Since last summer, Microsoft has been trying to get a US government C2 security rating for NT 4.0, but NT is still without the coveted C2 seal of approval.
Now Microsoft is scaling back its expectations, warning that it has no idea when or if NT 4.0 will actually earn a C2 security rating from the National Security Agency (NSA). The C2 problems are hurting Microsoft's chances at gaining another government security rating, the Federal Information Processing Standard (FIPS) 140-1.
Microsoft was hoping to get a FIPS 140-1 rating by using a C2-certified NT 4.0 workstation and server for the tests. It is now a mandatory purchasing rule for government users in the U.S. and Canada that products must have FIPS 140-1 certification if the user needs to secure sensitive but unclassified applications. The banking industry has also begun to state a preference for FIPS-certified products.
The NSA rates computer security from a low of "D" to a high of "A1." Microsoft has been shooting for the mid-range of C2, which the NSA defines as a system with "finely grained discretionary access controls" that makes "users individually accountable for their actions" through logon procedures, audits and other means.
For FIPS 140-1, Microsoft was aiming to earn a Level 2 evaluation for its NT 4.0 crypto-modules for the workstation and server space. This requires running the crypto on top of an NSA-certified trusted operating system.
But with hopes dimming for a quick C2 passing grade for NT 4.0, Microsoft will now seek the more modest Level 1 certification for its crypto-modules, according to Jason Garmes, Microsoft's lead product manager for security. "I expect this should be done in June at the latest," Garmes says.
A Level 1 rating shows that the crypto algorithms and key management are working correctly. But this type of review doesn't examine the role the operating system can play in security protection, as happens in Level 2.
Microsoft has informed government users from the U.S. Department of Defense and civilian agencies that the Internet Explorer 5.0 browser will have a FIPS 140-1 mode. Internet Explorer 4.0 won't be FIPS 140-1 compliant.
In addition, Microsoft will create a FIPS 140-1 version of its Outlook mail client so that the Secure Multi-purpose Internet Mail Extensions piece of Outlook can take advantage of the Level 1 crypto-modules.
"Level 1 is a minimal level of security. It's only for running on a single-user operating system, while Level 2 is a significant step up and tough to do," says Matthew Appler, vice president of Corsec Technology, an engineering firm that counsels firms on FIPS 140-1 testing. "But about 75 percent of the requirements should be the same."