Flaws in OpenSSL FIPS Object Module

Vin McLellan vin at theworld.com
Mon Dec 10 11:27:10 EST 2007

What does it say about the integrity of the FIPS program, and its 
CMTL evaluation process, when it is left to competitors to point out 
non-compliance of evaluated products -- proprietary or open source -- 
to basic architectural requirements of the standard?



At 01:15 PM 12/7/2007, Ed Gerck wrote

Peter Gutmann wrote:
>>While it's possible to say "There's something we noticed here in 
>>the source code that requires the software to be ejected from the 
>>train", it's a bit harder to say "We spent three months 
>>reverse-engineering someone else's proprietary protected 
>>intellectual property and think we may have found something".
>Peter cites an important difference. You may be able to see but you 
>can't tell.
>However, one can still easily reverse-engineer to find the 
>vulnerability and then present an exploit saying "There's something 
>we noticed here when the code is executed with this input...".
>The conclusion holds that closed-source is now less of a reasonable 
>argument in terms of /protecting/ source code.
>Software-as-a-Service (SaaS), though, would still work in terms of 
>protecting source code, though, as all you have is a "service 
>oracle" that does not necessarily reveal code details or flaws. SaaS 
>could be supplied remotely or locally, with a secure processor card 
>or secure USB-processor.
>Ed Gerck
>The Cryptography Mailing List
>Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list