
What does it mean to activate FIPS in Options / Advanced tab?

Created: 14 Jan 2012 • Updated: 17 Jan 2012 | 10 comments
This issue has been solved. See solution.

While playing around with PGP, trying to figure out how to fix all these many many problems I have been having, I came across a control that I do not understand.

When I press Tools then Options, and click the Advanced tab, I see an option to "Activate FIPS 140-2 operational and integrity checks."  What does this do?  I know what FIPS-2 is, but since I do not have a Self Encrypting Hard drive (just a regular one), will this do anything for me?  I'd like to have as much security as possible, so I am hoping that this will add to things.

Thanks!


Tom Mc

From the Help file:

Activate FIPS 140-2 operational and integrity checks. Select this option if you or your organization require FIPS 140-2 checks, but be aware that it slows down your computer’s performance. You must reboot your computer for this setting to take effect. This option is available only in standalone installations.

When you consider your issue resolved, please click Mark As Solution on the most helpful response.

Search the Knowledge Base &

Heywood

I read that, too, but I have no clue as to what all that means.  What operation & integrity checks does it run?  Does it have something to do with making random numbers?

I have not noticed any kind of slow down.  I am using a Dell T7500 with 24 GB of DDR3 RAM on Win 7 Ultimate 64-bit.

But what do I know?  I am totally clueless about this stuff.  I only bought the product because we had a break-in at the office and several of our computers were stolen that contained legal & financial records.  So I found a Google reference to this product.

Just downloading the product and installing it is about the extent of my computer skills in this regard.  Oh, and I do play a pretty mean game of CoD!

Tom Mc

I don't have anything more specific to your question, but you may find this interesting: http://www.symantec.com/docs/TECH149193


dfinkelstein

The set of tests performed by the SDK are defined in the Security Policy document.

http://csrc.nist.gov/groups/STM/cmvp/documents/140...

Run the tests to ensure that the SDK module has not been tampered with and that all the algorithms are working correctly.  In general people do not enable the tests unless required to do so by their organization.

--------

David Finkelstein

Symantec R&D

Heywood

Okay.  Well I have read all this stuff (thanks for the links).  I guess what it means is that the PGP program runs self-tests to make sure the cryptographic software has not been compromised at all?  And if it does not pass the self tests then it will not allow anything to work.

Is that correct?  That this PGP SDK module is a software thing within PGP??

So by clicking that button that I originally mentioned it will cause the PGP to do self tests at start up or whenever to make certain that this SDK module does its job properly and hasn't been messed with?

Is that right?

dfinkelstein

The PGP SDK is the cryptographic provider for all PGP products.  It is a library that is distributed with our products (though it is also available for third parties to license and use).  PGP Desktop (PGP WDE, PGP NetShare, PGP Desktop Email, PGP Zip, etc.), PGP Command Line, and PGP Universal all use the PGP SDK for key generation, random number generation, encryption, digital signatures, etc.

The National Institute of Standards and Technology has programs to verify that cryptographic implementations are correct (CAVP, the Cryptographic Algorithm Validation Program) and that a cryptographic module itself is secure (CMVP, the Cryptographic Module Validation Program).  E.g., the CMVP requires that a module properly zeroize keys in memory when they are no longer in use.  We submit the PGP SDK for algorithm testing, and for module validation.  On the NIST CAVP and CMVP websites you can find our algorithm and module validation certificates.

If your module is validated under FIPS 140-2 (Federal Information Processing Standards "Security Requirements for Cryptographic Modules") a user of your module must be able to ensure that the module has not been tampered with, and that the algorithms are still working properly (e.g., that your random number generator has not gotten "stuck" and is spitting out the same number over and over).  Some agencies of the government (both US and foreign) as well as contractors who work with the government (e.g. defence contractors) often need this assurance that the cryptography has been implemented correctly and that it has not been tampered with.

If you enable the checkbox, the self-tests are executed when PGP Desktop starts up.

Regards,

--------

David Finkelstein

Symantec R&D
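
The "stuck" generator check mentioned in the reply above, as an added example that is not from this thread or from the PGP SDK: each block is compared with the one before it, and a repeat latches an error state that hands out nothing further. The names (`checked_rng`, `demo_source`) and the 16-byte block size are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BLOCK 16
typedef void (*raw_rng_fn)(unsigned char out[BLOCK]); /* hypothetical raw source */

typedef struct {
    raw_rng_fn source;
    unsigned char prev[BLOCK]; /* last block seen, kept for comparison */
    int primed;                /* first block is only compared, never handed out */
    int failed;                /* latched error state */
} checked_rng;

/* Returns 0 with a block in out, or -1 (no output) once a repeat has been seen. */
static int checked_rng_next(checked_rng *r, unsigned char out[BLOCK]) {
    unsigned char cur[BLOCK];
    if (r->failed) return -1;
    if (!r->primed) { r->source(r->prev); r->primed = 1; }
    r->source(cur);
    if (memcmp(cur, r->prev, BLOCK) == 0) { /* same block twice: stuck */
        r->failed = 1;
        return -1;
    }
    memcpy(r->prev, cur, BLOCK);
    memcpy(out, cur, BLOCK);
    return 0;
}

/* Constructed source: a counter that freezes once healthy_calls hits zero. */
static unsigned counter;
static int healthy_calls;
static void demo_source(unsigned char out[BLOCK]) {
    memset(out, 0xAB, BLOCK); /* the frozen value */
    if (healthy_calls > 0) { healthy_calls--; counter++; memcpy(out, &counter, sizeof counter); }
}

/* Blocks handed out (at most want) before the wrapper refuses to continue. */
static int blocks_delivered(int healthy, int want) {
    checked_rng r = { .source = demo_source };
    unsigned char buf[BLOCK]; int n = 0;
    healthy_calls = healthy;
    while (n < want && checked_rng_next(&r, buf) == 0) n++;
    return n;
}

int main(void) {
    printf("healthy: %d, freezing: %d\n", blocks_delivered(1000, 100), blocks_delivered(3, 100));
    return 0;
}
```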

Heywood

Finkelstein - you are my new hero!  What a most excellent explanation!  Very understandable.

When you say that CMVP requires that a module properly zeroize keys in memory when they are no longer in use, does that have something to do with a hack that I heard of whereby you freeze the RAM chips so as to access the key?  Does this 'zeroization' prevent that, or does it do something else?


dfinkelstein

Zeroizing keys after encryption or decryption has completed ensures that the memory that held the key material is cleared, so that the next process that is given that memory address can't read the key information from its memory space.

The "cold boot" attack where you freeze RAM chips was against Full Disk Encryption products.  Such products require that the disk key be resident in the driver's memory, so that they can continue to decrypt and encrypt disk blocks.  During normal operation there isn't really a time that the driver is "done" with the key and can zeroize that memory.

--------

David Finkelstein

Symantec R&D
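
Zeroization as described in the reply above, as an added example that is not from this thread or from the PGP SDK: the key context, and the caller's temporary copy of the key, are wiped as soon as the operation is finished. `key_ctx`, the XOR placeholder operation and the sample key are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Writing through a volatile pointer keeps the compiler from discarding the
   stores as dead, which it may do to a plain memset() on a dying buffer. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

typedef struct { uint8_t key[32]; int loaded; } key_ctx; /* hypothetical */

static void key_ctx_load(key_ctx *c, const uint8_t key[32]) {
    memcpy(c->key, key, sizeof c->key);
    c->loaded = 1;
}

/* Placeholder for a real cipher: XOR with the key. Returns -1 if no key is loaded. */
static int key_ctx_apply(const key_ctx *c, uint8_t *buf, size_t n) {
    if (!c->loaded) return -1;
    for (size_t i = 0; i < n; i++) buf[i] ^= c->key[i % sizeof c->key];
    return 0;
}

static void key_ctx_destroy(key_ctx *c) { secure_zero(c, sizeof *c); }
static int is_all_zero(const void *p, size_t n) {
    const unsigned char *b = p;
    unsigned char acc = 0;
    while (n--) acc |= *b++;
    return acc == 0;
}

/* Load, use, zeroize. Returns 1 when the operation worked and no key byte survives. */
static int demo_lifecycle(key_ctx *c, uint8_t *msg, size_t n) {
    uint8_t key[32];
    memset(key, 0x5A, sizeof key);   /* constructed sample key */
    key_ctx_load(c, key);
    secure_zero(key, sizeof key);    /* the caller's copy is key material too */
    int rc = key_ctx_apply(c, msg, n);
    key_ctx_destroy(c);              /* wipe on success and on failure alike */
    return rc == 0 && is_all_zero(c, sizeof *c);
}

int main(void) {
    key_ctx c; uint8_t msg[4] = {1, 2, 3, 4};
    printf("key wiped after use: %d\n", demo_lifecycle(&c, msg, sizeof msg));
    return 0;
}
```

A full-disk-encryption driver never reaches the `key_ctx_destroy` step while the disk is mounted, which is why the cold boot attack discussed above is outside what zeroization covers.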

SOLUTION
Heywood

Thank you so much for taking the time to explain this to me!!!!!!!!!!!!!