RE: FIPS-140 required?
I would point out that FIPS 140-2 is targeting the
"cryptographic modules" rather than "cryptographic algorithms". Given the
context of the standard, the former is more on the implementation and system
side, while the latter is more on the abstract side allowing for various
implementations: "The security requirements cover areas related
to the secure design and implementation of a cryptographic module". As a
matter of fact the word "algorithm" is not used in this standard at all (except
for the Glossary section).
Consequently, the following statement may be more accurate
to use and may have less limiting connotation for the SRTP:
"A solution using the algorithms SHOULD allow for the FIPS
140-2 certification".
Regards,
Eugene Nechamkin,
Broadcom Corp.
Dan,
Thanks for the reply. You've addressed my issue
with this:
> A solution SHOULD use algorithms that allow FIPS 140-2
> certification.
My point was that I didn't want to see a
MUST in there. I didn't want to see the FIPS requirement used as an excuse
by any company as to why they could NOT use SRTP. (i.e. "We haven't
implemented it because the work required to have a FIPS-compliant algorithm is
too much.")
However, I also further
understand that you are working on the requirements for the keying algorithm and
I do agree... any keying algorithm used for SRTP *should* allow for the
potential of FIPS 140-2 certification should the vendor/manufacturer wish to
pursue that for their implementation of SRTP.
Thanks,
Dan
--
Dan York, CISSP
Dir of IP Technology, Office of the CTO
Mitel Corp. http://www.mitel.com
dan_york@xxxxxxxxx
+1-613-592-2122
PGP key (F7E3C3B4) available for secure communication