Open-Source or FIPS-Validated Disk Encryption?

j_crane asks: "Our company is looking for disk encryption software that runs on Windows XP/2003 and Linux. There are hundreds of commercial disk encryption programs (most are Windows-only though). Some of them are FIPS-validated by the US NIST, but none of these are open-source. On the other hand, there is an excellent open-source on-the-fly disk encryption software, called TrueCrypt, for Windows and Linux (the program even provides plausible deniability), but it does not have a FIPS-validation. Which would you prefer -- open source or FIPS-validated -- and why?"
  • Depends (Score:3, Interesting)

    by Sycraft-fu ( 314770 ) on Tuesday April 18, 2006 @07:56PM (#15153687)
    How concerned are you that this is safe and what are your resources? Something like TrueCrypt is tempting because of low price. However OSS isn't some magical security guarantee. You don't know it's secure unless someone competent has looked at the code and verified it is. If you have people that are competent, then you can have them audit the code and make sure it's good. Otherwise, it's no different than CSS: you assume that the people who wrote it know what they are doing, but you haven't checked.

    With certified software, someone else competent has checked for you. You can be as certain as is possible that there's not a problem.

    Now maybe you don't care. You can be pretty sure TrueCrypt is good stuff. It's implementing public algorithms that have been extensively evaluated, and people HAVE looked over the code and found nothing to worry about so far. However that's not the same as trained, competent people doing a specific, intensive audit.

    So if you can do the audit in house, and trust your people more, go OSS. If you can't and you are concerned that one hasn't been done, go FIPS.
  • by baasnad ( 836461 ) on Tuesday April 18, 2006 @09:38PM (#15154295)
    OpenSSL is FIPS 140-2 validated:

    http://csrc.nist.gov/cryptval/140-1/1401val2006.htm

    Look for # 642

    This was (is) the first case of open source software being validated, as opposed to a specific product.

    It is important to note that FIPS 140-2 validation simply proves that the cryptographic algorithms (the math) have been implemented correctly; it does not necessarily mean that the system actually works as advertised.

    Also, if you are a government type or contractor, make sure the vendor supplied product actually uses the version that received accreditation. Many times, that was an older version, but the marketing types keep (falsely) stating that the product is FIPS certified!!!
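The two checks raised in the comment above can be automated. Below is an added example (not code from this thread, from TrueCrypt, or from the OpenSSL project): a small known-answer test (KAT) of the kind FIPS 140-2 algorithm validation depends on, run against the OpenSSL build behind Python's `hashlib`, together with a check that the OpenSSL version actually loaded matches a version you hold a validation certificate for. The SHA test vectors are the public ones from the FIPS 180 standard; the `openssl version` banners and the allowed-version set used in the usage call are constructed for illustration and are not real certificate data.

```python
"""Known-answer self-tests plus a validated-version check for the OpenSSL
module behind Python's hashlib.  Added example; not from the thread,
TrueCrypt or OpenSSL.  Banners and allowed-version sets are constructed."""
import hashlib
import hmac
import re
import ssl

# Public FIPS 180 test vectors: (algorithm, message, expected hex digest).
KNOWN_ANSWERS = [
    ("sha256", b"abc",
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("sha256", b"",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ("sha1", b"abc",
     "a9993e364706816aba3e25717850c26c9cd0d89d"),
]


def run_known_answer_tests(vectors=KNOWN_ANSWERS):
    """Run each vector through hashlib and report pass/fail per vector.

    Returns a dict keyed by 'alg(message)'.  Any False means the module
    failed its self-test and must not be used for the workload.
    """
    results = {}
    for alg, msg, expected in vectors:
        digest = hashlib.new(alg, msg).hexdigest()
        # compare_digest avoids a timing side channel on the comparison.
        results[f"{alg}({msg!r})"] = hmac.compare_digest(digest, expected)
    return results


def all_self_tests_pass(vectors=KNOWN_ANSWERS):
    """True only if every known-answer vector matched."""
    return all(run_known_answer_tests(vectors).values())


# Matches the version token in an 'openssl version' banner, e.g. "OpenSSL 0.9.7m".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+[a-z]*)")


def parse_openssl_version(banner):
    """Return the version string from an OpenSSL banner, or None if it is
    not an OpenSSL banner at all (e.g. a LibreSSL build)."""
    m = VERSION_RE.search(banner)
    return m.group(1) if m else None


def version_is_validated(banner, allowed_versions):
    """True if the banner names exactly one of the versions you hold a
    validation certificate for.  'Newer' is not good enough: a certificate
    covers one specific build, which is the point made in the comment."""
    version = parse_openssl_version(banner)
    return version is not None and version in allowed_versions


def loaded_openssl_banner():
    """Banner of the OpenSSL actually linked into this Python process."""
    return ssl.OPENSSL_VERSION


if __name__ == "__main__":
    # Hypothetical certificate list; substitute the version on your certificate.
    allowed = {"0.9.7m"}
    print("self-tests pass:", all_self_tests_pass())
    print("loaded module:", loaded_openssl_banner())
    print("validated build:", version_is_validated(loaded_openssl_banner(), allowed))
```

Run it on each host the product is deployed to, not only on the vendor's reference machine: the comment's warning is precisely that the shipped binary may be a different build from the one on the certificate, and a marketing claim tells you nothing about what `ssl.OPENSSL_VERSION` reports on the box in front of you.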
