[Cryptography] "Is FIPS 140-2 Actively harmful to software?"

Theodore Ts'o tytso at mit.edu
Mon Jun 23 22:40:15 EDT 2014


On Mon, Jun 23, 2014 at 07:44:44PM -0400, John Kelsey wrote:
> 
> That audit is only meaningful until the developers start changing
> the code.  A code audit of the current version of the library
> doesn't give anyone much assurance (or shouldn't) about later
> versions of the library.  If you want the assurance of the audit,
> you can't change the code!  I don't really see any way around that.
> (Go ask current users of Skype about that.)

So if the audit is **perfect** then it doesn't matter.  The library
with the "goto fail" bug also passed the audit (just as the Taiwan
Personal Certificate hardware token had passed the FIPS certification
audit), and then the problem is the "don't even touch a line of this
code, not even a comment", pretty much guarantees that no developer
will look at the code after it has been audited, lest they result in
the company getting charged hundreds of thousands of dollars.

Of course, this doesn't stop the bad guys from looking at the code,
and finding entertaining problems like the "goto fail" bug.

So the question is does the audit actually do enough good that it's
worth freezing all further development activity on the library?  It's
true that further development could introduce bugs ---- but code clean
ups can actually find and fix problems, too.

There are no easy answers here, agreed.  But one would think that if
you've paid hundreds of thousands of dollars, and the code gets a
"pass", you should have some assurance that the code doesn't have
horrendous bugs in it.  If not, is it worth paying that money and
freezing any cleanup activity?  (Other than so you can sell into the
US Government market, that is....)

> The ideal situation w.r.t. a software validation would include a
> digital signature on the source code, right?  And then any change to
> the source code, or the part covered by the signature/audit, would
> automatically invalidate it.  You could imagine some ways to make
> extending the validation to include some changes more economical,

Well, the ideal situation is that the software validation would cover
a specific git commit.  That way futher validations could look at the
code changes since that particular git commit, instead of starting
from scratch.  And ideally, if the FIPS labs are going to charge
hundreds of thousands of dollars, they should be willing to pay a
bounty of say, $50,000 per security bug that they didn't catch, with a
trusted third party validating whether a security bug report was valid
or not.  And of course, they shouldn't charge to validate the fix.

And maybe the certification should be paid for by the insurance
company, with the companies paying insurance to cover the economic
damages for any missed security vulnerability.

But as it stands, the FIPS labs are basically a tax on companies that
want to sell to the US government, and presumably that means the
prices for selling into the US government market are jacked up
accordingly.  Which means the economic incentives are all broken, and
the people who end up getting fleeced are the US Taxpayers....

    	       	      	      	      	  - Ted


More information about the cryptography mailing list