Forwarded From: Phillip Renouf <phillipr@sobeys.ca>
Originally From: Jason Garms <jasong@MICROSOFT.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
To clarify: Microsoft absolutely did NOT fail the FIPS 140-1 testing. The
DSS CSP (the module being tested) has not undergone final testing, so
it is not possible that it failed.
Some additional Q&As below with more information if you're interested.
Thanks,
-jasong
Jason Garms
Product Manager
Windows NT Security
Microsoft Corporation
JasonG@Microsoft.Com
Q: Did Microsoft Windows NT 4.0 (or other components) recently fail any FIPS
140-1 cryptography tests?
A: No. Microsoft absolutely did NOT fail the FIPS 140-1 testing. The FIPS
140-1 evaluation process evaluates cryptographic modules, not operating
systems. The component that Microsoft has submitted for evaluation is the
Microsoft Enhanced DSS/Diffie-Hellman Cryptographic Provider (CSP). The DSS
CSP (the module being tested) has not undergone final testing, so it is
not possible that it failed.
Microsoft recently received algorithm validation certificates for the
multiple algorithms implemented in the Microsoft Enhanced DSS/Diffie-Hellman
Cryptographic Provider (CSP). This is a critical prerequisite for final FIPS
140-1 validation of the complete cryptomodule. Specifically, Microsoft has
received validation certificates for the following algorithms as implemented
in the DSS CSP:
- DSA/SHA-1 according to FIPS 186-1 and FIPS 180-1. See
http://csrc.nist.gov/cryptval/dss/dsaval.htm, item 17.
- DES according to FIPS 46-2 and FIPS 81. See
http://csrc.nist.gov/cryptval/des/desval.htm, item 45.
Q: Did Microsoft's FIPS 140-1 testing lab find any security weaknesses in
Microsoft Windows NT 4.0?
A: No. The testing lab was never contracted to examine the security of the
Microsoft Windows NT 4.0 operating system or the Microsoft CryptoAPI.
Rather, the testing lab was hired specifically to test the Microsoft
Enhanced DSS/Diffie-Hellman Cryptographic Provider, a.k.a. DSSENH.DLL,
against the FIPS 140-1 standard. While accredited CMVP testing laboratories
do make design and implementation recommendations back to the vendor to
maximize the probability that a cryptomodule will achieve FIPS 140-1
validation, no redesign or changes in the core Windows NT product were
required.
Q: Will installation of the Microsoft FIPS 140-1 cryptomodule interfere with
the operation of Internet Explorer 4.0, Outlook 98, or any other
applications?
A: No. The FIPS 140-1 validated Microsoft Enhanced DSS/Diffie-Hellman
Cryptographic Provider, a.k.a. DSSENH.DLL, is a new cryptomodule that is
being added to the arsenal of cryptomodules (a.k.a. cryptographic providers)
already installed in Microsoft Windows 4.0 and does not replace and/or patch
any existing cryptographic providers. Existing applications that have not
been written to specifically take advantage of the DSS/Diffie-Hellman cipher
suite will not be affected by installation of the Microsoft FIPS 140-1
cryptomodule in any way. While applications such as Internet Explorer 4.0
and Outlook 98 will not take advantage of the new Microsoft FIPS 140-1
cryptomodule, they will continue to work unaffected by the new cryptomodule
by using the cryptographic providers preinstalled with Windows NT 4.0 and
Internet Explorer 4.0. Updated products and features will take advantage of
the FIPS cryptomodule. For example, Internet Explorer 5.0 can operate in a
FIPS-compliant mode by using this cryptomodule.
Q: How will the final FIPS 140-1 approved cryptomodule be shipped?
A: It is not clear at this time what the shipping vehicle for a Windows NT
4.0 version of this CSP will be. As soon as the module completes evaluation,
the shipping vehicle will be determined.
Received on Thu Mar 11 17:04:58 1999