Microsoft .NET PRNG (fwd)
Ed Reed
ereed at novell.com
Mon Aug 16 15:20:25 EDT 2004
Been there, done that...
http://csrc.nist.gov/cryptval/140-1/1401val2001.htm#138
Win95 & Win98 are pretty programs running on DOS.
I've generally taken FIPS 140-1 level 1 to be about whether you got the
software right, not whether it protects secrets. Level 2 only relies on
TCSEC or Common Criteria operating system profiles having DAC (not
requiring MAC) and tamper evidence (sticky tape on the cage door or
such).
FIPS 140 is a crypto quality metric, it seems. Not crypto security.
Right?
That said, if you had a FIPS 140 crypto package running on DOS box that
meets all the Level 3 or Level 4 requirements for tamper resistance, (is
Tempest required to suppress EMI?), etc. then that would be "fun", at
least. But the crypto itself wouldn't be all that different, would it?
Ed
>>>Peter Gutmann <pgut001 at cs.auckland.ac.nz> 08/16/04 1:10 am >>>
"Anton Stiglic" <astiglic at okiok.com> writes:
>There is some detail in the FIPS 140 security policy of Microsoft's
>cryptographic provider, for Windows XP and Windows 2000.
As I've said in a previous post, the best documentation for the RNG is
in
"Writing Secure Code (2nd ed)". The main purpose of the CryptoAPI FIPS
140
documentation is to document an active penetration attack on the FIPS
140
certification process (I could get an 8086 MSDOS machine FIPS 140
certified
[0] using their methodology).
Peter.
[0] If anyone would like to fund, please get in touch :-).
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to
majordomo at metzdowd.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list