[ISN] Developers say FIPS 140-2, WiFi security are big hurdles

InfoSec News isn at c4i.org
Wed Jan 26 02:31:43 EST 2005


By Susan M. Menke 
GCN Staff

Developers at a recent encryption conference in Toronto said their
toughest job is plugging security holes in their products to meet the
encryption requirements of Federal Information Processing Standard

The conference, sponsored by elliptical-curve cryptography vendor
Certicom Corp. of Mississauga, Ont., drew 60 top systems integrators
and middleware vendors from around the world, who were subsequently
surveyed about their concerns.

"FIPS 140-2 compliance is difficult and time-consuming," Certicom's
Brendan Ziolo said. "A surprising number of implementations fail, and
the testing can take eight to 12 months." About 30 percent of new
crypto modules do not pass the FIPS 140-2 tests, designed by the
National Institute of Standards and Technology, he said, and about 20
percent of returning modules still have security flaws.

Another hurdle is wireless security, "A lot of middleware developers
are looking to extend their applications to wireless, but the Wired
Equivalent Privacy algorithm was broken very quickly, and no real
standard has replaced it," Ziolo said.

In the survey, developers ranked fast, efficient performance as the
top criterion for organizations trying to strengthen encryption
security. Other important concerns are quality of the chosen algorithm
and access to the source code, they said.

Sixty percent of the respondents said they use open-source and other
publicly available algorithms during product development; 40 percent
continue to use it in their production systems.

More information about the ISN mailing list