All,
I've just finished meeting with a testing lab concerning Squeak FIPS 140-2 level 2 cryptographic certification. I would like to share the results of that meeting.

Background:

OpenSSL has received FIPS 140-2 certification. The fact that an open source project has received certification of their cryptographic module opens the door, in my opinion, for others to do the same. We have an opportunity to learn from their mistakes and successes.

Having the certification does a lot for our community. Having the certification opens the door for government agencies to use Squeak, it allows businesses that work with government to use Squeak, and it allows businesses that have high security requirements (which today, with the advent of Sarbanes-Oxley in the US, means all public companies, or with HIPAA all medical companies) to use Squeak. Also, we should consider the effects having the certification will have on using Croquet for secure collaboration over insecure networks like the internet. Plus, it would help to generate some publicity.

Having the certification is not the only way to go. Of course, secure networking can be accomplished with other means, and there is a lot that the cryptography group can do to help make that easier for the community to accomplish. There are benefits to both paths that I would like to point out.

Having our own libraries written in Smalltalk enhances our ability to educate developers on cryptology. It allows for more flexibility and creativity for supporting higher-level protocols like SSL/TLS, SFTP, S/MIME... Our certification may help to attract a wider security audience, developers, and contributors to Squeak.

Using an external certified library instead of an internal Squeak library allows us to focus on delivering cryptographic software and less on the cryptology itself. Using OpenSSL allows us to leverage their experience to enhance our software and leaves the onus and costs of certification to them.

Meeting Summary:

I met with SAIC, which is a US Government approved testing lab, in Columbia, Maryland. We discussed the following:

Can a Smalltalk cryptographic library be isolated enough to allow developers to use the FIPS 140-2 certification to develop software that would also be considered FIPS 140-2 certified?

The answer to this question is not simple and will have to be addressed in the initial assessment, the security policy documentation, the testing process, and by the government in its approval. In order for software developed from our certified Squeak library to be considered FIPS 140-2 certified, it must be able to show that it is using the cryptographic library unmodified, that the approved library was loaded, and that the library is not modifiable. There are a number of ways that this can be accomplished, but none of them are simple. (My first thought was to identify and sign our packages and to change the VM to check the signature on startup and to not allow for changes to signed code. This functionality of signing packages may be useful regardless of our decision to pursue certification.)

What would be required from the cryptography team to get certification?

We would have to implement all the standard tests and show that they all pass. We would have to write a security policy (we can use the OpenSSL security policy as a starting point). We would have to work with the lab to prove our code can be isolated, and make changes as required.

Is additional padding in cipher text on a standard test considered a passing test? (This question is for the cryptography team.)

Standard tests are evaluated individually, but additional padding is usually disregarded when validating an algorithm. Additional padding can be added and still pass.

How long will the process take?

The lab offers an initial assessment which can be used to identify gaps and to help us plan our security policy. The assessment takes about 10-14 days to complete. At the end of the assessment we receive a detailed assessment report. The lab can write the security policy for us, they can also suggest outside consultants, or this is something that we could decide to do ourselves. The security policy will take several months to complete. The lab testing itself, along with government communications and adjustments, will take between 1 to 4 months to complete. The Government certification itself will take between 8 to 12 months after lab testing is complete to get final approval.

How much will all this cost?

The costs are considerable. If we do most of the work ourselves, we can get testing alone for USD $25K. If we start with an initial assessment and let the lab do the documentation, it will cost USD $75K.

Next Steps:

There are no real next steps for now except to discuss if this is important enough for the community to pursue. Certification is a goal that has been identified by the cryptography team, but we cannot accomplish this alone. Broader community support will be needed to get it done.

Please give me your opinion. I hope that I've given you enough information for you to comment; if not, please feel free to ask questions.

Thank you,

Ron Teitelbaum
President / Principal Software Engineer
US Medical Record Specialists
[hidden email]
Squeak Cryptography Team Leader