May 2013 | SafeLogic

Archive for May, 2013

28 May 2013

The Most Patriotic Season

Happy Memorial Day, everyone!  While summer technically begins on June 21st this year, at the Summer Equinox, the season really kicked off early for Americans when we fired up the grills this weekend.  I’m just not sure there’s any better way to celebrate the spirit of the United States than this.  We set aside the day to honor the men and women who have died serving our country and keeping safe our way of life.  We socialize, we get outside, we share food, drink, and enjoy one of the longest days of the year, and then we keep the party going straight through Independence Day until we get to Labor Day, the perfect bookend for our cultural summer.

Maybe it’s all the stars and stripes, or maybe someone left Toby Keith’s greatest hits on perpetual repeat, but I’m feeling awfully proud to be an American, and I’m honored to be part of a system built to keep our information safe.  From George Washington’s Culper Ring until today, encryption has been a vital part of the establishment of this nation and our ascent to become a superpower.  It is arguably even more important now, as the technology that enables us also makes us vulnerable, if standards are not upheld.  Everything we have worked so hard to build, whether it is federal intel or private intellectual property, plays a part in the greatness of this country and should be encrypted and protected to the highest levels available.

The pride I feel spans much further than the borders of these fifty states.  It carries across political lines and national boundaries.  It covers every continent on earth.  When you work in this industry, it’s more than a job.  It’s a responsibility to bring the absolute best technology to the table every day.  People, no matter where they are from, deserve to have their information secured with zero compromises.  And that’s just how we roll here at SafeLogic.



21 May 2013

Let’s talk about Suite B

I’m asked about Suite B at least once per week.  The questions usually come from customers and end users (non-Federal, mainly healthcare, actually).  So let’s talk about what Suite B really is, and how it pertains to federal and private sector enterprises.

Suite B is the designation for the collection of commercial algorithms deemed acceptable by the NSA for processing data in classified environments.  Suite A is also a collection of algorithms used to protect information in a classified environment, but unlike Suite B, the algorithms themselves are classified in Suite A.  So don’t expect any future blog posts discussing those!

The Suite B algorithms are as follows:

In the words of SafeLogic’s technical advisor Whit Diffie, “The importance of validating cryptographic implementation is second to nothing in information security.”  Implementations should be validated in accordance with National Security Telecommunications and Information Systems Security Policy (NSTISSP) No. 11, the Revised Fact Sheet on the National Information Assurance Acquisition Policy.


Beyond the mechanisms specified in NSTISSP No. 11, there are no third-party certification programs for Suite B compliance.  Currently, the only affirmation of compliance comes from the vendor themselves… something to keep in mind when evaluating a crypto solution.
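Since the only affirmation of Suite B compliance comes from the vendor, it helps to be able to check a vendor's cipher list yourself. The following is an added example, not SafeLogic's or the NSA's code: it parses TLS 1.2 cipher suite names and flags which ones meet the Suite B profile for TLS published in RFC 6460, which permits only ECDHE key exchange, ECDSA authentication, AES-GCM and SHA-256/SHA-384, with the P-256 and P-384 curves. The function names, the sample cipher list, and the rule that the effective level is the weaker of the suite and the curve are my own assumptions.

```python
import re
from typing import List, NamedTuple, Optional

# RFC 6460 section 3.1: the only two "Suite B Compliant" TLS 1.2 cipher suites,
# mapped to the Suite B level that their AES key size and hash support.
SUITE_B_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": 128,
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": 192,
}
# The Suite B elliptic curves (P-256, P-384) and the level each one supports.
SUITE_B_CURVES = {"secp256r1": 128, "secp384r1": 192}
# IANA-style name: TLS_<kex>[_<auth>]_WITH_<cipher>_<keybits>_<mode>_<hash>
_NAME = re.compile(r"^TLS_(?P<kex>[A-Z]+)(?:_(?P<auth>[A-Z]+))?_WITH_"
                   r"(?P<cipher>[A-Z0-9]+)_(?P<bits>\d+)_(?P<mode>[A-Z]+)_(?P<hash>SHA\d*)$")

class SuiteBResult(NamedTuple):
    suite: str
    compliant: bool
    level: Optional[int]  # 128 or 192 when compliant, otherwise None
    reason: str

def check_suite(suite: str, curve: str = "secp384r1") -> SuiteBResult:
    """Classify one cipher suite together with the ECDHE curve it will be used with."""
    m = _NAME.match(suite)
    if not m:
        return SuiteBResult(suite, False, None, "not a parseable TLS 1.2 AES-style suite name")
    p = m.groupdict()
    kex = p["kex"] + ("_" + p["auth"] if p["auth"] else "")
    if kex != "ECDHE_ECDSA":
        return SuiteBResult(suite, False, None, f"key exchange {kex} is not ECDHE_ECDSA")
    if p["cipher"] != "AES" or p["mode"] != "GCM":
        return SuiteBResult(suite, False, None, f"{p['cipher']}-{p['mode']} is not AES-GCM")
    if suite not in SUITE_B_SUITES:
        return SuiteBResult(suite, False, None, "AES key size and hash are not a Suite B pairing")
    if curve not in SUITE_B_CURVES:
        return SuiteBResult(suite, False, None, f"curve {curve} is not P-256 or P-384")
    # Assumption: the effective level is the weaker of the suite and the curve.
    level = min(SUITE_B_SUITES[suite], SUITE_B_CURVES[curve])
    return SuiteBResult(suite, True, level, f"Suite B at the {level}-bit level")

def audit(suites: List[str], curve: str = "secp384r1") -> List[SuiteBResult]:
    """Check a whole cipher list so every rejected entry comes with its reason."""
    return [check_suite(s, curve) for s in suites]

# Constructed sample of a vendor-supplied cipher list (not taken from the page).
SAMPLE_CONFIG = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA",
                 "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"]
```

Running `audit(SAMPLE_CONFIG)` accepts only the first two suites; each of the other three is returned with the first Suite B rule it breaks.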

About Suite B and FIPS 140

Suite B and FIPS 140 are complementary but completely different programs.  FIPS 140 is the technical standard that specifies requirements for cryptographic modules (self tests, integrity checks, key management, etc.).  Suite B is the collection of non-classified algorithms deemed acceptable for use in classified environments/applications.  Suite B does not imply FIPS 140 conformance, just as FIPS 140 doesn’t imply Suite B conformance.  Suite B algorithms are included among those approved by NIST for use in FIPS 140, but there are others available as well.

Ray, What’s the Point?

My point is simply this: by electing to use Suite B algorithms, you are assured of the highest level of encryption.  They are approved for use in FIPS 140 validated solutions, which in turn makes them suitable for FISMA and other standards.  There is no scenario in enterprise or consumer usage in which Suite B algorithms are not appropriate.

My mother used to tell me that it was always better to be overdressed than underdressed.  While James Bond’s tuxedo wasn’t ideal for chasing down bad guys with machine guns, Rambo would never have made it past the door of the diplomatic cocktail party that 007 blended right into.

Suite B is Bond’s tuxedo – timeless, classic, and it will get you wherever you need to go.  When implemented with proper key management and other controls, these algorithms have been chosen to protect your information better than any other commercially available option out there.



8 May 2013

iOS is now FIPS Validated. So what?

This week Apple’s iOS received a FIPS 140 validation on the iOS CoreCrypto Kernel Module.  Big congratulations to Apple!  This has been in the process for well over two years, and I’m happy they got it done.  I’m an enthusiastic user of their products both personally and professionally.  I’m a shareholder as well. And as a product vendor with a cryptographic library focused on compliance, I’d be remiss if I didn’t address this latest news for our customers and our community.

So… what now?  What does this mean for the community?

For Apple

Apple can now more easily sell their hardware running iOS to the Federal Government.  Obviously they haven’t had many problems in the past, but now they don’t have that familiar elephant in the room.  I’ll be interested to see how their sales reflect this milestone.

For Apple End Users

We can take comfort in the fact that native iOS functions (like secure storage of unlock PINs) are now protected via a validated module.  This is 100% positive and a great example of how validated cryptography benefits everyone, from your grandmother who can barely operate her iPhone, all the way to the most tech-savvy iPad power user.  If it needs to be secure, then protect it with a validated module.  Anything less is subject to scrutiny.

For App Developers

Here’s where it gets interesting.  App developers that are calling native iOS for crypto functions are now calling a validated module (well, for iOS 6 anyway).  This is good.  But does this give you the compliance checkmark you need?  Doubtful.

Case in point: Microsoft has a pile of FIPS 140 validations on Windows.  Yet many of the software modules that achieve validation are from other vendors that are running on Windows machines.  The fact that Microsoft has FIPS validation is irrelevant because these solutions (whether for device management or any other use) contain embedded cryptographic libraries and don’t call “native” crypto.  Part of the reason is that end users, especially in the Federal space, need that FIPS 140 validation checkmark on the solutions they are procuring.  It’s not enough for Symantec, McAfee, IBM, or anyone else to say, “we use CNG.SYS, so we meet FIPS.”  No, they need an actual FIPS certificate in their name to close that sale.  Unless the software controls its cryptography internally and it has been validated that way, it is arguably vulnerable.  This is unacceptable to federal procurement officers and increasingly a point of contention in the private sector.

The same will apply here.  Mobile platforms are simply a different form factor – it is still an operating system like Windows, and the standards for software running on iOS will be as stringent as they always have been.  Symantec recognized this, and despite Apple’s ongoing validation efforts, Symantec App Center has FIPS 140 validation on their mobile piece because their customers demanded it (check out the second bullet point under Key Features).

For SafeLogic

Frankly, there is tremendous upside for us.  Now more iOS devices will be in use with the federal government, creating more demand for apps and solutions that will still require FIPS validation on their own.  App developers cannot rely on iOS crypto not to change, or to maintain certification.  By using CryptoComply, app developers have the opportunity to control their crypto platform and provide the most secure solutions possible for these deployments.  The cryptographic module is tightly coupled with your app, and you’ll have a common API between iOS and Android to ease development.  Best of all, you can easily get a certificate in your name to knock down that big deal.

So basically, FIPS 140 validation for Apple’s iOS 6 is a big deal – it shows their commitment to security, and it demonstrates how important it is to validate encryption from top to bottom.  But it is not a panacea.  It doesn’t solve every challenge.  In fact, it creates an increased need for further encryption validations as more devices are used in critically secure contexts.  This is an important step for the mobile community, and I’m excited about what will come next.