Forwarded From: Gary Porter <grporter@nps.navy.mil>
Tuesday September 1 12:43 PM EDT
Microsoft says NT to support government encryption
By Kristen Philipkoski
SAN FRANCISCO (Wired) - Microsoft announced Monday that it will add
support in its Windows NT products for a US government encryption protocol
used to scramble sensitive, but nonclassified, communications.
The Fortezza protocol was recently declassified, opening the door for
third-party developers like Microsoft to use it in commercial software
products.
But before Microsoft Corp (MSFT - news) can sell its Fortezza-encrypted
Windows NT products to government agencies, it must pass a test
implemented by the National Institute of Standards Technology (NIST)
called the Federal Information Processing Standard (FIPS). The FIPS 140-1
test describes the government's requirements for hardware and software
products using encryption.
If NT passes muster, Microsoft plans to supply products for several US
Department of Defense initiatives, including messaging systems and network
security frameworks.
Does that mean it will boost security in government-run computer networks?
``It will make security a little bit easier,'' said Bruce Schneier, author
of Applied Cryptography and president of Counterpane Systems. ``Now it
will get wider use. It's a lot better than no Fortezza. There's nothing
less secure than a product that isn't used.''
The algorithms for Fortezza and other government encryption protocols were
classified until June 23 when the National Security Agency (NSA) released
the codes for use in commercial software. Some observers think the
government's crypto protocols shouldn't have been released at all.
David Banisar, policy director at the Electronic Privacy Information
Center said the Fortezza standard is ``slow, dumb, and it doesn't do a
very good job.... Five years ago, they announced the Fortezza card and the
clipper chip and said 'No, we can't give you that because it will threaten
the national security.' The thing went nowhere, they shut down the
security lines. They realized no one wants to use this garbage.''
In supporting the standard, Microsoft will be able to secure more
government contracts for its products-and get a marketing tool for Windows
NT, to boot. ``It gives us an evaluation and gives customers confidence,''
said Karan Khanna, lead product manager for Windows NT security.
NIST representatives said the FIPS test is not meant as an endorsement of
a vendors' product but is merely a verification that it meets government
requirements.
``We have three accredited testing labs,'' explained Jim Foti, a member of
the technical staff of the computer security division at NIST. ``(They
will) provide us with a final testing report, then we'll issue a
validation standard certificate. It's not endorsement; it's validation
that the requirements have been met.''
Schneier was quick to add that the Fortezza crypto is only one component
of a network's security framework.
``This has nothing to do with NT security per se,'' Schneier said. ``It's
like adding secure telephones to your home-it has to do with the security
of your communication, not the security of your house. It won't affect
other security holes.''
Spyrus, the main vendor of Fortezza products, is working with Microsoft on
its CryptoAPI programming interfaces to ensure FIPS compliance. CygnaCom
Solutions will test the Microsoft products for FIPS certification.
Microsoft's Exchange and Outlook client software currently support
Fortezza. Eventually, the company plans to add it to Internet Information
Services and Internet Explorer 5.
Microsoft's expects the cryptographic module to pass the FIPS 140-1 test
and be available for the Windows NT Server version 4.0 and Workstation 4.0
by the end of the year. The company also expects that the FIPS-approved
software will ship as a core component of the system's version 5.0.
(Reuters/Wired)
-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Thu Sep 3 09:45:27 1998