Flaws in OpenSSL FIPS Object Module
Vin McLellan
vin at theworld.com
Mon Dec 10 11:27:10 EST 2007
What does it say about the integrity of the FIPS program, and its
CMTL evaluation process, when it is left to competitors to point out
non-compliance of evaluated products -- proprietary or open source --
to basic architectural requirements of the standard?
_Vin
==============================
At 01:15 PM 12/7/2007, Ed Gerck wrote
>Peter Gutmann wrote:
>>While it's possible to say "There's something we noticed here in
>>the source code that requires the software to be ejected from the
>>train", it's a bit harder to say "We spent three months
>>reverse-engineering someone else's proprietary protected
>>intellectual property and think we may have found something".
>
>Peter cites an important difference. You may be able to see but you
>can't tell.
>
>However, one can still easily reverse-engineer to find the
>vulnerability and then present an exploit saying "There's something
>we noticed here when the code is executed with this input...".
>
>The conclusion holds that closed-source is now less of a reasonable
>argument in terms of /protecting/ source code.
>
>Software-as-a-Service (SaaS), though, would still work in terms of
>protecting source code, as all you have is a "service
>oracle" that does not necessarily reveal code details or flaws. SaaS
>could be supplied remotely or locally, with a secure processor card
>or secure USB-processor.
>
>Cheers,
>Ed Gerck
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com