3

The question pertains to some specs (FIPS) that require the SChannel modules used for TLS perform a self test prior to use to validate that they have not been compromised. FIPS is one example. In the Open source libraries there are self tests built in. Does SChannel have this capability? I am not able to find any reference to this, yet it seems odd that this would be left out.

I hope that makes the question less vague and ambiguous. I believe this is a question that can reasonably be answered by someone that has deep knowledge of the SChannel API.

Added: My understanding of FIPS level 1 and certainly level 2 is that the operation of the algorithms needs to be verified at run time (self test) not just when originally certified. Additionally, the image in memory needs to be validated with a hash or some such to make sure it has not been changed.

If these things are not done a run time, the potential for a patched library exists does it not?

pnuts
  • 58,317
  • 11
  • 87
  • 139
Mike Trader
  • 8,564
  • 13
  • 55
  • 66

1 Answers1

2

FIPS certification is acheived for a given cipher suite on a given OS configuration. Certification will give you a level a It will give you a level, 1 being the highest you can acheive on regular hardware, but the lowest level security wise.

Now back to your question...

Starting from the cipher suites used SChannel, we can work our way up to the FIPS certificate from this page.

According to the PDF scan of the FIPS certificate (for Windows 7 Ultimate) or the 1337 certificate of Windows Server 2008 R2 64bits, you see on their second page that Self-Tests were certified at level 1.

So yes, SChannel does have self test capability, because it leverages the self-test capabilities of lower components. But if shifts some of the burden to you to validate that your software uses only certified components in a certified environment.

ixe013
  • 9,559
  • 3
  • 46
  • 77
  • "1 being the highest you can acheive on regular hardware" have you got a link to how this scoring works? – Basic Feb 13 '12 at 08:49
  • 1
    I don't have that link. I guess you could acheive level 2 on regular hardware, but certification is not free. The premium you will pay for a level 2 server will probably remove it from the "regular" category. From http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf "Security Level 2 enhances the physical security mechanisms of a Security Level 1 cryptographic module by adding the requirement for tamper-evidence, which includes the use of tamper-evident coatings or seals or for pick-resistant locks on removable covers or doors of the module." – ixe013 Feb 13 '12 at 15:27