http://www.nwfusion.com/news/0111ntcrypt.html

NT 4.0 flunks cryptography test
Another service pack fix and interoperability woes for users are the results.
By Ellen Messmer
Network World, 01/11/99
Washington, D.C.

Last summer, Microsoft hoped to see NT 4.0 breeze through government tests
of encryption features such as Data Encryption Standard and digital
signatures. But things didn't go exactly as planned.

Products must pass the Federal Information Processing Standard (FIPS) 140-1
certification test before they can be sold to the U.S. and Canadian
governments. Not only did the Redmond, Wash., giant fail the cryptography
tests, but Microsoft officials now acknowledge that the lab scrutiny exposed
shortcomings in NT's cryptographic processing that will force Microsoft to
redesign the operating system.

Microsoft expects to issue a service-pack upgrade later this year - once NT
finally makes it through FIPS 140-1 testing. "We expect this to happen early
in the first quarter, but we have to allow for additional delays," says
Patrick Arnold, program manager at Microsoft Federal Systems.

The Microsoft code fix, however, will prevent users who apply it from using
Internet Explorer 4.0, Outlook 98 and perhaps other applications, such as
the Microsoft Internet Information Server. "Only Internet Explorer 5.0 will
know how to work in FIPS mode," Arnold explains, adding Microsoft is still
assessing the application interoperability problems that will result from
the fix.

Microsoft has already released NT Service Pack 4, which was supposed to be
the last upgrade for NT 4.0. The company has not yet announced the FIPS
upgrade and has not explained whether all users - or just the ones that need
the FIPS compliance - will be urged to upgrade.

The problems, which were uncovered at CygnaCom Solutions, a
government-certified testing lab, are related to NT 4.0's CryptoAPIs.


Government reaction

Government users, especially the Department of Defense, which bought tens
of thousands of NT 4.0 servers, are bracing for impact. "Will our
department upgrade and work through the interoperability problems?
Absolutely," says Dick Schaeffer, a Defense Department security manager.
"FIPS 140-1 is an important benchmark that tells us an encryption module
is working right."

Prodded by the Defense Department to meet government encryption standards,
Microsoft insists that NT 4.0 and NT 5.0 will henceforth be designed around
FIPS 140-1. And there will be only one version of NT - the FIPS version -
sold to the government and commercial sectors.

Microsoft admits it might have sidestepped the interoperability mess if it
had gotten into the government's test program earlier. "We got into this a
bit late," Arnold confesses. "We weren't effectively paying attention."

Late indeed. The FIPS 140-1 test program was started five years ago by the
National Institute of Standards and Technology (NIST), with help from the
National Security Agency. During the past two years, the government
established a vigorous test regime with three certified labs. Last year,
agencies were told they had to start buying FIPS 140-1 products to protect
sensitive but unclassified information. To date, about 30 products have won
FIPS 140-1 certification, including Netscape's Communicator client software
and SuiteSpot server. According to NIST officials, 30 other products are
undergoing testing.

Government agencies - in theory - shouldn't be using NT to protect
sensitive but unclassified information because it isn't FIPS 140-1
certified, says Miles Smid, manager of security technology at NIST.
Agencies can ask for a waiver, but the reality is that none have bothered -
the lack of FIPS 140-1 products in the market seems to be excuse enough.
"FIPS 140-1 is very important, but there aren't enough products to buy,"
says the Defense Department's Schaeffer.

=-=-=-=

Forwarded From: Phillip Renouf 
Originally From: Jason Garms 
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

To clarify: Microsoft absolutely did NOT fail the FIPS 140-1 testing. The
DSS CSP (the module being tested) has not undergone final testing, so it is
not possible that it failed.

Jason Garms
Product Manager
Windows NT Security
Microsoft Corporation
JasonG@Microsoft.Com