
Re: SSL Certs and FIPS 140-2 Compliance: msg#00003

security.websecurity

Subject: Re: SSL Certs and FIPS 140-2 Compliance

I had a visit by Ingrian Networks today who appear to do what you've
spec'd out including having a FIPS compliant system (which appears
to only be required by governmental and military purchasers...).

Ingrian may still be a 'startup' running on venture capital -- if that is a
concern to your client you may want to have their bona fides checked
out and/or ask them for references.

Their DataSecure (hardware) Appliance and NAE software (Network-
Attached Encryption) engine is a central service on the network which
is then called via API to process SSL. http://www.ingrian.com/products

They have 3 lower-end Appliances but the higher end 325 is FIPS 140-2 compliant:

Ingrian i325 DataSecure Appliance. The i325 offers the same features as the i321, and also has an integrated FIPS 140-2 Level 3 compliant hardware security module for private and symmetric key management. The i325 processes over 2,000 cryptographic operations per second. For more info, see the i325 data sheet (PDF: 391k).


In addition to SSL acceleration for web & other mid-tier servers they are also
marketing the Appliances to the database encryption market -- with crypto APIs and
connectors/software for various platforms and databases (Oracle, SQLServer, DB2).

Disclaimer: I'm not affiliated with this company, nor have I used their product(s).

- H. Morrow Long, CISSP, CISM, CEH

  University Information Security Officer

  Director -- Information Security Office

  Yale University, ITS




On Aug 22, 2005, at 4:43 PM, Ryan Barnett wrote:

I am hoping that some other people on this list have some info on this
area.  I will try and make it brief.

I am contracted with a US Government Bureau to secure their web
environments.  We are running into some issues with how they have been
creating/implementing/managing their SSL certs for web servers with
regards to FIPS 140-2 -

We have addressed the issue of utilizing a FIPS 140-2 certified crypto
module to create the CSR and manage the signed cert.  The issue that
we have is that they originally submitted only one CSR for their main
website (e.g. - www.govvernmentx.gov).  They then took this one SSL
cert and private key and implemented it onto many different web
servers that were functioning as DMZ reverse proxies.  The upstream
network provider handled load-balancing with BigIP and they didn't
know which of the DMZ servers the client would hit, which is why they
all had the same cert.

The FIPS compliancy issue seems to be that the SSL signed cert and
private key should only exist in one location - otherwise this
violates the whole reuse of keys sections.  In this case, FIPS is
making it difficult to leverage typical load-balancing
implementations.

Has anyone else, who works with the government, run into a similar
scenario?  The only option that we are kicking around is to implement
some sort of hardware SSL accelerator on the network and consolidate
our SSL functions on this host.

Any recommendations? 

-- 
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GSNA, GCUX, GSEC

---------------------------------------------------------------------
The Web Security Mailing List

The Web Security Mailing List Archives

