Date: Thu, 20 Oct 2011 13:02:00 +0200
From: Arno Wagner
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Question regarding LUKS
Message-ID: <20111020110200.GA28385@tansi.org>
In-Reply-To: <4E9FDF4A.9080402@redhat.com>

On Thu, Oct 20, 2011 at 10:43:54AM +0200, Milan Broz wrote:
> On 10/20/2011 10:18 AM, Arno Wagner wrote:
> > I don't think anybody ever invested the money needed
> > to find out.
>
> Well, maybe you noticed some changes in dmcrypt and even
> cryptsetup which were directly closely related
> to this problem.

Relax. I basically said the same thing as you, just that AFAIK
nobody applied for a certification (which costs money). And the
only way to really find out is to invest that money and apply
for certification.

> AFAIK FIPS 140-2 is always related to some hw config,
> but in principle (and if you define cryptographic boundaries
> properly) dm-crypt and LUKS have no serious issues here.

It seems a level-1 certification can be gotten for software only,
http://www.openssl.org/docs/fips/fipsnotes.html, but this example
is the rare (only?) example.

Arno

> The main problem is proper RNG and crypto use (you have
> to use only approved RNG and only certified crypto library),
> and it cannot be isolated from the kernel certification etc.
>
> So there are no principal problems I know about but
> still some changes are needed (some of them are really
> formal).
>
> Milan

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier