All,
I've just finished meeting with a testing lab concerning Squeak FIPS 140-2 level 2 cryptographic certification. I would like to share the results of that meeting. Background: OpenSSL has received FIPS 140-2 certification. The fact that an open source project has received certification of their cryptographic module opens the door, in my opinion, for others to do the same. We have an opportunity to learn from their mistakes and success. Having the certification does a lot for our community. Having the certification opens the door for government agencies to use squeak, it allows businesses that work with government to use squeak, and it allows businesses that have high security requirements (which today with the advent of Sarbanes/Oxley in the US means all public companies, or with HIPAA all medical companies) to use squeak. Also we should consider the effects having the certification will have on using Croquet for secure collaboration over insecure networks like the internet. Plus it would help to generate some publicity. Having the certification is not the only way to go. Of course secure networking can be accomplished with other means, and there is a lot that the cryptography group can do to help make that easier for the community to accomplish. There are benefits to both paths that I would like to point out. Having our own libraries written in Smalltalk enhances our ability to educate developers on cryptology. It allows for more flexibility and creativity for supporting higher level protocols like SSL/TLS, SFTP, S-Mime... . Our certification may help to attract a wider security audience, developers, and contributors to Squeak. Using an external certified library instead of an internal squeak library allows us to focus on delivering Crytographic software and less on the cryptology itself. Using OpenSSL allows us to leverage their experience to enhance our software and leaves the onus and costs of certification to them. Meeting Summary: I met with SAIC which is a US Government approved testing lab, in Columbia Maryland. We discussed the following: Can a Smalltalk cryptographic library be isolated enough to allow developers to use the FIPS 140-2 certification to develop software that would also be considered FIPS 140-2 certified? The answer to this question is not simple and will have to be addressed in the initial assessment, the security policy documentation, the testing process, and by the government in its approval. In order for software developed from our certified squeak library to be considered FIPS 140-2 certified it must be able to show that it is using the cryptographic library unmodified, that the approved library was loaded and that the library is not modifiable. There are a number of ways that this can be accomplished, but none of them are simple. (My first thought was to identify and sign our packages and to change the VM to check the signature on startup and to not allow for changes to signed code. This functionality of signing packages may be useful regardless of our decision to pursue certification). What would be required from the cryptography team to get certification? We would have to implement all the standard tests and show that they all pass. We would have to write a security policy (we can use the OpenSSL security policy as a starting point). We would have to work with the lab to prove our code can be isolated, and make changes as required. Is additional padding in cipher text on a standard test considered a passing test? (This question is for the cryptography team) Standard tests are evaluated individually, but additional padding is usually disregarded when validating an algorithm. Additional padding can be added and still pass. How long will the process take? The lab offers an initial assessment which can be used to identify gaps and to help us plan our security policy. The assessment takes about 10-14 days to complete. At the end of the assessment we receive a detailed assessment report. The lab can write the security policy for us, they can also suggest outside consultants, or this is something that we could decide to do ourselves. The security policy will take several months to complete. The lab testing itself along with government communications and adjustments will take between 1 to 4 months to complete The Government certification itself will take between 8 to 12 months after lab testing is complete to get final approval. How much will all this cost? The costs are considerable. If we do most of the work ourselves we can get testing alone for USD $25K. If we start with an initial assessment and let the lab do the documentation it will cost USD $75K. Next Steps: There are no real next steps for now except to discuss if this is important enough for the community to pursue. Certification is a goal that has been identified by the cryptography team, but we can not accomplish this alone. Broader community support will be needed to get it done. Please give me your opinion. I hope that I've given you enough information for you to comment, if not please feel free to ask questions. Thank you, Ron Teitelbaum President / Principal Software Engineer US Medical Record Specialists [hidden email] Squeak Cryptography Team Leader winmail.dat (13K) Download Attachment |
Hi Ron -
