Hello everyone!

I work for a company that uses OpenSSH to remotely support systems we've sold. Since some of our clients are US Dept. of Defense hospitals, our access to these servers needs to comply with a whole range of requirements and standards. At this point it's looking like the SSH daemon needs to be FIPS 140-2 compliant, and the only package that is certified is F-Secure.

The other option is for CliniComp to sponsor getting OpenSSH through the certification process, and that's what I'm exploring.

I'd really appreciate knowing what the core developers think about this, and how willing they would be to assist in the process. I know there will need to be a fair amount of documentation, and there is no substitute for first-hand knowledge. Also, it seems pretty clear that at least some code changes will be needed including self-tests, a new prng, and work in the key generation & validation modules.

While we (CliniComp) do have some resources including technical writers and programmers, we certainly do not have the expertise in cryptography to just do it all ourselves. And if this does happen, part of the point would be for the necessary changes to be rolled back into the standard package.

Please understand that right now I'm just exploring possibilities, but the other option for us is to spend a lot of money on F-Secure licenses.

I would very much appreciate hearing your thoughts and from anyone else interested in making this happen.

Thanks,
--Nathan

On Fri, 27 Sep 2002, Nathan Bardsley wrote:
> Hello everyone!
>
> I work for a company that uses OpenSSH to remotely support systems we've
> sold. Since some of our clients are US Dept. of Defense hospitals, our
> access to these servers needs to comply with a whole range of
> requirements and standards. At this point it's looking like the SSH
> daemon needs to be FIPS 140-2 compliant, and the only package that is
> certified is F-Secure.
>

Where are these 'DIPS 140-2' requirements? If they are anything like the other military requirements they are impractical and insane (yes I've had some time in the area. Not my idea of fun =).

> The other option is for CliniComp to sponsor getting OpenSSH through the
> certification process, and that's what I'm exploring.
>
> I'd really appreciate knowing what the core developers think about this,
> and how willing they would be to assist in the process. I know there
> will need to be a fair amount of documentation, and there is no
> substitute for first-hand knowledge. Also, it seems pretty clear that at
> least some code changes will be needed including self-tests, a new prng,
> and work in the key generation & validation modules.
>

We have a regress/ section in the current tree.

What is the issue with prng? You really should be using kernel level devices. prngd and built-in prng should be a last resort. Besides, I bet our prng could easily get certified by NIST. It is a more sane implementation than some of the NIST certified stuff at my work. =)

- Ben

> I'm surprised that you are using IRIX. I would not have thought IRIX
> would have gotten FIPS rating. AIX or Solaris Trusted would not have
> surprised me. Guess I'll have to have a chat with a buddy
> over there. =)

See http://niap.nist.gov/cc-scheme/CCEVS-CC-VID401-SGI_IRIX.html for details. (disclaimer: I work for SAIC and was involved in preparing the evidence for this evaluation. TRIX was evaluated at the same time.)

I'd be very interested in following up on FIPS 140 [series] certification of OpenSSL/OpenSSH as well, but as others have noted it might be a difficult process even with a financial sponsor.

--
Rip Loomis
Senior Systems Security Engineer
SAIC Secure Business Solutions Group
www.saic.com/securebiz
Center for Information Security Technology
www.cist-east.saic.com