[FDE] FIPS 140-2: When operated in FIPS mode? (Flagstone, Spyrus, Utimaco, Poinsect, MobileArmor)
Ali, Saqib
docbook.xml at gmail.com
Fri May 2 11:43:43 MDT 2008
Eric,
Thanks for the clarification.
Elsewhere, I learned that an encryption product (hardware or
software) is restricted to single-user mode when operating in FIPS
mode. That is, there can be only ONE user account that can perform the
decryption. Administrative / Helpdesk or other recovery accounts are
not possible in FIPS mode. Is this correct?
Thanks
On Thu, May 1, 2008 at 1:47 PM, <eric.lengvenis at wellsfargo.com> wrote:
> Just because they use FIPS approved or validated algorithms doesn't mean
> they are FIPS validated modules. There is much more than just correctly
> implementing the algorithm to FIPS mode. Some that come to mind are
> zeroizing the key store if a tamper is suspected, or if account lock-out
> numbers are reached, etc. Depending on the level of validation, physical
> keys (dongles, USB, smart cards) are needed to enable the device.
>
> Most encryption products have the option of running in FIPS mode or
> non-FIPS mode. Generally FIPS modes are far more restrictive and slower
> than necessary for typical non-classified usage. But, if you are storing
> the root of your PKI on the disk, it would probably be considered a best
> practice.
>
> Eric Lengvenis
> Security Architecture
>
> -----Original Message-----
> From: fde-bounces at www.xml-dev.com [mailto:fde-bounces at www.xml-dev.com]
> On Behalf Of Ali, Saqib
> Sent: Thursday, May 01, 2008 2:55 PM
> To: fde
> Subject: [FDE] FIPS 140-2: When operated in FIPS mode? (Flagstone,
> Spyrus,Utimaco, Poinsect, MobileArmor)
>
> I was looking at the FIPS 140-2 Certificate[1] for Stonewood's
> Flagstone product, and it has a clause that says "(When operated in
> FIPS mode)". What does this clause mean?
>
> I was under the impression that since Flagstone only implements FIPS
> validated encryption algorithms (128-bit AES CBC/ECB and ANSI X9.31
> AES 128 bit RNG) there would be no non-FIPS mode.
>
> I later found out that Spyrus, Utimaco, Poinsect, MobileArmor have
> the same clause.
>
>
> 1.
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/140crt779.pdf
> _______________________________________________
> FDE mailing list
> FDE at www.xml-dev.com
> http://www.xml-dev.com/mailman/listinfo/fde
--
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net