Topic "Is WinSCP FIPS 140-2 compliant?"

locoowl

Joined: 10 Oct 2008
Posts: 3
Location: South Carolina
This may be the wrong forum to ask this question, but is WinSCP FIPS 140-2 compliant?

Thanks!

Allen Lewis
Freitag

Joined: 25 Oct 2007
Posts: 48
Not intended as final answer, but for reference


FIPS: http://en.wikipedia.org/wiki/FIPS_140-2
I think that Level 1 is implied with SSL? Although that document suggests the addition of hardware level encryption.

Levels 2, 3, and 4 pretty much cannot be done in software. If someone gains physical access to your hardware you have to assume that you've been pwned.




There is a lot of PuTTY under the covers and when asked about the allowed use of cryptography, PuTTY says:


PuTTY wrote:
LEGAL WARNING: Use of PuTTY, PSCP, PSFTP and Plink is illegal in countries where encryption is outlawed. I believe it is legal to use PuTTY, PSCP, PSFTP and Plink in England and Wales and in many other countries, but I am not a lawyer and so if in doubt you should seek legal advice before downloading it. You may find this site useful (it's a survey of cryptography laws in many countries) but I can't vouch for its correctness.
I am Freitag

Guest


Your ban algorithm refused the preceding post because of two words until I changed the spelling.

I attempted to make a second post describing the level of fail of the word filter and was banned by username and by IP address.


Both words are contained within the PuTTY quote section.

Please unban me, I am not a spammer!
locoowl

Joined: 10 Oct 2008
Posts: 3
Location: South Carolina
Freitag wrote:
Not intended as final answer, but for reference


FIPS: http://en.wikipedia.org/wiki/FIPS_140-2
I think that Level 1 is implied with SSL? Although that document suggests the addition of hardware level encryption.

Levels 2, 3, and 4 pretty much cannot be done in software. If someone gains physical access to your hardware you have to assume that you've been pwned.


<-------------------------- SNIP --------------------------->

Well it is very confusing trying to understand just what the FIPS 140-2 document is trying to get at. I work for a state agency which had been using the Social Security Administration Direct Connect system to transfer quarterly information on our Child Care programs to the Child Care Bureau at NIH. They are now discontinuing using that system. We are allowed to use an SFTP client. But we must certify that the software is FIPS 140-2 compliant. My understanding is that since it implements the SSH-2 protocol - which is 140-2 compliant - then we would be OK in using it. How we demonstrate or certify that it is compliant is another matter. I was hoping Martin Prikryl could shed some light on the matter!

Thanks for the reply!!
prikryl
Site Admin
Joined: 10 Dec 2002
Posts: 18917
Location: Prague, Czech Republic
I'm sorry, but I do not know anything about it. See FAQ.
_________________
Martin Prikryl
locoowl

Joined: 10 Oct 2008
Posts: 3
Location: South Carolina
prikryl wrote:
I'm sorry, but I do not know anything about it. See FAQ.


Martin,

Thanks so much for your quick response. I was afraid that might be the case. I certainly do not blame you for not wanting to tangle with US Federal bureaucratic foolishness. A waste of valuable time and money, in my opinion!

Allen
I am Freitag

Guest


I am Freitag wrote:
Your ban algorythm refused the preceding post because of two words until I changed the spelling.

I attempted to make a second post describing the level of fail of the word filter and was banned by username and by IP address.


Both words are contained within the PuTTY quote section.

Please unban me, I am not a spammer!


I really am not a spammer!!! Please do unban me
prikryl
Site Admin
Joined: 10 Dec 2002
Posts: 18917
Location: Prague, Czech Republic
I am Freitag wrote:
I really am not a spammer!!! Please do unban me

Sorry. Done. The ban was automatic.
_________________
Martin Prikryl
Guest




For Federal Agencies, being "compliant" or "compatible" with a FIPS is meaningless. A product has to be VALIDATED to the FIPS to be acceptable. In the case of FIPS 140-2 validation, a product must have a validation certificate from NIST on this website: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm. That being said, a product may be a wrapper around a validated product or core, so you have to be careful to ensure that the cryptographic core is validated and has a certificate number, and ensure that the certificate cited matches to the product in use, AND to the configuration you are using. Many validations are narrow in scope.
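One way to turn the checklist above (validated core, matching version, matching configuration, wrapper awareness) into a repeatable check, as an added example that is not from the thread or from WinSCP; the validation record and certificate number 9001 are constructed placeholders, not real CMVP data:

```python
"""Check a product's FIPS 140-2 claim against a CMVP-style validation record.
Added example, not code from the thread or WinSCP; records are constructed
placeholders, not real CMVP entries or certificate numbers."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ValidationRecord:
    cert: int                # certificate number as listed by the CMVP
    module: str              # name of the validated cryptographic module
    versions: frozenset      # module versions the certificate covers
    environments: frozenset  # operational environments the module was tested on

@dataclass(frozen=True)
class Deployment:
    product: str         # product being assessed; may only wrap the module
    crypto_module: str   # cryptographic core the product says is validated
    module_version: str
    environment: str
    cited_cert: int      # certificate number the vendor points to

# Constructed snapshot of a validation list (placeholder data, not real CMVP entries).
VALIDATION_LIST = {
    9001: ValidationRecord(9001, "Example Crypto Core",
                           frozenset({"1.2.0", "1.2.1"}),
                           frozenset({"Windows Server 2008 (x86)"})),
}

def assess(dep: Deployment, records=VALIDATION_LIST) -> list:
    """Return findings; an empty list means the cited certificate fits this use."""
    rec = records.get(dep.cited_cert)
    if rec is None:
        return [f"certificate #{dep.cited_cert} is not on the validation list"]
    findings = []
    if rec.module != dep.crypto_module:
        findings.append(f"certificate #{rec.cert} covers '{rec.module}', "
                        f"not '{dep.crypto_module}'")
    if dep.module_version not in rec.versions:
        findings.append(f"version {dep.module_version} is outside the validated "
                        f"versions {sorted(rec.versions)}")
    if dep.environment not in rec.environments:
        findings.append(f"environment '{dep.environment}' was not tested "
                        f"({sorted(rec.environments)})")
    if dep.product != dep.crypto_module:
        # A wrapper is covered only for the crypto it routes through the validated core.
        findings.append(f"note: '{dep.product}' wraps '{dep.crypto_module}'; confirm all "
                        f"cryptography (not just one library) goes through it")
    return findings
```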
Guest




prikryl wrote:
I'm sorry, but I do not know anything about it. See FAQ.


It is simply a matter of compiling the OpenSSL FIPS module and then compiling OpenSSL with the FIPS option and linking to the OpenSSL FIPS module that was built.

I would also love to see this. I have looked in the code but don't quite see where OpenSSL is getting built from. I see the openssl directory with the code, though.
prikryl
Site Admin
Joined: 10 Dec 2002
Posts: 18917
Location: Prague, Czech Republic
Anonymous wrote:
It is simply a matter of compiling the OpenSSL FIPS module and then compiling OpenSSL with the FIPS option and linking to the OpenSSL FIPS module that was built.

I do not know anything about FIPS, but I doubt it is this easy. OpenSSL is not the only cryptographic piece of code in WinSCP.
_________________
Martin Prikryl
jfh2210

Guest


Per an earlier post, if WinSCP provided the option to leverage Microsoft RSAENH, DSSENH crypto modules (or OpenSSL FIPS library), that would do it.

Since the libraries are already available, it sounds easy from my perspective. Then again, it's easier to drive a Ferrari than build one (and, I've done neither).

Give it some thought.
prikryl
Site Admin
Joined: 10 Dec 2002
Posts: 18917
Location: Prague, Czech Republic
We are not building an SSH implementation. We are using PuTTY code for that. And PuTTY does not have FIPS compliance.
_________________
Martin Prikryl