OpenSSH use of OpenSSL in FIPS Mode

[Jefferson Ogata]

On 2007-03-06 22:58, Joshua Hill wrote:
> The central matter that is left unresolved here is this: Is it
> acceptable to build larger scale FIPS relevant security protocols
> using the primitives provided by the validated sub-module, _not_ seek
> an additional validation on this larger scale security functionality,
> and then sell your IT device into the US Federal setting?
> 
> I'm fairly certain that the answer here is "no", but it would be
> interesting to see what CMVP might say on the matter.

There you're getting into the fundamental issue of how the entire
concept of FIPS 140-2 validation is broken by design.

What counts as larger-scale security functionality? Is the
pseudo-terminal driver included, since the data passes through it on the
way to openssh? What about the VFS code that is used to page the openssl
shared libraries in? What about the kernel page fault handler? Then
there's the rest of the kernel--someone could have trojaned it to
surreptitiously pull all data out of openssl buffers before encryption
and transmit it to a third party. Or syslogd could be trojaned. And so
on, ad infinitum.

You have to draw the line somewhere on where the boundary on validation
is going to lie. And no matter where you draw it, there will be ways to
subvert the behavior of the validated code. If you follow the line of
reasoning that the code "outside" the cryptographic module has to be
validated also, the ultimate conclusion is that you have to validate the
universe. That would be time-consuming, and certainly exceed NIST's
resources.

Not offering any answers here, only questions. Sorry.

-- 
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service