Question about Algorithm Validations
Werner Koch
wk at gnupg.org
Tue Sep 22 11:09:36 CEST 2009
On Mon, 21 Sep 2009 22:36, tschaible at gmail.com said:
> 1. I'm working under the assumption that libgcrypt is a library that
> encapsulates the cryptographic algorithms and that libgcrypt is used
> only by gpg 2.x or greater. gpg 1.4.x does not use libgcrypt and
> updates to libgcrypt are not necessarily being patched back into the
> gpg 1.4 codebase. Is this correct?

Right.  However we have added support for newer algorithms also to gpg
1.4 (e.g. Camellia).

> 2. I've read some forum posts that state that libgcrypt is tested
> against the NIST CAVS test suite and that 1.4.4 has passed all
> tests and is validated by NIST? Is this correct? If so, does anyone
> know which algorithms/validation #'s libgcrypt was validated under? I
> can't seem to find them in the NIST database.

It is still under evaluation; on the NIST site you find a list of such
modules.  However, before a final evaluation is done the test labs do
internal testing, and it happens that I know that Libgcrypt passed it.

> 3. Assuming gpg 1.4.x doesn't use libgcrypt directly, what are the
> procedures for validating its algorithms (NIST or otherwise)?

If you want to do that, a lot of work is waiting for you and you have to
spend quite some money on that.

BTW, it seems that an evaluation of GnuPG-2 is going on in Japan.

Shalom-Salam,

   Werner

--
Thoughts are free.  Exceptions are regulated by a federal law.