Archive for December, 2006
Tenable on Dumb Security Ideas
Thursday, December 14th, 2006
Check out this blog post at Tenable Security. Marcus always has interesting things to say. There’s some talk about assurance, where Marcus essentially says that assurance shouldn’t be an afterthought.
I agree. True assurance should be baked into the design of a product or system. Unfortunately that rarely happens with some of the government assurance programs such as FIPS 140 or Common Criteria. I’ve leveraged the requirements and processes of these programs during product design (both during my tenure at Cisco and at Apex). From my experience, considering these requirements at product design time has a much more positive impact on design and development, and leads to smoother execution of documentation evaluation and product testing when conforming to FIPS 140 or CC. It’s ideal, but obviously not necessary.
One Year of Blogging
Friday, December 8th, 2006
We’ve hit the first anniversary of the Apex Assurance Blog. There are over 100 posts, and while sometimes a headache, it is a lot of fun to maintain this. Thank you to those who read the blog, offer comments, and send me informal questions and comments off-line.
We’ll keep it going in 2007.
New RSA Algorithm Testing Requirements
Monday, December 4th, 2006
Some of our customers have asked us to provide an analysis on the new testing of the RSA algorithm for FIPS 140-2 validations. Without going to too much depth (to respect their contracts and interests), I thought I would summarize that analysis here.
Basically, NIST CMVP requires testing against a vulnerability discovered in RSA a few months ago that allows attackers to forge a PKCS-1 signature. Vendors face the following implementation policies (from the NIST CMVP website):
- For any algorithm validation request where a lab has used a previous version of CAVS to create files and has already sent the sample and request files to the vendor, NIST will accept validations using this tool up through December 31, 2006.
- If there are any validation requests where a lab has used a previous version of CAVS to create files and has not yet sent the appropriate files to the vendor, please regenerate everything using CAVS5.2.
- It is strongly advised that any CMVP cryptographic module in the pre-validation phase re-test the RSA implementations with the new version of CAVS.
- After December 31, 2006, all new received test reports to the CMVP pre-validation queue must use the CAVS5.2 to validate RSA.
A colleague sent me a note inquiring about the applicability regarding OpenSSL. If you’re running OpenSSL, you can
- download version 0.9.7k or later, or version 0.9.8c or later
- apply this patch
We recently ran algorithm testing for a customer running OpenSSL and passed with no issues. Then again, since they meet the criteria above, we expected them to.
The best bet here is to have your implementation validated with CAVS5.2 to be sure this vulnerability is addressed. It may not be easy, but it beats having your customer fault you if this vulnerability is exploited in their environment. Here is a rare example of being able to use assurance as intended!
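The forgery the post refers to relied on verifiers that parsed the PKCS#1 v1.5 padding leniently instead of comparing the whole encoded block. The example below is added here and is not code from the post, from NIST, or from OpenSSL: it implements PKCS#1 v1.5 signing and two verifiers in pure Python, the strict RFC 3447 form (rebuild the expected encoded message and compare it whole) beside a parsing verifier that ignores whatever follows the DigestInfo, and runs both against a valid signature and a constructed negative test vector (a non-conforming block signed with the private key, so no forgery is involved). The toy key generation, the message and the negative vector are assumptions of the example; only the SHA-256 DigestInfo prefix comes from RFC 3447.

```python
import hashlib
import hmac
import secrets

# DER-encoded SHA-256 DigestInfo header (RFC 3447, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def is_probable_prime(n, rounds=40):
    """Miller-Rabin primality test; adequate for this demonstration."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def gen_keypair(bits=1024, e=65537):
    """Toy RSA key generation (assumption of this example, not for production)."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this guarantees gcd(e, phi) == 1
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def emsa_pkcs1_v15(msg, k):
    """EMSA-PKCS1-v1_5 encoding for a k-byte modulus: 00 01 FF..FF 00 DigestInfo."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_private_op(em, priv):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def sign(msg, priv):
    k = (priv[0].bit_length() + 7) // 8
    return rsa_private_op(emsa_pkcs1_v15(msg, k), priv)


def _recover_em(sig, pub):
    """RSA public operation with the length and range checks RFC 3447 requires."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return None
    s = int.from_bytes(sig, "big")
    if s >= n:
        return None
    return pow(s, e, n).to_bytes(k, "big")


def verify_strict(msg, sig, pub):
    """RFC 3447 8.2.2: rebuild the full expected EM and compare every byte."""
    em = _recover_em(sig, pub)
    return em is not None and hmac.compare_digest(em, emsa_pkcs1_v15(msg, len(em)))


def verify_lenient(msg, sig, pub):
    """Parsing verifier: walks the padding, checks that a DigestInfo follows,
    and never checks that it ends at the last byte of the block. Shown only to
    contrast with verify_strict; this is the defect class the re-testing targets."""
    em = _recover_em(sig, pub)
    if em is None or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return em[i + 1:i + 1 + len(t)] == t  # bytes after t are silently ignored


def malformed_em(msg, k, pad_len=8):
    """Negative test vector (constructed): minimal padding, then filler after
    the DigestInfo. A conforming verifier must reject a signature over this."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    body = b"\x00\x01" + b"\xff" * pad_len + b"\x00" + t
    return body + b"\xaa" * (k - len(body))  # leading 0x00 keeps the value below n


def run_checks(bits=1024):
    """Exercise both verifiers on a good signature and on the negative vector."""
    pub, priv = gen_keypair(bits)
    k = (pub[0].bit_length() + 7) // 8
    msg = b"module firmware image v1.0"  # constructed sample message
    good = sign(msg, priv)
    bad = rsa_private_op(malformed_em(msg, k), priv)  # key holder signs a non-conforming block
    return {
        "strict_accepts_good": verify_strict(msg, good, pub),
        "strict_rejects_other_msg": not verify_strict(b"other message", good, pub),
        "strict_rejects_bad": not verify_strict(msg, bad, pub),
        "lenient_accepts_bad": verify_lenient(msg, bad, pub),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {ok}")
```

The negative vector is the kind of input a conformance test feeds a verifier: the strict verifier rejects it because the reconstructed block differs from the expected one, while the parsing verifier accepts it because nothing after the digest is examined. Whatever the exact test vectors CAVS uses, an implementation whose verification is structured like verify_strict has no padding to mis-parse.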
Physical Security? Not!
Monday, December 4th, 2006
On my way back to the office from a meeting today, I decided to stop at a drug store* to get a drink and a snack. It’s a brand new building, and you’ll see why that’s important in a minute. I find a spot in the crowded parking lot and head towards the door, which to my surprise, doesn’t open automatically. “Eh, whatever, I’ll just slide it open.”
The place is a little messier than I expect from a brand new establishment, but whatever. I’m not one to judge. I walk to the back, grab a soda, walk around to the front, grab a snack, and then head for a cash register. Which I can’t find. Now, this is just silly. Maybe they’ve replaced traditional registers with some revolutionary payment system. I keep poking around… nothing. Then it hits me… the place isn’t even open for business yet!
Then I really take a look around… the place is bustling with people, all of whom are working! And it has to be obvious by my appearance that I’m not there to work. But here’s the other funny thing: no one says anything to me. I could have walked right out with my snack loot. Or I could have loaded up a box full of goodies. I bet I could have found a pallet somewhere and really made a score! Of course, I didn’t.
On a serious note, what kind of physical security is this? Maybe I didn’t look suspicious, but I would have thought they’d notice me as a potential threat. It’s funny, because this situation parallels some issues discovered in some of my management consulting engagements:
- There are those who know about security and act (or most commonly react) to counter potential threats
- There are those who don’t know about security, and frankly it just isn’t their job
- And finally, there are those who just don’t care
I’m betting the drug store was filled with folks in category 2… but why? Shouldn’t someone watch over that 6 or 7 figure inventory? And how many organizations out there follow this model? Too many, I bet.
* In Research Triangle Park, we don’t have 7-11s… but we do have drug stores (e.g., Walgreens, CVS, Eckerd, etc.) on seemingly every street corner
