[31773] in cryptography@c2.net mail archive
[rsalz@us.ibm.com: Re: FIPS 140-2 Validation Revoked]
daemon@ATHENA.MIT.EDU (Eugen Leitl)
Thu Jul 20 13:10:36 2006
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Wed, 19 Jul 2006 13:40:49 +0200
From: Eugen Leitl <eugen@leitl.org>
To: Cryptography List <cryptography@metzdowd.com>
--i4WgBwpUkbQcesZD
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
----- Forwarded message from Richard Salz <rsalz@us.ibm.com> -----
=46rom: Richard Salz <rsalz@us.ibm.com>
Date: Wed, 19 Jul 2006 01:09:12 -0400
To: openssl-dev@openssl.org
Cc: jmw@oss-institute.org
Subject: Re: FIPS 140-2 Validation Revoked
X-Mailer: Lotus Notes Release 7.0 HF144 February 01, 2006
Reply-To: openssl-dev@openssl.org
I wish to make it very clear that in this message I am speaking solely as=
=20
an individual, and do not represent my employer or its views in any way at=
=20
all.
> We don't know the full story behind this yet, and perhaps never will. As
> John Weathersby noted in the article, "This is not about technology".
This is baloney.
The "boundary" around the formerly-validated code was completely wrong --=
=20
a simple analysis showed that code within the "FIPS container" called code=
=20
outside the container. A sample program showed how this led to trivial=20
breaks in security. I have seen a document that had this analysis, and=20
included a sample program that printed all private keys to the screen and=
=20
when asked for random numbers always returned the same value. I know this=
=20
document was given to the module authors and the validation lab. The=20
authors ignored this and also convinced the validation lab to ignore it.=20
The lab (I'm really glad they're not a subsidiary of my employer any more)=
=20
trusted the vendor; had they performed the most basic due diligence --=20
compile the program! -- they would have seen that the code should not have=
=20
passed. Hell, 'nm fipscanister.o | fgrep U' would have shown it!
There were other problems as well. For example, the DES/3DES self-test did=
=20
not test encryption. Even worse, the implementation tested isn't the one=20
used by the public API's. (OpenSSL includes multiple DES/3DES=20
implementations.)
Open source is not magic pixie dust that allows you to ignore basic=20
reality. The certified code had serious flaws that were known to the=20
parties involved in certification, yet they went ahead anyway. CMVP did=20
the right thing. Can you imagine the damage that could have been done if=
=20
either critical systems were built using that code, or if a true enemy of=
=20
the open source movement published the sample code after it had widespread=
=20
use?
It greatly saddens me to say this, but unless there are significant=20
changes in the process and/or participants, I will continue to advise=20
anyone who wants to rely on a FIPS-ccertified OpenSSL that it is not safe=
=20
to do so.
/r$
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org
----- End forwarded message -----
--=20
Eugen* Leitl <a href=3D"http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
--i4WgBwpUkbQcesZD
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEvhpBdbAkQ4sp9r4RAvgLAKC2fsqfu3iIg3aBr1HB4bxryXIvDACdHziE
j2CzWe0P0AFa/0fB8u6Qs6w=
=9R5X
-----END PGP SIGNATURE-----
--i4WgBwpUkbQcesZD--
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
