Dailydave mailing list archives

Re: Fwd: How important is FIPS 140-2 Level 1 cert?


From: felix-dailydave () fefe de
Date: Tue, 9 Jan 2007 21:01:37 +0100

Thus spake Saqib Ali (docbook.xml () gmail com):
> The following excellent post by Karl Levinson appeared on
> Security-Basics mailing list:

> ---------- Forwarded message ----------

> FIPS certification is only one of many factors that might indicate how
> secure a system will be in actual use, and unless you're in the US
> Federal government, it is arguably not one of the most useful things
> you should be looking at.

FIPS indicates no such thing.

FIPS indicates that your device has passed some rudimentary
functionality tests.  It does NOT mean that some agency looked at your
product and found no backdoors.  Nobody even tried.

FIPS basically says that someone took a few test vectors, ran the
product algorithms on them, and the right results came out.

Frankly, that does not mean anything.  It's a rubber stamp.
Companies do that to sway gullible customers.

> Like NIAP Common Criteria, FIPS certification is probably expensive
> and time consuming for the vendor, so that the products that get it
> would tend to be older products from larger, more monolithic
> companies, which may not necessarily guarantee you're getting
> superlative security.

Haha, well said.

In my experience there is no quality difference between large and small
companies.  What differs is that often smaller companies react quicker
to security issues, because for them more is at stake.

> Bottom line, make sure you know what FIPS certification does and
> doesn't guarantee.  I'm not sure I would pay double for a product that
> might be less secure than the cheaper solution, depending on how
> exactly it's implemented.  But then that also depends on your security
> needs and your tolerance for various kinds of risk, so there's no one
> universal answer that is true for all.

Since FIPS does not guarantee anything tangible, I would generally stay
clear of FIPS certified products.  It means the vendor spent money on a
dubious certification rather than on making the product better.

Now, story time. :-)

I once had this revealing discussion with the head of the German agency
that does this kind of certification.  I asked him what kind of bugs
they would have to find so a product does not get certified.  And he
said: all products get certified.  They don't look for bugs.  Even if
they wanted to, they don't have the manpower.  So I asked what they would
do if a really obvious back door happened to fall in their lap.
And he said they had that case once.  They complained and got shot down
for it politically.  Turns out it was some kind of NATO thing.  *cough*

I wanted to know if the level of certification makes a difference.  No,
it doesn't.  If they think a product sucks, they can only signal that by
the recommendation they give to state agencies up to what secrecy level
that device can be used.  The same way they recommend how big the
stripes of the paper shredder need to be, they have levels for
confidentiality in internal usage for other areas, too, like crypto
software.  And that's where they can say whether they think the product
is any good.

So, in conclusion: FIPS may not be outright fraud, but advertising it as
a certificate for security achievements is pretty borderline.

Felix

PS: if anyone asks me about the above story, I'll deny everything.
This email will self destruct in 5 seconds.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave