RE: FIPS-140 required?
Dan Wing <dwing <at> cisco.com>
2007-02-05 22:09:23 GMT
Dan York wrote:
> Yes, we are occasionally seeing RFPs that state a FIPS-140
> requirement for any encryption, including that of SRTP. They
> are typically from government or occasionally financial institutions.
> (with my guy who works at Mitel hat)
> I am assuming this is probably true, but I want to just state
> it so that it's out in the open - I'm not entirely sure why
> you are asking, Dan,
Here is the approximate text that I am considering adding to
The United States Government can only purchase and use crypto
implementations that have been validated by the FIPS-140 [FIPS-140-2]
"This standard [FIPS-140] is applicable to all Federal agencies
that use cryptographic-based security systems to protect sensitive
information in computer and telecommunication systems (including
voice systems) ... The adoption and use of this standard is
available to private and commercial organizations."[cryptval]
Some commercial organizations, such as banks and defense contractors,
also require or prefer equipment which has been validated by the FIPS-140
and a new requirement:
A solution SHOULD use algorithms that allow FIPS 140-2
> but I would certainly NOT want to see
> any changes to SRTP RFCs or other documents that made
> FIPS-140 certification either a requirement or a default for
> SRTP. I would like to see (and believe you do too) SRTP
> adopted widely and would not want to set up barriers that
> might get in the way of a startup or other companies
> implementing SRTP (or using it as an excuse for why they can
> NOT implement SRTP). There's also the wee little detail that
> FIPS is only a US government standard (although various other
> countries do follow it).
Yes, FIPS-140 is a US Government standard, but I don't
understand the concern. For example, FIPS-140, today, allows
a module that implements IPsec to pass FIPS certification; this
does not mean IPsec is somehow evil or has weak security.
> Again, I'm assuming you are not doing this, but with such a
> cryptic question, I thought I'd just state that to be clear.
Ok, so you want to build equipment that can be FIPS compliant
and you want to build different equipment that cannot be
FIPS compliant? It'd be a mistake to choose an Internet
key exchange mechanism that, for example, did something that
made it impossible to pass FIPS certification.
> (with my guy who works with VOIPSA and wants to help
> encourage better VoIP security throughout the industry hat)
> Dan York, CISSP
> Dir of IP Technology, Office of the CTO
> Mitel Corp. http://www.mitel.com
> dan_york <at> mitel.com +1-613-592-2122
> PGP key (F7E3C3B4) available for
> secure communication
> Cullen Jennings <fluffy <at> cisco.com>
> Sent by: owner-ietf-rtpsec <at> mail.imc.org
> 02/04/2007 11:36 AM
> To: Dan Wing <dwing <at> cisco.com>
> cc: <ietf-rtpsec <at> imc.org>
> Subject: Re: FIPS-140 required?
> On Jan 26, 2007, at 2:54 PM, Dan Wing wrote:
> > Is anyone seeing a requirement for FIPS-140 for products that
> > implement
> > SRTP?
> (with my guy who works at cisco hat