Forwarded From: Nelson Murilo <nelson@pangeia.com.br>
[http://www.wired.com/news/news/technology/story/14757.html]
Microsoft Tries Government Crypto
by Kristen Philipkoski
4:00am 1.Sep.98.PDT
Microsoft announced Monday that it will add support in its Windows NT
products for a US government encryption protocol used to scramble
sensitive, but nonclassified, communications. The Fortezza protocol was
recently declassified, opening the door for third-party developers like
Microsoft to use it in commercial software products.
But before Microsoft can sell its Fortezza-encrypted Windows NT products
to government agencies, it must pass a test implemented by the National
Institute of Standards and Technology (NIST) called the Federal Information
Processing Standard (FIPS). The FIPS 140-1 test describes the government's
requirements for hardware and software products using encryption.
If NT passes muster, Microsoft (MSFT) plans to supply products for several
US Department of Defense initiatives, including messaging systems and
network security frameworks.
Does that mean it will boost security in government-run computer networks?
"It will make security a little bit easier," said Bruce Schneier, author
of Applied Cryptography and president of Counterpane Systems. "Now it
will get wider use. It's a lot better than no Fortezza. There's nothing less
secure than a product that isn't used."
The algorithms for Fortezza and other government encryption protocols were
classified until 23 June when the National Security Agency (NSA) released
the codes for use in commercial software. Some observers think the
government's crypto protocols shouldn't have been released at all.
David Banisar, policy director at the Electronic Privacy Information
Center, said the Fortezza standard is "slow, dumb, and it doesn't do a very
good job.... Five years ago, they announced the Fortezza card and the
clipper chip and said 'No, we can't give you that because it will threaten
the national security.' The thing went nowhere, they shut down the
security lines. They realized no one wants to use this garbage."
In supporting the standard, Microsoft will be able to secure more
government contracts for its products -- and get a marketing tool for
Windows NT, to boot. "It gives us an evaluation and gives customers
confidence," said Karan Khanna, lead product manager for Windows NT
security.
NIST representatives said the FIPS test is not meant as an endorsement of
a vendor's product but is merely a verification that it meets government
requirements.
"We have three accredited testing labs," explained Jim Foti, a member of
the technical staff of the computer security division at NIST. "(They
will) provide us with a final testing report, then we'll issue a validation
standard certificate. It's not endorsement; it's validation that the
requirements have been met."
Schneier was quick to add that the Fortezza crypto is only one component
of a network's security framework.
"This has nothing to do with NT security per se," Schneier said. "It's like
adding secure telephones to your home -- it has to do with the security of
your communication, not the security of your house. It won't affect other
security holes."
Spyrus, the main vendor of Fortezza products, is working with Microsoft on
its CryptoAPI programming interfaces to ensure FIPS compliance. CygnaCom
Solutions will test the Microsoft products for FIPS certification.
Microsoft's Exchange and Outlook client software currently support
Fortezza. Eventually, the company plans to add it to Internet Information
Services and Internet Explorer 5.
Microsoft expects the cryptographic module to pass the FIPS 140-1 test
and be available for the Windows NT Server version 4.0 and Workstation 4.0
by the end of the year. The company also expects that the FIPS-approved
software will ship as a core component of the system's version 5.0.
Received on Tue Sep 1 22:28:15 1998