryptomodule.
    
    Q: How will the final FIPS 140-1 approved cryptomodule be shipped?
    A: It is not clear at this time what the shipping vehicle for a Windows NT
    4.0 version of this CSP will be. As soon as the module completes evaluation,
    the shipping vehicle will be determined.
    
    