> Also we should consider the effects having the certification > will have on using Croquet for secure collaboration > over insecure networks like the internet. An interesting thought. I have forwarded your message to the Croquet committee, but personally speaking I don't think we're quite at the point where the certification really matters. But of course, there would be no harm in having it anyway. Cheers, - Andreas Ron Teitelbaum wrote: > All, > > I've just finished meeting with a testing lab concerning Squeak FIPS 140-2 > level 2 cryptographic certification. I would like to share the results of > that meeting. > > Background: > > OpenSSL has received FIPS 140-2 certification. The fact that an open source > project has received certification of their cryptographic module opens the > door, in my opinion, for others to do the same. We have an opportunity to > learn from their mistakes and success. > > Having the certification does a lot for our community. Having the > certification opens the door for government agencies to use squeak, it > allows businesses that work with government to use squeak, and it allows > businesses that have high security requirements (which today with the advent > of Sarbanes/Oxley in the US means all public companies, or with HIPAA all > medical companies) to use squeak. Also we should consider the effects > having the certification will have on using Croquet for secure collaboration > over insecure networks like the internet. Plus it would help to generate > some publicity. > > Having the certification is not the only way to go. Of course secure > networking can be accomplished with other means, and there is a lot that the > cryptography group can do to help make that easier for the community to > accomplish. There are benefits to both paths that I would like to point > out. > > Having our own libraries written in Smalltalk enhances our ability to > educate developers on cryptology. It allows for more flexibility and > creativity for supporting higher level protocols like SSL/TLS, SFTP, > S-Mime... . Our certification may help to attract a wider security > audience, developers, and contributors to Squeak. > > Using an external certified library instead of an internal squeak library > allows us to focus on delivering Crytographic software and less on the > cryptology itself. Using OpenSSL allows us to leverage their experience to > enhance our software and leaves the onus and costs of certification to them. > > Meeting Summary: > > I met with SAIC which is a US Government approved testing lab, in Columbia > Maryland. We discussed the following: > > Can a Smalltalk cryptographic library be isolated enough to allow developers > to use the FIPS 140-2 certification to develop software that would also be > considered FIPS 140-2 certified? > > The answer to this question is not simple and will have to be addressed in > the initial assessment, the security policy documentation, the testing > process, and by the government in its approval. In order for software > developed from our certified squeak library to be considered FIPS 140-2 > certified it must be able to show that it is using the cryptographic library > unmodified, that the approved library was loaded and that the library is not > modifiable. There are a number of ways that this can be accomplished, but > none of them are simple. (My first thought was to identify and sign our > packages and to change the VM to check the signature on startup and to not > allow for changes to signed code. This functionality of signing packages > may be useful regardless of our decision to pursue certification). > > What would be required from the cryptography team to get certification? > > We would have to implement all the standard tests and show that they all > pass. We would have to write a security policy (we can use the OpenSSL > security policy as a starting point). We would have to work with the lab to > prove our code can be isolated, and make changes as required. > > Is additional padding in cipher text on a standard test considered a passing > test? (This question is for the cryptography team) > > Standard tests are evaluated individually, but additional padding is usually > disregarded when validating an algorithm. Additional padding can be added > and still pass. > > How long will the process take? > > The lab offers an initial assessment which can be used to identify gaps and > to help us plan our security policy. The assessment takes about 10-14 days > to complete. At the end of the assessment we receive a detailed assessment > report. > > The lab can write the security policy for us, they can also suggest outside > consultants, or this is something that we could decide to do ourselves. The > security policy will take several months to complete. > > The lab testing itself along with government communications and adjustments > will take between 1 to 4 months to complete > > The Government certification itself will take between 8 to 12 months after > lab testing is complete to get final approval. > > How much will all this cost? > > The costs are considerable. If we do most of the work ourselves we can get > testing alone for USD $25K. If we start with an initial assessment and let > the lab do the documentation it will cost USD $75K. > > Next Steps: > > There are no real next steps for now except to discuss if this is important > enough for the community to pursue. Certification is a goal that has been > identified by the cryptography team, but we can not accomplish this alone. > Broader community support will be needed to get it done. > > Please give me your opinion. I hope that I've given you enough information > for you to comment, if not please feel free to ask questions. > > Thank you, > > Ron Teitelbaum > President / Principal Software Engineer > US Medical Record Specialists > [hidden email] > Squeak Cryptography Team Leader > > > > > > > ------------------------------------------------------------------------ > > |
Free forum by Nabble | Edit this page |