Microsoft Enhances Windows NT-Based Support For Key U.S. Government Security Standards

REDMOND, Wash., Aug. 31, 1998 — Microsoft Corp. today announced plans to support FIPS 140-1 and FORTEZZA, two key federal cryptographic standards important to the protection of U.S. government communications. As part of a broader federal security initiative, Microsoft plans to include in future products National Institute of Standards and Technology (NIST) FIPS 140-1-validated cryptographic modules as well as native support for secure sockets layer (SSL) Web communications using FORTEZZA.

This support underscores Microsoft’s continuing commitment to meet the security requirements of its federal customers. This commitment already includes supporting several U.S. Department of Defense initiatives, including the Defense Messaging System (DMS), Medium Assurance Messaging, Desktop and Network Security Frameworks, and Public Key Infrastructure, as well as trusted systems initiatives such as C2 compliance and evaluation.

“Product security and quality in a heterogeneous environment is of paramount importance to Microsoft,”
said Pete Hayes, general manager of Microsoft Federal Systems.
“We are committed to working actively with our partners and competitors to bring the best standards-based implementations to market.”

FIPS 140-1-Evaluated Cryptographic Modules

“The FIPS 140-1 Cryptographic Module Validation [CMV] Program is a critical element in providing federal departments and agencies with tested cryptographic products and applications,”
said Jim Foti, a member of the technical staff of the computer security division at NIST.
“Tested and validated products provide an important level of assurance for securing sensitive but unclassified government information.”

Microsoft’s first software-based FIPS 140-1 Level 2 cryptographic module is expected to complete evaluation successfully in late 1998 and be available for the Microsoft® Windows NT® Server network operating system version 4.0 and Microsoft Windows NT Workstation 4.0. A second FIPS 140-1 cryptographic module is planned to ship as a core component of Windows NT Server 5.0 and Windows NT Workstation 5.0. Microsoft plans to submit additional algorithms for validation as NIST expands the list of approved FIPS 140-1 algorithms.

“FIPS 140-1 certification is important to the Defense Department’s efforts to pursue commercial security initiatives,”
said Richard C. Schaeffer Jr., director, information assurance, Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence.

The FIPS 140-1 validation process ensures the accuracy of a given cryptographic implementation. Microsoft FIPS 140-1 cryptographic modules also address the areas of efficiency, interoperability and ease of use. These items reflect the total quality of the module. To produce this cryptographic module, Microsoft Research’s world-class team of respected cryptographers, mathematicians and researchers worked with the experienced architects and developers on the Windows NT product team to produce a cryptographic implementation of superlative quality.

“Everything we’ve seen from Microsoft so far in this process has been of the highest quality,”
said Santosh Chokhani, president of CygnaCom Solutions Inc., the lab selected to perform the FIPS 140-1 validation tests for Microsoft.
“Pursuing FIPS 140-1 validation further demonstrates Microsoft’s commitment to security and will make highly accurate and efficient software-based cryptography widely available to users and ISVs alike.”

The FIPS 140-1-validated cryptographic modules will be provided as cryptographic service provider (CSP) plug-ins for CryptoAPI, an open set of programmatic interfaces for implementing cryptographic functions in an application without requiring knowledge of the underlying algorithms. CryptoAPI is a core feature of Windows NT, and this evaluation provides independent government validation of this high-quality and flexible architecture. Any application vendor can benefit from the FIPS 140-1 evaluation by using the core cryptography built into Windows NT.

“Because e-Lock uses the open CryptoAPI architecture, we can easily provide FIPS 140-1-approved solutions to our customers cost-effectively,”
said Dr. Prakash Ambegaonkar, chairman and CEO of E-Lock Technologies Inc., developer of e-Lock, an application security suite that runs on Windows NT.
“This is a great benefit to E-Lock Technologies and our customers.”

Support for Secure Web Communications Using FORTEZZA

FORTEZZA provides computer systems with a portable hardware cryptographic mechanism to ensure secure communications and digital signatures and is part of the National Security Agency (NSA) Multi-Level Information Systems Security Initiative. FORTEZZA utilizes a specific set of NSA-approved cryptographic algorithms with a standardized programming interface. The algorithms are implemented in a secure hardware device that protects sensitive private key material.

While Microsoft already delivers FORTEZZA support in the DMS-compliant versions of Microsoft Exchange and the Outlook
™
98 messaging and collaboration client, it plans to enhance support for FORTEZZA to include secure Web communications with Windows NT using Microsoft Internet Explorer 5 and Microsoft Internet Information Services 5.0 technologies.

“The National Security Agency is delighted to learn of Microsoft’s intentions to comply with FIPS 140-1 and support SSL encryption using FORTEZZA technology,”
said John Nagengast, assistant deputy director for information systems security at NSA.

SPYRUS, one of the leading vendors of FORTEZZA products, has teamed with Microsoft to provide a CryptoAPI-based FORTEZZA cryptographic service provider for Windows NT. In addition, the SPYRUS FORTEZZA Crypto Card and LYNKS Privacy Card have been certified as FIPS 140-1 Level 2 cryptographic modules. This means that customers using these products today are already benefiting from FIPS 140-1-validated cryptographic products.

“We are pleased that Microsoft will support FORTEZZA using the LYNKS Privacy Card as a security solution for Internet Explorer 5 and Internet Information Services 5.0,”
said Sue Pontius, SPYRUS president and CEO.
“By using the same mechanism that provides secure messaging under DMS, users can now browse FORTEZZA SSL-enabled Web sites to securely access critical EDI, workflow and remote access applications.”

Founded in 1975, Microsoft (Nasdaq
“MSFT”
) is the worldwide leader in software for personal computers. The company offers a wide range of products and services for business and personal use, each designed with the mission of making it easier and more enjoyable for people to take advantage of the full power of personal computing every day.

Microsoft, Windows NT and Outlook are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries.

Other product and company names herein may be trademarks of their respective owners.


Note to editors: If you are interested in viewing additional information on Microsoft, please visit the Microsoft Web page at http://www.microsoft.com/presspass/ on Microsoft’s corporate information pages.

Related Posts

Microsoft Announces Internet Security Framework

Microsoft Corp. today announced the Microsoft Internet Security Framework, a comprehensive set of security technologies for electronic commerce and online communications that supports Internet security standards.