Flaws in OpenSSL FIPS Object Module

Victor Duchovni Victor.Duchovni at MorganStanley.com
Tue Dec 11 13:44:44 EST 2007

On Mon, Dec 10, 2007 at 04:17:38PM -0500, Leichter, Jerry wrote:

> It is, of course, the height of irony that the bug was introduced in the
> very process, and for the very purpose, of attaining FIPS compliance!

But also to be expected, because the feature in question is "unnatural":
the software needs a testable PRNG to pass the compliance tests, and
this means adding code to the PRNG to make it more predictable under
test conditions.

As the tests only test the predictable PRNG, it is easy to not notice
failure to properly re-seed the non-test PRNG. One can't easily test
failure to operate correctly under non-test conditions. And the additional
complexity of the test harness makes such failure more likely.

The interaction of the test harness with the software under study needs
close scrutiny (thorough and likely multiple independent code reviews).

Similar bugs are just as likely in closed-source software and are less
likely to be discovered.


 /"\ ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X AGAINST       IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list