[Mono-dev] FIPS 140 cryptography

Sebastien Pouliot sebastien.pouliot at gmail.com
Fri Oct 17 09:56:21 EDT 2008 

Hello Vladimir,

On Fri, 2008-10-17 at 08:45 -0400, Vladimir Giszpenc wrote:
> > > The Java community has JSS.  Would asking for a MonoSS be asking too
> > > much?
> > 
> > It depends from who you're asking ;-)
> 
> Think of me as an ISV that wants to produce applications for the US
> government.  The entire federal government including DoD is mandated to
> use FIPS compliant crypto libraries.  
> > 
> > Network Security Services for Java (JSS) is provided by Mozilla. So
> yes
> > Mozilla *could* do something like this (not Mono-specific but for
> > all .NET users) just like they provide the API for Java.
> 
> OK.  Today the picture is a little different.  Red Hat produced Python
> bindings https://fedoraproject.org/wiki/Features/PythonNSS .  These will
> be in fedora 10.  And someone is producing Perl bindings
> http://search.cpan.org/~claesjac/Crypt-NSS-0.03/lib/Crypt/NSS.pm

I think it's great news. 

Note that both previous examples shows where the *community*, not the
core project, came up with extra libraries to enhance their beloved
language.

> Making Mono and SuSE second class citizens in this realm.

I can understand your point (on that very precise realm) about Mono but
why SuSE ?

Are they not providing PythonNSS or Perl's NSS like other distros ?
because I'm pretty sure no other distro offers NSS bindings for mono ;-)

> > However I don't think this (NSS) should ever become a direct(*) Mono
> > goal(**). Mono itself has already too many things to complete to
> afford
> > a duplicate effort (since we already offer the same features).

I still did not change my mind from above. This is still a "one request
per year" issue where most of the stuff in Mono roadmap is being
anticipated but much larger crowd.

> I am going to show my inexperience so please don't get upset when you
> tell me it is not so simple.  Is there not a way to automatically
> generate a bunch of C# stubs based on the C headers?

<not-upset>
I'm not a big fan of bindings as I like my world managed as much as
possible ;-). Other people should be able to answer this more precisely.

My *guess* is that, like everything Mozilla-related (e.g. moonlight
plugin, reusable web browser component), it's not as easy as it looks.

Then you must go on to make this play happily with the .NET crypto
(since to be FIPS140 you need to ensure no other crypto is being used
internally), packaging (across all different distro, versions of
NSS...).

So it's nothing impossible and it's not harder (nor easier) than it was
last time the question was raised.
</not-upset>

> > Besides NSS there are other FIPS140 certified libraries that could be
> > wrapped to give the same end result. However I don't know any
> available
> > on Linux that have .NET binding.
> 
> If you are thinking of OpenSSL it is not as attractive (neither as
> current nor Level 2 certified) as NSS.  If you are thinking of CryptoAPI
> it is a Windows only technology.  I like NSS because it is cross
> platform (on top of NSPR) and certified to the teeth.

I did not list them on purpose because there are several certified
products - a bunch of them I have never seen personally. It's not clear
if you're looking for an open source product or not since you listed
CryptoAPI which is supported by Mono (Mono.Security.Win32) but, as you
said, limited to win32 operating systems.

If you want something open source there are not so many choice. Beside
the one mentioned above there is (at least) another one: Crypto++ [1],
but its C++ based, so it would be a bit harder (but not impossible) to
create .net bindings.

[1] http://www.cryptopp.com/

> Btw, will Crimson come out of hibernation?

Good question :)

Long answer:

        Crimson was created because a few people wanted to make changes
        in Mono's crypto code that caused a lot of problems (export
        paperwork not the least of them). 
        
        Since many of those people wanted/needed my help I offered
        Crimson as a way to express their imagination without the limits
        of what mono/mcs requires. This is made somewhat easy because of
        the built-in extensibility model used by .NET cryptography.
        
        The Crimson inactivity since then shows that (many) people talk
        a bit more than they code ;-) but don't worry I don't take any
        offense in that :-)
        
Short answer: whenever people are interested in experimenting crypto
stuff. I will be happy to help/guide them!


Finally if you want to use Crimson as a test bed for NSS bindings I
would be happy to help you (and anyone else) work around any major issue
you face (in my free time).

Sebastien

More information about the Mono-devel-list mailing list