[rsalz at us.ibm.com: Re: FIPS 140-2 Validation Revoked]

Eugen Leitl eugen at leitl.org
Wed Jul 19 07:40:49 EDT 2006


----- Forwarded message from Richard Salz <rsalz at us.ibm.com> -----

From: Richard Salz <rsalz at us.ibm.com>
Date: Wed, 19 Jul 2006 01:09:12 -0400
To: openssl-dev at openssl.org
Cc: jmw at oss-institute.org
Subject: Re: FIPS 140-2 Validation Revoked
X-Mailer: Lotus Notes Release 7.0 HF144 February 01, 2006
Reply-To: openssl-dev at openssl.org

I wish to make it very clear that in this message I am speaking solely as 
an individual, and do not represent my employer or its views in any way at 
all.

> We don't know the full story behind this yet, and perhaps never will. As
> John Weathersby noted in the article, "This is not about technology".

This is baloney.

The "boundary" around the formerly-validated code was completely wrong -- 
a simple analysis showed that code within the "FIPS container" called code 
outside the container. A sample program showed how this led to trivial 
breaks in security. I have seen a document that had this analysis, and 
included a sample program that printed all private keys to the screen and 
when asked for random numbers always returned the same value. I know this 
document was given to the module authors and the validation lab. The 
authors ignored this and also convinced the validation lab to ignore it. 
The lab (I'm really glad they're not a subsidiary of my employer any more) 
trusted the vendor; had they performed the most basic due diligence -- 
compile the program! -- they would have seen that the code should not have 
passed.  Hell, 'nm fipscanister.o | fgrep U' would have shown it!

There were other problems as well. For example, the DES/3DES self-test did 
not test encryption. Even worse, the implementation tested isn't the one 
used by the public APIs. (OpenSSL includes multiple DES/3DES 
implementations.)

Open source is not magic pixie dust that allows you to ignore basic 
reality. The certified code had serious flaws that were known to the 
parties involved in certification, yet they went ahead anyway. CMVP did 
the right thing.  Can you imagine the damage that could have been done if 
either critical systems were built using that code, or if a true enemy of 
the open source movement published the sample code after it had widespread 
use?

It greatly saddens me to say this, but unless there are significant 
changes in the process and/or participants, I will continue to advise 
anyone who wants to rely on a FIPS-certified OpenSSL that it is not safe 
to do so.
        /r$

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev at openssl.org
Automated List Manager                           majordomo at openssl.org

----- End forwarded message -----
-- 
Eugen* Leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
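
The undefined-symbol check named in the forwarded message ('nm fipscanister.o | fgrep U'), written out as an added example; it is not part of the original message or of the OpenSSL code. It matches on the nm type column instead of any "U" in the line and compares the result with an allowlist. The allowlist and every symbol name in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag undefined ("U") symbols in nm output that are not on an
# allowlist of external symbols the validated boundary may import.
# Intended use on a real object: nm fipscanister.o | boundary_violations

# Assumption: only these libc routines may be imported from outside.
ALLOWED="memcpy memset malloc free"

# Read nm output on stdin and print each undefined symbol name once.
# Undefined entries have no address, so the line is exactly "U <name>";
# a bare `fgrep U` would also hit names that merely contain a "U".
undefined_symbols() {
    awk 'NF == 2 && $1 == "U" { print $2 }' | sort -u
}

# Print the undefined symbols that are not on the allowlist. Each one is a
# call or reference that leaves the boundary and needs to be explained.
boundary_violations() {
    undefined_symbols | while read -r sym; do
        case " $ALLOWED " in
            *" $sym "*) ;;                 # permitted import
            *) printf '%s\n' "$sym" ;;     # crosses the boundary
        esac
    done
}

# Constructed nm output; all symbol names here are hypothetical.
sample_nm_output() {
    cat <<'EOF'
0000000000000000 T canister_selftest
0000000000000040 T canister_get_random
0000000000000000 D canister_UNUSED_table
                 U memcpy
                 U malloc
                 U outside_rand_bytes
                 U outside_key_print
EOF
}

# Demonstration on the constructed sample.
sample_nm_output | boundary_violations
```
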