Wednesday, September 25, 2013

ICMC: Welcome and Plenary Session

Congratulations to Program Chair Fiona Pattison, atsec information security, for putting together such an interesting program for this inaugural International Cryptographic Module Conference.   She has brought together an amazingly diverse mix of vendors, consultants, labs and NIST.  People from all over the world are here.

Our first keynote speaker is Charles H. Romine, Director, Information Technology Laboratory, NIST. Mr. Romine started off his talk by noting how important integrity and security are to his organization.  Because of this, based on community feedback, they've reopened review of algorithms and other documents.  Being open and transparent is critical to his organization.

NIST is reliant on their industry partners for things like coming up with SHA3.  They are interested in knowing what is working for their testing programs and what is not working, and hopefully they will get a lot of great feedback at this conference.

Because these validations are increasingly valuable in the industry, demand for reviews has gone up significantly. How can NIST keep the quality of reviews up, while still meeting the demand? Mr. Romine is open for feedback from us all.

Our next keynote was Dr. Bertrand du Castel, Schlumberger Fellow and Java Card Pioneer, titled "Do Cryptographic Modules have a Moat?"

Dr. du Castel asks, is the problem with cryptography simply key exchange? Or is it really a trust issue?  With things like Bitcoin (now taxed in Germany) and PayPal everywhere on the Internet - it should be obvious how important trust is.  He walked us through many use examples, using humorous anecdotes to demonstrate that the importance of trust is growing and growing.


This post syndicated from: Thoughts on security, beer, theater and biking!

Tuesday, September 24, 2013

ICMC: Introduction to FIPS-140-2

Presented by Steve Weingart, Cryptographic & Security Testing Laboratory Manager, at atsec information security.

I'm not new to FIPS-140-2, but as I'm here in Gaithersburg, MD for the inaugural International Cryptographic Module Conference, it's always good to get a refresher from an expert.  Please note: these are my notes from this talk and should not be taken as gospel on the subject. If you need a FIPS-140 validation - you should probably engage a professional :-)

Since the passage of the Federal Information Security Management Act (FISMA) of 2002, the US Federal Government can no longer waive FIPS requirements. Vendors simply need to comply with various FIPS standards, including FIPS-140-2 (the FIPS standard that is relevant to cryptography and security modules).  Financial institutions and others that care about third party evaluations also want to see this standard implemented.

Technically, a non-compliant agency could lose their funding.

FIPS-140 is a joint program between US NIST and Canadian CSEC (aka CSE).

All testing for FIPS-140 is done by accredited labs (accredited by National Voluntary Laboratory Scheme).  Labs, though, cannot perform consulting on the design of the cryptographic module: it could be seen as a conflict of interest if they were designing and testing the same module.  They can use content you provide to make your Security Policy and Finite State Machine (FSM), as those documents have to be in a very specific format that individual vendors will likely have trouble creating their first time out.

A cryptographic module is defined by its security functionality and well-defined boundaries, and has at least one approved security function.  A module can be contained in hardware, software, firmware, software-hybrid, or firmware-hybrid.

Security functionality can be: symmetric/asymmetric key cryptography, hashing, message authentication, RNG, or key management.

The testing lab makes sure that you've implemented the approved security functions correctly to protect sensitive information, makes sure you cannot change the module after it's been validated (integrity requirement), and that you prevent unauthorized use of the module.

Your users need to be able to query the module to see if it is performing correctly and to see the operational state it is in.

FIPS-140 has been around, originally as Federal Standard 1027, since about 1982.  Of course, as technology changes, the standard gets out of date.  FIPS-140-2 came out in 2001 with some change notices in 2002.  FIPS-140-3 has had many false starts.  A large quantity of implementation guidance has come  out (the IG is approaching, if not overtaking, the size of the initial FIPS-140-2 document).

Some brief clarifications: the -<number> on the standard refers to the version.  The first was FIPS-140, next FIPS-140-1, and the final currently adopted one is FIPS-140-2.

Each of those versions has levels that you can be evaluated at. Level one is the "easiest", level four is the hardest (available to hardware only).

FIPS-140-3 has had two rounds of public drafts, there were over 1200 comments, but it seems there is just one person still working on this draft.  In addition, there are not any Derived Test Requirements (DTR) so the labs cannot even consider writing tests for the standard.

There are new versions of "FIPS-140-3" by ISO (19790)  (released in 2012), essentially competing with the NIST draft.  Though, the original goal was to have the ISO standard be the same document, just as an international standard.

Right now, you can validate against the ISO standard in other countries - not in the US or Canada, though.  If you used an international body to validate your module against the ISO standard, it would not get you through the door to US or Canadian Government customers.

It's up to NIST and CSEC to pick one of these, create transition guidance and testing information to let vendors and labs move forward.

ISO 19790 has many improvements, but if you implement them, you will not pass FIPS-140-2 testing. For example, ISO 19790 allows lazy POST (only testing when needed), but FIPS-140-2 requires POST of the entire boundary any time any part of the boundary is used.

FIPS-140-2 has four levels, and it doesn't matter if 99% of your module meets all of the items required for a higher level (like level 2): if 1% only meets level 1, you cannot be validated at the higher level.

The ISO document doesn't point to specific EAL Common Criteria levels, helping to alleviate the chicken-and-egg circular dependency for FIPS-140 levels. For example, FIPS-140-2 Level 2 requires an EAL validated OS underneath.  The EAL validation requires a FIPS-140-2 validated crypto module.

The finite state model means that you can only be in one state at one time. That means you cannot be generating key material at the same time you're performing cryptographic operations in another thread. This can be very difficult to accomplish with modern day multi-threaded programs - the labs that do the validation review source code, too, so no sneaking around them!

Mr. Weingart keeps reminding us that FIPS-140 is a validation, not an evaluation.

There were some good questions about how things like OASIS KMIP interact with the FIPS-140-2 cryptographic key management requirements.  The general thought is they should harmonize, but KMIP doesn't seem to be referenced.

Around key generation, RNG and entropy generation are very important, and with the current news - this is being heavily scrutinized by NIST right now.  Simply using /dev/random (without knowing anything about its entropy sources) is not sufficient. Of course, when you're also the provider of /dev/random, you have a bit more knowledge. We should expect further guidance in this area.

Cryptographic modules have to complete power-on self-tests (POSTs) to ensure that the module is functioning properly - no shortcuts allowed! (Again, your code will be reviewed - shortcuts will be seen!)  There are also some conditional self-tests - tests run when a certain condition occurs, for example, generating a key.

If any of these tests fail, you must not perform *any* cryptographic operations until the failure state has been cleared and all POSTs are rerun.  That is, even if your POSTs for SHA1 fail, you cannot even provide AES or ECC.
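The two rules above (only one state at a time, and any self-test failure blocks every service until all POSTs are rerun) can be sketched as a small state machine. This is an added example, not code from the talk or from any validated module: the class and function names are hypothetical, and SHA-256 and HMAC stand in for the AES/ECC services because Python's standard library provides neither.

```python
import hashlib
import hmac
import threading
from enum import Enum


class State(Enum):
    POWER_ON = "power-on"
    SELF_TEST = "self-test"
    OPERATIONAL = "operational"
    ERROR = "error"


class ModuleError(RuntimeError):
    """Raised when a service is requested outside the OPERATIONAL state."""


# Known-answer tests (KATs) against published test vectors.
def kat_sha1():
    return hashlib.sha1(b"abc").hexdigest() == (
        "a9993e364706816aba3e25717850c26c9cd0d89d")


def kat_sha256():
    return hashlib.sha256(b"abc").hexdigest() == (
        "ba7816bf8f01cfea414140de5dae2223"
        "b00361a396177a9cb410ff61f20015ad")


def kat_hmac_sha256():  # RFC 4231, test case 1
    tag = hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).hexdigest()
    return tag == ("b0344c61d8db38535ca8afceaf0bf12b"
                   "881dc200c9833da726e9376c2e32cff7")


DEFAULT_KATS = {"SHA-1": kat_sha1, "SHA-256": kat_sha256,
                "HMAC-SHA-256": kat_hmac_sha256}


class CryptoModule:
    def __init__(self, kats=None):
        self._kats = dict(kats or DEFAULT_KATS)
        self._lock = threading.Lock()  # serialises state changes and services
        self._state = State.POWER_ON
        self.failed = []

    def status(self):
        """Status service: lets the operator query the current state."""
        return self._state

    def power_on_self_test(self):
        """Run every KAT; a single failure puts the whole module in ERROR."""
        with self._lock:
            self._state = State.SELF_TEST
            self.failed = [n for n, kat in self._kats.items() if not kat()]
            self._state = State.ERROR if self.failed else State.OPERATIONAL
            return self._state

    def _service(self, fn, *args):
        # The lock keeps a service from overlapping a self-test or another
        # service, so the module is only ever in one state at a time.
        with self._lock:
            if self._state is not State.OPERATIONAL:
                raise ModuleError(f"module is in state {self._state.value}")
            return fn(*args)

    def sha256(self, data):
        return self._service(lambda d: hashlib.sha256(d).digest(), data)

    def hmac_sha256(self, key, data):
        return self._service(
            lambda k, d: hmac.new(k, d, hashlib.sha256).digest(), key, data)


def demo():
    """Constructed fault: force the SHA-1 KAT to fail, then ask for SHA-256."""
    bad = CryptoModule({**DEFAULT_KATS, "SHA-1": lambda: False})
    bad.power_on_self_test()
    try:
        bad.sha256(b"data")
        refused = False
    except ModuleError:
        refused = True
    return bad.status(), bad.failed, refused
```

Calling `power_on_self_test()` again is the only way out of the error state here, and it reruns every KAT, not just the one that failed.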

If you make any additional "extra credit" security claims, like "we protect against timing attacks", that either needs to be  verified by the lab, or a disclaimer needs to be placed in your security policy.

Implementation Guidance

There is a lot of new implementation guidance coming up, fast and furiously.

The most contentious one is the requirement to run power-on self-tests all the time (whether in FIPS mode or not). This can be problematic, particularly for something like a general purpose OS or smartcards. For things that may not have been designed for this, or that just don't have great performance capabilities (like smartcards), this can make your device or system unusable for customers that do not need FIPS-140 validated hardware/software.

IG G.14, for example, has some odd things on algorithms, like RSA4096 will be removed from approval, but RSA 2048 won't be. This seems to be related to performance issues, according to discussions in the room, but that seems a harsh punishment for perf issues.  Check SP800-31A for more details about what will and will not be allowable going forward.

Cryptographic Algorithm Validation Program

Any algorithms used in approved mode need to be validated to make sure they are operating correctly.  This step is required before you can submit to the CMVP (Cryptographic Module Validation Program).  This is a very mechanical process - you have either passed the algorithm tests, or you haven't.  CAVP turnaround to issue certificates for your algorithms is typically very quick, because there isn't wiggle room or room for interpretation.

You will work with labs (22 approved ones that are accredited currently) on this, and a consulting firm that will help you to work with the labs, work on your documentation, design, architecture, etc.  You can hire another lab as a consultant; it's just that your own lab cannot consult for you (back to the point that they cannot test what they designed).

Preparing yourself for validation

Read FIPS-140-2, the implementation guidance, the SP-800 series documents, etc.

Take training, where available and possible.

Enlist help on your design and architecture as early as possible, get a readiness assessment.

You can do your algorithm testing early, find and fix problems early in your development.

Iterate as needed (if this is your first time, you'll almost certainly have to iterate to get this right).



Friday, September 20, 2013

PKCS 11 Technical Committee Face to Face

This week, Oracle hosted the OASIS PKCS 11 Technical Committee's face to face meeting on our Santa Clara campus.

It was a very productive two days, I believe we got through some of the final issues to the next revision of the standard (v2.40).  Work won't finish there, it seems, as all of the committee members are excited about what we can do in the future to make PKCS 11 an even more robust interface for providing cryptographic services to applications and utilities.

As most of you already know, Solaris's user level Cryptographic Framework is a PKCS 11 API, so we're very excited to see the standard progress and evolve.

As co-chair of the committee, I am so proud of everyone's hard work in dusting off the standard and doing the hard work necessary to quickly converge to get the next revision ready to go!

The standard moved from RSA to OASIS earlier this year.

Thursday, September 19, 2013

ICMC: Presenting on Software in Silicon: Crypto-Capable Processors

I will be co-presenting on crypto-capable processors at the inaugural International Cryptographic Module Conference next week, along with Dave Weaver (SPARC architect), and Wajdi Feghali (Intel).

We'll be talking about the evolution of cryptographic instructions in general purpose processors, using Solaris as the case-study example.

Are you interested in cryptographic modules, FIPS-140 validations, or crypto stuff in general?  You should register for next week's ICMC conference in Gaithersburg, MD! There are a few days left to register.

Thursday, June 20, 2013

Most Influential Books in my Life

These books have changed the trajectory of my life. I've read many other good ones and have a 2 foot stack next to the bed of "to-read", but these are the books I think back on, re-read, reflect on and have changed the way I live my life.  Yes, I mean that. Changed my life.

Influence: Science and Practice

This is a short book that's just jam-packed with information.  This is a science-based approach to understanding how to influence others and, most importantly, to realize when you're being influenced!  Robert Cialdini covers everything from salting tip jars to how a car dealer pushes you into a car sale.

I learned simple things for getting people to do what you ask: get them to verbally commit - or even better, in email/writing. People love to be seen as "consistent", so even if they get more information later they will stick with their original statement and even create reasons why it's the correct one.  It is great when I can catch myself doing this - but is also handy when you want people who, let's say, join a group to commit to performing a certain task.

[Aside: This is what gets politicians in trouble, in my book. They don't want to be seen as "flip-floppers" so even when they are presented with new information, they refuse to change their opinion. That's absolutely horrifying to those of us with background in science and those that know the value of data driven decision making.]

For example, this is why it is important for theater producers to make sure they get all actors to sign a form committing to the performance. Each actor has just now promised they will do the show, so it will take something extreme for most to back out of the show.  I know I've stayed in shows that I was not happy with for that very reason - well, and not wanting to get blacklisted from a theater group as well!

Having this knowledge also helps you to influence your peer group and others at work, and to protect yourself from compliance professionals. This should be mandatory reading in all high schools and colleges.

This book is powerful, and when you read it, you MUST promise me you won't use it for evil.

Women Don't Ask: Negotiation and the Gender Divide

This book was recommended by the incomparable Valerie Aurora, who even set up a scholarship for this book, so that more women could read it and get access to it.  Before I read Linda Babcock and Sara Laschever's book on Gender and the Negotiation Divide, I had no idea of what I was missing out on by just not asking for what I wanted!

As a good student, I was used to being recognized for my efforts - I'd get an A on a test for studying hard. Very simple effort/reward dynamic.  It's different in the real world.  If you work really hard on a project, but don't tell others why you are doing it (for a raise, promotion, comp time off, recognition, etc) - you may be lucky if you get a pat on the back in the end. You've got to say, "I'm working my tail off on this project, which is not what I'm really interested in, so you can see how dedicated I am and make me the lead of the next, more interesting project."  Or, "I really want to take a few extra days off for my honeymoon. I'm willing to work a few weekends to make sure the project is done before I leave, if I could then have a few more paid days off. Does that work for you?"

I was also blissfully unaware that most men do ask for what they want and need.  This isn't small potatoes, this stuff adds up.  A small salary negotiation before you start your job can make a big difference in your salary and retirement savings just 10 years down the road.

Most surprisingly?  Most people don't say "no" when you ask for something reasonable.  Since reading this book and "Influence: Science and Practice" , I've gotten discounts on furniture, appliances, clothing, shoes and services.

I'm by no means an expert negotiator, nor am I one of those annoying pushy people we've all met. Neither Women Don't Ask nor Influence are asking you to become pushy.

I just simply ask.

People do not read your mind. You must ask. You'll be surprised what happens.


Leadership Presence

My old mentor recommended this book to me - bringing two of my favorite things together: theater and corporate leadership. Belle Linda Halpern and Kathy Lubar use years of their own personal research and their study of theater actors into what makes a good leader.

Empathy and mindfulness are two big take aways from this book. How can you lead a team if you don't have any empathy with them? If you are not self-aware, you won't see the mistakes you're making or how you are making people uncomfortable - that's where mindfulness comes into play.

The anecdotes resonated with me, and I find myself reflecting back to them often.  How can I play a character that I can't relate to?  On stage, now, I always have a back story for my character. I always find some part of me in them and vice versa. For the first time, I've been able to cry real tears on stage.   Not stage tears. Not fake tears. Real tears.

I recall rehearsing for Best Little W*****house in Texas. I was playing a character named "Shy". She had run away from home because her father molested her.  I do not share that experience, so I read about the real women who worked at the famous Chicken Ranch. I read about how molestation breaks a young child. I listened to stories on Love Line. I found the pain, the heartbreak.

Running that scene where Shy tells the madam about her father over and over again in rehearsal physically and mentally exhausted me. Even now, I am tearing up writing about this.

Shy was not a real person, but her story was based on many real women who had lived this. I put myself in her shoes and I felt it.  [Aside: I'm in no way saying I truly understand what someone in that situation feels or went through, but merely just a slice of that. A moment.]

I do this as well in the corporate world now: I listen to my team members, hear what is going on with them, I listen for vocal variations and physical cues that tell me when someone might be uncomfortable. I take all of this in before I speak, and I'm finding it's easier to find out what works and what doesn't.

Additionally, when I do presentations now at work, I am actually acting. I think about people who I like seeing their presentations, and I simply take on that role when I get up in front of people. It's amazingly effective.

Crucial Conversations Tools for Talking When Stakes Are High

I once got in trouble at work for saying "no" too often as the technical lead of Solaris 10 Update 1.  For those of you who have been a technical lead of a large project, you know it's your job to say no - when appropriate. You need to maintain high quality, meet the customers' needs and stay on schedule.

This was very frustrating when my upper management didn't "get it" and told me that I had an attitude problem.  I was irritated and hurt.

One week, the program manager for one of the projects trying to integrate into my gate complained to my upper management about how unhelpful I was and how I didn't have good reasons for my "no".  That same week, the engineers and managers on that same team brought me a literal mountain of chocolate to thank me for my patience and helping them to understand why they weren't ready and helping them get to the place they needed to be. A little behind schedule, but with the necessary quality we demand. Of course, they didn't go and compliment me to my upper management.

So, I had to take this class. Being the good student I referenced earlier, I bought the book in advance and started reading it.

Wow.

Okay, so I had every right to say "no" to some projects, but how I said it and how I listened - boy, that makes a big difference.

The biggest takeaway from this book, that I still use every day, is that humans use shortcuts. We have to. We're too busy. Part of that shortcutting is to tell stories to fill in the gaps of something you hear from someone or something you see.

For example, I might see a man hold a woman's arm and my brain fills it in with the story that they are dating, but really she may have just slipped and he was helping to stabilize her or she is blind. My story is wrong, but quick.

When someone comes to me with a demand at work, I could say that they are doing it because they are an asshole who doesn't understand the process and is trying to get someone else to do their job.  Or I could tell the story that they are overworked because their boss is out on emergency medical leave and they are suddenly on multiple projects, so they are seeking help.
Neither of those might be true, but being aware that each person has a motivation for their actions, and it's rarely "because I want to be an asshole" has again helped me to live for a moment in someone else's shoes.

Another great thing I learned was how to know when my brain was taking other shortcuts that weren't going to be good.  That is, when is the lizard brain kicking in?  For me, I get tense and get butterflies in my stomach.  Now when I feel this, I realize my "fight or flight" instinct is kicking in and that I need to be careful not to raise my voice, take a deep breath, and tell alternate stories for the others - or, heck, just ask them, "what are you trying to accomplish?"

Atlas Shrugged

Whether you love or hate Ayn Rand's Objectivist philosophy or the woman herself, you have to admit she had a novel way of presenting philosophical ideas to the masses.  An ex of mine told me he thought I'd like the book. I couldn't put it down (okay, I always skip most of John Galt's ridiculous 60 page speech), but this book changed the way I read fiction, opened my eyes to a philosophy that seemed to have great promise in impacting the way we all lived.  I joined the Objectivist club on campus at Purdue, met many intelligent people and had great in depth discussions on Ayn Rand's philosophy.  I never agreed with everything she said, and I must say I am greatly disappointed at people who have taken this philosophy to the extreme to the detriment of others.  I am disgusted by what has happened when classically public run things like prisons are privatized (for example, in AZ the private companies running the prisons lobbied for MORE laws so that they could get more prisoners and make more money).

But, beyond all of that, this book opened my eyes to a  new way of thinking. A place where rational thought and logic were supreme and had merit. Showed me that I could apply logic to making decisions about my life. I did not merely need to let things happen to me, but could control what was around me.  I didn't need to stay friends with someone, if the friendship was toxic, just because it was the "nice thing to do". I didn't need to work myself to the bone for someone else for no reward.

Yes, Rand's characters are very black and white, and the movie was just awful, but as a young college woman, these new ideas changed my life.


What books have changed your life? Thoughts about any of mine?

Friday, June 14, 2013

45% of gamers are women, but don't you dare suggest women be the protagonist in a game!

Maybe it's just me, but some days I really feel like things are getting worse in the tech industry.  These two articles came across my twitter stream this week that seem like they must've been written on different planets.

The first one is from SF Gate where Derrick Lang noted the low number of female attendees at the E3 gaming conference, and how that was surprising because 45% of gamers are women. Let me say that again: 45%!

This was explained away that E3 was more for developers and not consumers (back to my post from last week).

That aside, how can I now explain that in the same universe, Anita Sarkeesian was attacked online for complaining that the latest XBox console launch didn't include any games with a female protagonist?

The attacks included these gems:
[Three images from the original post are not reproduced here.]

How is 45% of the marketplace not a significant number?  How is it that more than 50% of the human population is neither interesting nor capable just because of their gender?

Friday, June 7, 2013

When Geeks Attack: Marie Claire Article, featuring me.

My heart has been broken over and over again by the recent news stories about women in tech simply being attacked online. What's worse, is when someone like Alissa Quart writes an article about the types of online abuse women face along with in person abuse at conferences, she herself becomes a target.

Let me say, that I've been to many awesome conferences where nothing worse than a bit of mansplaining occurred.  But I've also been to my fair share where people called me a "scene whore", constantly asked who my boyfriend was (because why would a woman attend a technical conference by herself?), and flashed me (yes, a man showed me his genitalia on the conference room floor), to know that not all conferences are equal.

Valerie Aurora started the Ada Initiative to help conference organizers make their events more female friendly, and encourage participation of women in Open Source.  Those of you that know Val know how active she's been in Linux and Solaris kernel development over the years: she's smart and compassionate.

Val and I met at an early DefCon - 3 or 4? At the time, still a small community with mostly nice guys (I only got 1 or 2 creeper emails following my first DefCon - which was also the last one where I used my real handle on my badge).  The conference is much larger now, and has definitely had some growing pains. It's definitely a place where you'll meet really awesome people and learn fascinating things - but there are less savory people there as well.

I have my DefCon stories. After seeing the fallout on other websites about this article and to the Ada Initiative blog entry that seemed to shine the light brightest on all of this, though, I don't feel comfortable sharing the details at this time.

Marie Claire

Val and I were both interviewed by Alissa and photographed by Nicolas Silberfaden, a strange thing for both of us.  Two nerds in a fashion magazine? And both named Val? 

Please do check out the article.  You can find it online, but neither Val nor I had our pictures in the online version. To see our pics, you'll need to pick up the June 2013 issue of Marie Claire at any store that carries magazines.

Update: There's a great article from The Raw Story about online and in person sexual harassment that covers the odd phenomenon we're all witnessing now where the harassment is seen almost as a game, and when someone like Val tries to speak out against it, she's seen as a "Feminazi" and being overly political.