Flaws in OpenSSL FIPS Object Module

Ralf-Philipp Weinmann weinmann at cdc.informatik.tu-darmstadt.de
Wed Dec 5 06:43:21 EST 2007

On Dec 3, 2007, at 16:51 , Paul Hoffman wrote:

> At 9:58 AM -0500 12/3/07, Perry E. Metzger wrote:
>> I don't know if people have been following this, but it is  
>> interesting
>> from the point of view of studying how the FIPS process does (or does
>> not) interact with the underlying goal of producing assured systems.
> Another interesting part is that open-source systems are much more  
> susceptible to being attacked by competitors (that is, having their  
> validation suspended) than are closed-source systems.

Hi Paul,

this may have been true in the past. Enter tools like BinDiff [1] and  
BinNavi [2] and a skilled reverse engineer is able to shoot down  
you're closed-source implementation almost as quickly as one for which  
she has source (assuming she has binaries, of course).


[1] Zynamics BinNavi

[2] Zynamics BinDiff

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 1846 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20071205/765e36e9/attachment.bin>

More information about the cryptography mailing list