Squeak
Cryptography
Last updated at 8:39 pm UTC on 1 November 2006
The main goal is to provide the tools necessary for anyone to successfully implement current cryptography in their application.

This page is a work in progress

Currently we are assembling a team and setting team goals. For information contact: Ron@USMedRec.com

Also see our mailing list: http://lists.squeakfoundation.org/mailman/listinfo/cryptography

Cryptography Team Notes

Validation Process: 
information,
Validation Functional Requirements: 
information for both Common Criteria and FIPS.

Cryptography goals

  1. Identify and isolate Cryptographic classes and define SM package for base image classes.
  2. Maintain Current Cryptography Standards in the image.
  3. Make sure that the external package stays current with image implementations. (SHA1 and SecureHashAlgorithm are copies of each other but there were differences in implementations. I'm not sure why we need both but there you are.) If they export the same interface, it may be because of differences in processing speed on different platforms. If that's the case, we may need to implement x86, RISC, PowerPC, m68k, etc. versions for when the processor is known. -Kyle H
  4. Fix errors in Cryptography, in the package or in the image, such as ThirtyTwoBitRegister: the byteArray appears to be implemented backwards. We will need rights to make/change assignments in Mantis.
  5. Get external US Government certification of Security for external package and image components.
  6. Research and add cryptography as necessary to stay current with cryptographic changes in the industry. Isn't this part of #2, above? -Kyle H
  7. Support CACert.
  8. Integrate Signatures and Encryption into Email Packages.
  9. Write Security Articles for cross promotion with squeak news team (and publish some articles outside this group for squeak promotion).
  10. Start Cryptography list for people using the internal or external package for cryptographic news and alerts, or changes in implementations planned so that consumers of the cryptographic code can understand what changes are needed to integrate new code. This task is complete, cryptography@lists.squeakfoundation.org -Kyle H
  11. Support PGP
  12. Fix PKI
  13. Assess adding SFTP
  14. Review ANS1 (and voip or other high profile implementations for reference implementation) Is this ASN.1? PKI depends on it anyway if that's the case – we just need to support Basic, Distinct, and XML encoding rules. -Kyle H
  15. Support and Develop SUnit cases for everything.
  16. PKI Tasks
    1. Review Current Implementation
    2. Isolate classes and convert to Monticello Format
    3. Develop / Round out Streaming Protocol (similar to SSH or SSL)
      1. Add State machine
      2. Add PKI/Diffie-Hellman Handshaking
    4. Project path:
      1. ASN1 implementation
        1. Compare Cincom's non-commercial version to the Squeak ASN1 implementation
        2. Port Cincom's non-commercial version features or entire package if necessary
      2. X.509 version 3
      3. Diffie-Hellman (see 12.3b)
      4. AES, 3DES and various other block and symmetric ciphers.
      5. SSL / TLS, version 3 of SSL.


CC validation Notes

Tasks (10/17/06)

  1. Decide on the Protection Profile(s) we want to address
  2. Define the claims and security target (Most probably we would need 3-4 configurations)
  3. Start a function List and Test Matrix
    1. Where can we host a Wiki?
      Here for now
    2. This will help us prove our case, so we should start this task ASAP
  4. Develop the ToE (Target of Evaluation – the software system that will be evaluated against the Protection Profile) -Kyle H
  5. Understand and document the CC process relevant to us. Read and mark the CC documents, talk with Labs et al
  6. Formal CC Validation effort

Task Details

Protection Profiles

  1. List of PPs http://www.commoncriteriaportal.org/public/expert/index.php?menu=8
    1. I think we would fall under the Operating Systems - Single-Level Operating Systems in Medium Robustness Environments PP. Note: we must meet all protection profile objectives for everything that the base system does, or provide an automated means of configuring those things out (key management, certificate management, etc.) – Kyle H
      1. Section 3 contains the threats, security policy (SP), and the assumptions made about things that affect security.
      2. Section 4 contains the objectives to be met
      3. Section 5 has the cryptographic module requirements (and there are a LOT of them -Kyle H)
  2. Interesting to see how JavaCard has done it, with its VM, configurations et al.: http://java.sun.com/products/javacard/pp.html, also available at http://www.commoncriteriaportal.org/public/expert/index.php?menu=8. A perhaps more legible reference can be found at http://niap.bahialab.com/cc-scheme/pp/index.cfm, which includes most of the same data.

We have a lot of work ahead of us. Among other things:

This is just off the top of my head after reading the PP. There's a lot more, and it is going to take a lot of time to do... and what we come up with is only superficially going to resemble the current Squeak when we're done. -Kyle H