|
List Info Thread: Re: Full Disk Encryption solutions selected for US Government use
[1]
|
||||||||||||
|
about | contact Other archives ( Real Estate discussion Medical topics ) |
||||||||||||
Re: Full Disk Encryption solutions selected for US Government use |
|
List Info Thread: Re: Full Disk Encryption solutions selected for US Government use
[1]
|
||||||||||||
|
about | contact Other archives ( Real Estate discussion Medical topics ) |
||||||||||||
lt.gross.net> writes:
>FIPS 140(-2) is about validating cryptographic
implementations. It is not
>about certifying entire products that contain ample
functionality well
>outside the scope of cryptographic evaluation. That's
more of a Common
>Criteria thing.
Not necessarily. It's up to the vendor to draw the boundary
around what they
want evaluated. In some cases it's purely a single crypto
module, in others
it's significant portions of the application using the
crypto (and I guess
this would be the case for FDE, where pretty much the entire
application does
nothing but crypto). The advantage of the former is that
there's less to
evaluate, the advantage of the latter is that there's less
paperwork to handle
things like data crossing cryptomodule boundaries, which can
happen in cases
where most of your key management is done outside the core
crypto code.
However with the latter you can also declare large chunks of
your code non-
security-relevant and therefore out of scope, so you get the
benefits of a
fairly broad perimeter but not too much actual code to get
checked. It's
give-and-take with the evaluators, generally you juggle
things to get the most
benefit for the least amount of work (which doesn't
necessarily correspond to
the most thorough evaluation).
>OpenSSL FIPS Object Module 1.1.1 has FIPS 140-2 when
running on SUSE 9.0 and
>HPUX 11i, according to
>
><