Flaws in OpenSSL FIPS Object Module

Ed Gerck edgerck at nma.com
Fri Dec 7 13:15:50 EST 2007

Peter Gutmann wrote:
>  While it's possible to say "There's something we noticed
> here in the source code that requires the software to be ejected from the
> train", it's a bit harder to say "We spent three months reverse-engineering
> someone else's proprietary protected intellectual property and think we may
> have found something".

Peter cites an important difference. You may be able to see but you can't tell.

However, one can still easily reverse-engineer to find the vulnerability
and then present an exploit saying "There's something we noticed here when
the code is executed with this input...".

The conclusion holds that closed-source is now less of a reasonable argument
in terms of /protecting/ source code.

Software-as-a-Service (SaaS), though, would still work in terms of
protecting source code, though, as all you have is a "service oracle" that
does not necessarily reveal code details or flaws. SaaS could be supplied
remotely or locally, with a secure processor card or secure USB-processor.

Ed Gerck

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list