Home page logo

basics logo Security Basics mailing list archives

FIPS 140-x validation
From: William Kupersanin <kuper () Glue umd edu>
Date: Wed, 24 Mar 2004 19:43:58 -0500 (EST)


I am wondering if there are other government types on this list that are
working to comply with FIPS 140-2 and how it impacts them. As it has been
presented at my workplace, nothing using cryptography can be purchased and
used unless it (or the cryptographic module within) has been validated to
FIPS 140-1 or 140-2 by NIST.

I must misunderstand the mandate.

It's bad enough that openSSL hasn't been validated yet so Apache and
openSSH are no-go's, but most of the hashing algorithms used to hash
passwords in the various operating systems aren't even compliant.

It was suggested to me that I could look to commercial libraries to
replace crypt with something that is validated but AFAIK that means
replacing libc on some systems. I'm not comfortable with that.

Does anyone have any perspective on how FIPS 140-x compliance might
actually work?


Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 

  By Date           By Thread  

Current thread:
  • FIPS 140-x validation William Kupersanin (Mar 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]