[Dnssec-deployment] SUN SCA6000 FIPS 140 certification
Paul Wouters
paul at xelerance.com
Mon Mar 28 07:43:46 EDT 2011
On Mon, 28 Mar 2011, Jay Daley wrote:
> We, like many ccTLDs, are using the SUN SCA6000 HSM in our DNSSEC infrastructure. Today we were contacted by a competing HSM vendor who claimed that the SUN SCA6000 card was not FIPS 140 certified. If any of you have been similarly contacted and want to verify the FIPS 140 certification for yourself then see entry 1050 on this list:
>
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
Another trick I've seen used is vendors claiming to have submitted their
hardware for FIPS 140 certification, so it is "in progress", despite
never having a chance of succeeding at the level suggested.
Another issue with FIPS 140-2 is that it is easilly claimed with no real value.
For example, any RAM stick module based appliance where keys are generated and
stored in the CPU's main memory can never really pass FIPS 140-2, but if you
box it in metal with screws with a "tamper sticker", I think you can technically
claim FIPS 140-2 compliance, despite being easilly attacked using cold boot attacks
like http://citp.princeton.edu/memory/ and printing a few "tamper stickers".
Paul
More information about the Dnssec-deployment
mailing list