[Fwd] NIST-certified USB Flash drives with hardware encryption cracked

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Jan 7 15:48:55 PST 2010

Geoffrey Hird <geoffrey at arcot.com> writes:

>I read yesterday (I think on the NIST web site) that a major FIPS 140 test
>lab reported that something like 50% or 60% (sorry I can't find the story) of
>the modules it received for testing had bugs in them.

It's not "have bugs", it's "failed to meet the silly-walk requirements set by
that lab".  The labs will always find at least one thing to nitpick (and
preferably several, even if it's just the punctuation in your paperwork [0]),
no matter how perfect your code, because to not do so would imply that they're
not doing their job.  In addition since the silly-walk changes arbitrarily
from one lab to another, the "bugs" found will be different for each lab.  If
you really don't want to make some required change (for example because it'd
mean re-architecting your entire product) then the easiest solution is to
jury-shop labs until you find one that waves you through.

>But I have argued that FIPS 140 in general is worthwhile,

As was recently pointed out on another list, it's very worthwhile from a
marketing perspective.  Doesn't guarantee much about security, but provides a
guarantee of sales to government agencies.  This is why the certification
costs for a company's product will often be taken from the marketing budget
rather than the engineering budget.


[0] This actually happened in one eval when they were really struggling to
    find anything to complain about.
