[Mono-dev] FIPS 140 cryptography

Miguel de Icaza miguel at novell.com
Thu Oct 11 12:43:34 EDT 2007


Hello,

   I have updated our FAQ with the details from this discussion. I
encourage folks to keep our FAQs updated when we come across
information like this:

   http://www.mono-project.com/FAQ:_Security#FIPS_Certification

   Feel free to correct or fix it.

> Hello Vladimir,
> 
> On Thu, 2007-10-11 at 11:04 -0400, Vladimir Giszpenc wrote:
> > Sebastien,
> > 
> > > No. The short story is that "it's a big, long and costly project" and
> > > that there's been, so far, not much demand for it (wrt other Mono
> > > features).
> > 
> > I agree that there are more pressing needs, but it never hurts to voice
> > your own so they are recognized.
> 
> Well I can't agree more with that ;-) If no one had asked before today
> we wouldn't even have considered it.
> 
> > I am a big Mono proponent, but it is difficult
> > to compete with Java on maturity of tools.
> > 
> > > While it's less elegant (imho) you can still use FIPS140 certified
> > > crypto in Mono by wrapping an existing toolkit (e.g. nss) in C# [1] and
> > > using this as a replacement [2] for Mono's crypto (split in both
> > > Mono.Security and mscorlib).
> > 
> > The Java community has JSS.  Would asking for a MonoSS be asking too much?
> 
> It depends on who you're asking ;-)
> 
> Network Security Services for Java (JSS) is provided by Mozilla. So yes
> Mozilla *could* do something like this (not Mono-specific but for
> all .NET users) just like they provide the API for Java.
> 
> However I don't think this (NSS) should ever become a direct(*) Mono
> goal(**). Mono itself has already too many things to complete to afford
> a duplicate effort (since we already offer the same features).
> 
> (*) Someone in the Mono (or .NET) community may be interested in
> producing this. This is a reason (help alternatives) why Crimson
> (http://www.mono-project.com/Crimson) was started last year. Sadly it
> would seem that my offer to help people (rather than doing it myself)
> was quite enough to produce much code ;-)
> 
> (**) certifying our own code for FIPS-140 is another story :)
> 
> > That seems like a big project as well.  This is not even what I am really
> > looking for.  I need SSH.  I found the capability in SharpSSH, but in order
> > for me to make certification labs happy, I need the encryption used in my
> > SSH implementation to be FIPS 140 compliant.
> 
> Well as long as SharpSSH doesn't provide its own crypto (totally or
> partially) it doesn't have to be certified. Which brings you back to
> finding certified cryptographic implementations (like NSS) available
> through Mono.
> 
> > > [1] which is exactly what MS is doing on Windows: the FIPS140 crypto
> > > comes from CryptoAPI (managed stuff isn't certified) and wrapped in the
> > > class library.
> > > 
> > > [2] it's possible to remap cryptographic algorithms using machine.config
> > > (so all mono tools and *correctly* written applications/libraries will
> > > be using your own crypto).
> > 
> > That is nice for Windows, but I am targeting Linux.  I would love to point
> > some config file at NSS.  Is there any chance such a thing will happen?
> 
> Well the config remapping stuff already works on Mono/Linux, so it's a
> matter of finding alternate cryptographic implementations that match
> your need (fips140 certified). Mono itself is ready to use it ;-)
> 
> > I am a little peon doing R&D hoping to move the Army toward accepting Mono.
> > Any help you can give me would be much appreciated!
> 
> Besides NSS there are other FIPS140 certified libraries that could be
> wrapped to give the same end result. However I don't know any available
> on Linux that have .NET binding.
> 
> > 
> > Many Thanks,
> > 
> > Vladimir Giszpenc
> > DSCI Contractor Supporting
> > US Army CERDEC S&TCD IAD Tactical Network Protection Branch
> > (732) 532-8959
> > _______________________________________________
> > Mono-devel-list mailing list
> > Mono-devel-list at lists.ximian.com
> > http://lists.ximian.com/mailman/listinfo/mono-devel-list
> 
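As an added example (not code from this thread or from Mono itself), this is what the machine.config remapping Sebastien refers to looks like, together with a small C# check that the mapping is actually in effect at runtime; the wrapper class Acme.Fips.Sha256Wrapper in Acme.Fips.dll is a hypothetical placeholder for a C# wrapper around a FIPS-validated native toolkit such as NSS.

```csharp
// Added example, not from the original thread. Assumes a hypothetical class
// Acme.Fips.Sha256Wrapper (in Acme.Fips.dll) deriving from
// System.Security.Cryptography.SHA256 and delegating to a FIPS-validated
// native library. The machine.config fragment below uses the CryptoConfig
// name-mapping format read by Mono and .NET 1.x/2.x:
//
// <configuration>
//   <mscorlib>
//     <cryptographySettings>
//       <cryptoNameMapping>
//         <cryptoClasses>
//           <cryptoClass FipsSha256="Acme.Fips.Sha256Wrapper, Acme.Fips" />
//         </cryptoClasses>
//         <nameEntry name="SHA256" class="FipsSha256" />
//         <nameEntry name="System.Security.Cryptography.SHA256" class="FipsSha256" />
//       </cryptoNameMapping>
//     </cryptographySettings>
//   </mscorlib>
// </configuration>

using System;
using System.Security.Cryptography;

static class CryptoMappingCheck
{
    // True when CryptoConfig resolves the friendly name to the expected
    // wrapper type, i.e. the machine.config mapping is active in this process.
    public static bool IsMapped(string name, string expectedTypeFullName)
    {
        object impl = CryptoConfig.CreateFromName(name);
        return impl != null && impl.GetType().FullName == expectedTypeFullName;
    }

    static void Main()
    {
        const string wrapper = "Acme.Fips.Sha256Wrapper"; // hypothetical

        // "Correctly written" code goes through the factory and picks up
        // whatever machine.config maps the name to.
        using (SHA256 viaFactory = SHA256.Create())
            Console.WriteLine("SHA256.Create()     -> " + viaFactory.GetType().FullName);

        // Hard-coding a concrete class bypasses the mapping entirely; a FIPS
        // review of an application has to find and fix such call sites.
        using (SHA256 hardCoded = new SHA256Managed())
            Console.WriteLine("new SHA256Managed() -> " + hardCoded.GetType().FullName);

        Console.WriteLine("mapping active: " + IsMapped("SHA256", wrapper));
    }
}
```

Without the mapping in place, both lines print the runtime's own managed implementation and IsMapped returns false, which is the quick way to confirm whether a deployed Mono host is routing crypto through the wrapper.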


