[Mono-dev] FIPS 140 cryptography

Sebastien Pouliot sebastien.pouliot at gmail.com
Thu Oct 11 12:03:59 EDT 2007


Hello Vladimir,

On Thu, 2007-10-11 at 11:04 -0400, Vladimir Giszpenc wrote:
> Sebastien,
> 
> > No. The short story is that "it's a big, long and costly project" and
> > that there's been, so far, not much demand for it (wrt to other Mono
> > features).
> 
> I agree that there are more pressing needs, but it never hurts to voice
> your own so they are recognized.

Well I can't agree more with that ;-) If no one had asked before today
we wouldn't even have considered it.

> I am a big Mono proponent, but it is difficult to compete with Java on
> maturity of tools.
> 
> > While it's less elegant (imho) you can still use FIPS140 certified
> > crypto in Mono by wrapping an existing toolkit (e.g. nss) in C# [1] and
> > using this as a replacement [2] for Mono's crypto (split in both
> > Mono.Security and mscorlib).
> 
> The Java community has JSS.  Would asking for a MonoSS be asking too much?

It depends on who you're asking ;-)

Network Security Services for Java (JSS) is provided by Mozilla. So yes
Mozilla *could* do something like this (not Mono-specific but for
all .NET users) just like they provide the API for Java.

However I don't think this (NSS) should ever become a direct(*) Mono
goal(**). Mono itself has already too many things to complete to afford
a duplicate effort (since we already offer the same features).

(*) Someone in the Mono (or .NET) community may be interested in
producing this. This is a reason (help alternatives) why Crimson
(http://www.mono-project.com/Crimson) was started last year. Sadly it
would seem that my offer to help people (rather than doing it myself)
was quite enough to produce much code ;-)

(**) certifying our own code for FIPS-140 is another story :)

> That seems like a big project as well.  This is not even what I am really
> looking for.  I need SSH.  I found the capability in SharpSSH, but in order
> for me to make certification labs happy, I need the encryption used in my
> SSH implementation to be FIPS 140 compliant.

Well as long as SharpSSH doesn't provide its own crypto (totally or
partially) it doesn't have to be certified. Which brings you back to
finding certified cryptographic implementations (like NSS) available
through Mono.

> > [1] which is exactly what MS is doing on Windows: the FIPS140 crypto
> > comes from CryptoAPI (managed stuff isn't certified) and wrapped in the
> > class library.
> > 
> > [2] it's possible to remap cryptographic algorithms using machine.config
> > (so all mono tools and *correctly* written applications/libraries will
> > be using your own crypto).
> 
> That is nice for Windows, but I am targeting Linux.  I would love to point
> some config file at NSS.  Is there any chance such a thing will happen?

Well the config remapping stuff already works on Mono/Linux, so it's a
matter of finding alternate cryptographic implementations that match
your needs (fips140 certified). Mono itself is ready to use it ;-)

> I am a little peon doing R&D hoping to move the Army toward accepting Mono.
> Any help you can give me would be much appreciated!

Besides NSS there are other FIPS140 certified libraries that could be
wrapped to give the same end result. However I don't know any available
on Linux that have .NET bindings.

> 
> Many Thanks,
> 
> Vladimir Giszpenc
> DSCI Contractor Supporting
> US Army CERDEC S&TCD IAD Tactical Network Protection Branch
> (732) 532-8959
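An added example, not from this thread, of what "*correctly* written" means for the machine.config remapping discussed above: algorithms obtained through CryptoConfig (e.g. SHA1.Create()) follow the mapping, while a hard-wired constructor bypasses it, and an application can check at startup which one it got. The <cryptoNameMapping> layout is the real .NET/Mono machine.config format; the wrapper class and assembly names are assumed placeholders for a FIPS-validated (e.g. NSS-backed) implementation.

```csharp
// Assumed machine.config fragment (class/assembly names are placeholders):
//
//   <configuration>
//     <mscorlib>
//       <cryptographySettings>
//         <cryptoNameMapping>
//           <cryptoClasses>
//             <cryptoClass NssSha1="Example.NssSha1, Example.NssWrapper" />
//           </cryptoClasses>
//           <nameEntry name="SHA1" class="NssSha1" />
//           <nameEntry name="System.Security.Cryptography.SHA1" class="NssSha1" />
//         </cryptoNameMapping>
//       </cryptographySettings>
//     </mscorlib>
//   </configuration>
using System;
using System.Security.Cryptography;

static class CryptoRemapCheck
{
    // Correct: the instance is resolved through CryptoConfig, so the
    // machine.config <nameEntry> for "SHA1" decides which class is used.
    static HashAlgorithm Remappable()
    {
        return SHA1.Create();
    }

    // Wrong: the managed implementation is hard-wired; the remap is
    // silently bypassed and the certified wrapper is never used.
    static HashAlgorithm HardWired()
    {
        return new SHA1Managed();
    }

    // True when "SHA1" resolves to something other than the two built-in
    // classes, i.e. the machine.config mapping is actually in effect.
    static bool RemapActive()
    {
        Type t = Remappable().GetType();
        return t != typeof(SHA1Managed) && t != typeof(SHA1CryptoServiceProvider);
    }

    static void Main()
    {
        Console.WriteLine("SHA1.Create()     -> " + Remappable().GetType().AssemblyQualifiedName);
        Console.WriteLine("new SHA1Managed() -> " + HardWired().GetType().Name);
        Console.WriteLine(RemapActive() ? "remap active" : "remap NOT active");
    }
}
```

Without the assumed mapping in place, RemapActive() returns false on a stock Mono or .NET install, which is the expected baseline before the wrapper is deployed.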