Re: [saag] Algorithms/modes requested by users/customers
Ben Laurie <ben@links.org> Thu, 06 March 2008 09:43 UTC
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id m269hfQ4010831 for <saag@PCH.mit.edu>; Thu, 6 Mar 2008 04:43:41 -0500
Received: from mit.edu (M24-004-BARRACUDA-2.MIT.EDU [18.7.7.112]) by fort-point-station.mit.edu (8.13.6/8.9.2) with ESMTP id m269hTKh019524 for <saag@mit.edu>; Thu, 6 Mar 2008 04:43:29 -0500 (EST)
Received: from mail.links.org (mail.links.org [217.155.92.109]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mit.edu (Spam Firewall) with ESMTP id 7BC2BFDF416 for <saag@mit.edu>; Thu, 6 Mar 2008 04:43:05 -0500 (EST)
Received: from [193.133.15.218] (localhost [127.0.0.1]) by mail.links.org (Postfix) with ESMTP id C480233C1C; Thu, 6 Mar 2008 09:42:42 +0000 (GMT)
Message-ID: <47CFBC99.3000608@links.org>
Date: Thu, 06 Mar 2008 09:42:49 +0000
From: Ben Laurie <ben@links.org>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070326 Thunderbird/2.0.0.0 Mnenhy/0.7.4.0
MIME-Version: 1.0
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
References: <E1JRnFf-0008Uw-1D@wintermute01.cs.auckland.ac.nz>
In-Reply-To: <E1JRnFf-0008Uw-1D@wintermute01.cs.auckland.ac.nz>
X-Enigmail-Version: 0.95.6
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.12
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
Cc: saag@mit.edu, rja@extremenetworks.com, mcgrew@cisco.com
Subject: Re: [saag] Algorithms/modes requested by users/customers
X-BeenThere: saag@mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
List-Id: IETF Security Area Advisory Group <saag.mit.edu>
List-Unsubscribe: <http://mailman.mit.edu/mailman/listinfo/saag>, <mailto:saag-request@mit.edu?subject=unsubscribe>
List-Archive: <http://mailman.mit.edu/pipermail/saag>
List-Post: <mailto:saag@mit.edu>
List-Help: <mailto:saag-request@mit.edu?subject=help>
List-Subscribe: <http://mailman.mit.edu/mailman/listinfo/saag>, <mailto:saag-request@mit.edu?subject=subscribe>
X-List-Received-Date: Thu, 06 Mar 2008 09:43:45 -0000
Peter Gutmann wrote: > mcgrew <mcgrew@cisco.com> writes: > >> Winston Churchill said that democracy is the worst form of government, except >> for all of the others. I think that the same is true for the FIPS-140 >> cryptomodule validation process ;-) > > I think it's more a case of the Politician's Fallacy: > > 1. Something must be done. > 2. This is something. > 3. This must be done. > > It'd be interesting to see a study of the effectiveness in terms of finding > security and interop problems of: > > A. A FIPS 140 eval. > > B. Running the code through Fortify/Coverity/whatever and completing a crypto > exchange with a peer (TLS, S/MIME, PGP, whatever the underlying crypto is > that's being used). > > in particular in terms of return for effort-involved. Having done both of these, I can give you an impromptu answer, and also comment on some other themes I've seen on this thread. The background here is I did most of the initial work for the FIPS-140 eval of OpenSSL. I also have access to Coverity runs over OpenSSL. There's no doubt that Coverity gives far more return on effort. It actually found problems. FIPS-140 did not (though it did create some, see below). Coverity took only a few days of investment. FIPS-140 took months (and years of elapsed time). Other themes... Silly modes: FIPS-140 doesn't introduce silly modes that are available to client s/w, but it does introduce some really quite complex silliness for the tests, involving repeated encryption of a block, extracting some of the output and using it to create new keys and data for more repeated encryptions. Getting those right was really very painful - and, as far as I can see, no more useful than standard test vectors. Fixed input to PRNGs: someone observed that this is worrisome from a security point of view. The fact that OpenSSL got certified and yet had a huge security hole because it accidentally left the PRNG seeded from the self-test supports this concern (http://openssl.org/news/secadv_20071129.txt). Weak PRNGs: no-one mentioned this, I don't think, but one of the things that bugged me most was having to replace OpenSSL's PRNG with a much weaker one, as required by FIPS-140. Enforced security holes: again, not mentioned, but one of the problems with PRNGs under Unix is that after a fork, both copies will produce the same randomness. OpenSSL protects against this by detecting a fork and mixing in different stuff in the two processes. I replicated this behaviour for FIPS-140 and was forced to remove it. The result is that if you use FIPS-140 mode and you fork, if you don't reseed the PRNG yourself, you have made a big mistake. Cost: Peter Gutmann points out that the total cost of an eval vastly exceeds the cost of the testing lab. He's right. There's a huge amount of paperwork and pointless code to write. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.links.org/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
- [saag] Algorithms/modes requested by users/custom… Randall Atkinson
- Re: [saag] Algorithms/modes requested by users/cu… Paul Hoffman
- Re: [saag] Algorithms/modes requested by users/cu… Randall Atkinson
- Re: [saag] Algorithms/modes requested by users/cu… Stephen Kent
- Re: [saag] Algorithms/modes requested by users/cu… Randall Atkinson
- Re: [saag] Algorithms/modes requested by users/cu… Paul Hoffman
- Re: [saag] Algorithms/modes requested by users/cu… Paul Hoffman
- Re: [saag] Algorithms/modes requested by users/cu… Jack Lloyd
- Re: [saag] Algorithms/modes requested by users/cu… Paul Hoffman
- Re: [saag] Algorithms/modes requested by users/cu… mcgrew
- Re: [saag] Algorithms/modes requested by users/cu… Stephen Kent
- Re: [saag] Algorithms/modes requested by users/cu… Jon Callas
- Re: [saag] Algorithms/modes requested by users/cu… Peter Gutmann
- Re: [saag] Algorithms/modes requested by users/cu… Peter Gutmann
- Re: [saag] Algorithms/modes requested by users/cu… Steven M. Bellovin
- Re: [saag] Algorithms/modes requested by users/cu… Peter Gutmann
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Randall Atkinson
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Randall Atkinson
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Randall Atkinson
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Jon Callas
- Re: [saag] Algorithms/modes requested by users/cu… Stephen Kent
- Re: [saag] Algorithms/modes requested by users/cu… mcgrew
- Re: [saag] Algorithms/modes requested by users/cu… Vishwas Manral
- Re: [saag] Algorithms/modes requested by users/cu… Peter Gutmann
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Peter Gutmann
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Stephen Kent
- Re: [saag] Algorithms/modes requested by users/cu… Peter Gutmann
- Re: [saag] Algorithms/modes requested by users/cu… Ben Laurie
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani
- Re: [saag] Algorithms/modes requested by users/cu… Santosh Chokhani