In WinSCP FIPS 140-2 compliant?

This may be the wrong forum to ask this question, but is WinSCP FIPS 140-2 compliant?

Thanks!

Allen Lewis

Not intended as final answer, but for reference


FIPS: https://en.wikipedia.org/wiki/FIPS_140-2
I think that Level 1 is implied with SSL? Although that document suggests the addition of hardware level encryption.

Levels 2, 3, and 4 pretty much cannot be done in software. If someone gains physical access to your hardware you have to as sume that you've been pwned.




There is a lot of PuTTY under the covers and when asked about the allowed use of cryptography, PuTTY says:

PuTTY wrote:

LEGAL WARNING: Use of PuTTY, PSCP, PSFTP and Plink is illegal in countries where encryption is outlawed. I believe it is legal to use PuTTY, PSCP, PSFTP and Plink in England and Wales and in many other countries, but I am not a la wyer and so if in doubt you should seek legal advice before downloading it. You may find this site (<invalid hyperlink removed by admin>) useful (it's a survey of cryptography laws in many countries) but I can't vouch for its correctness.

Your ban algorythm refused the preceding post because of two works until I changed the spelling.

I attempted to make a second post describing the level of fail of the word filter and was banned by username and by IP address.


Both words are containined within the PuTTY quote section.

Please unban me, I am not a spammer!

Freitag wrote:

Not intended as final answer, but for reference


FIPS: https://en.wikipedia.org/wiki/FIPS_140-2
I think that Level 1 is implied with SSL? Although that document suggests the addition of hardware level encryption.

Levels 2, 3, and 4 pretty much cannot be done in software. If someone gains physical access to your hardware you have to as sume that you've been pwned.

<-------------------------- SNIP --------------------------->

Well it is very confusing trying to understand just what the FIPS 140-2 document is trying to get at. I work for a state agency which had been using the Social Security Administration Direct Connect system to transfer quarterly information on our Child Care programs to the Child Care Bureau at NIH. They are now discontinuing using that system. We are allowed to use an SFTP client. But we must certify that the software is FIPS 140-2 compliant. My understanding is that since it implements the SSH-2 protocol - which is 140-2 compliant - then we would be OK in using it. How we demonstrate or certify that it is compliant is another matter. I was hoping Martin Prykryl could shed some light on the matter!

Thanks for the reply!!

I'm sorry, but I do not know anything about it. See FAQ.

Martin,

Thanks so much for your quick response. I was afraid that might be the case. I certainly do not blame you for not wanting to tangle with US Federal bureaucratic foolishness. A waste of valuable time and money, in my opinion!

Allen

For Federal Agencies, being "compliant" or "compatible" with a FIPS is meaningless. A product has to be VALIDATED to the FIPS to be acceptable. In the case of FIPS 140-2 validation, a product must have a validation certificate from NIST on this website: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search. That being said, a product may be a wrapper around a validated product or core, so you have to be careful to ensure that the cryptographic core is validated and has a certificate number, and ensure that the certificate cited matches to the product in use, AND to the configuration you are using. Many validations are narrow in scope.

martin wrote:

I'm sorry, but I do not know anything about it. See FAQ.

It is simply a matter of compiling the OpenSSL FIPS module and then compiling OpenSSL with the FIPS option and linking to the OpenSSL FIPS module that was built.

I would also love to see this. I have looked in the code but don't quite see where OpenSSL is getting built from. I see the openssl directory with the code, though.

Anonymous wrote:

It is simply a matter of compiling the OpenSSL FIPS module and then compiling OpenSSL with the FIPS option and linking to the OpenSSL FIPS module that was built.

I do not know anything about FIPS, but I doubt it is this easy. OpenSSL is not the only cryptographic piece of code in WinSCP.

Per an earlier post, if WinSCP provided the option to leverage Microsoft RSAENH, DSSENH crypto modules (or OpenSSL FIPS library), that would do it.

Since the libraries are already available, it sounds easy from my perspective. Then again, it's easier to drive a Ferrari than build one (and, I've done neither).

Give it some thought.

We are not building SSH implementation. We are using PuTTY code for that. And PuTTY does not have FIPS compliance.