NCipher Takes Hardware Security To Network Level

Joshua Hill josh-lists at untruth.org
Mon Oct 6 20:10:53 EDT 2003


> In fact, if you're clever, you can manage to not trouble yourself to get
> the key-management, etc. certified, getting only the simple, symmetric-cipher
> stuff run through the process.  

You can, but that doesn't mean that it's ok.

Key management is explicitly covered under FIPS 140-2.  If you have an
underlying FIPS 140-2 module doing the basic low level crypto, and then
have (crypto based) key management performed outside the module boundary,
the larger system is not a FIPS 140-2 module, FIPS 140-2 compliant, or
appropriate for the protection of sensitive but unclassified information
within a federal agency without a separate FIPS 140-2 validation of the
larger module.

> The government will still buy your "encryption devices" (FIPS-140
> certified)

That will greatly depend on the sophistication of the agency concerned.
The US Forest Service (for example) may not have the level of understanding
of the FIPS 140-2 standard that the US Navy has.

			Josh

---------------------------------------------------------------------
The Cryptography Mailing List