Call for testing: OpenSSH-5.7
Steve Marquess
marquess at opensslfoundation.com
Fri Jan 21 23:47:20 EST 2011
Damien Miller wrote:
> On Thu, 20 Jan 2011, Steve Marquess wrote:
>
>> Well, use of CTR is arguably legal but IMHO questionable. AES-CTR is not
>> included in the #1051 validation (see
>> http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html#695), and there
>> is no compelling reason to use it (with or without FIPS 140-2).
>>
>
> Actually, http://www.openssh.com/txt/cbc.adv
>
> Removing CTR and RC4 leaves only vulnerable CBC mode ciphers.
>
Good point. The standard FIPS-centric response to this situation is to
do what policy requires. It's a sad fact that, all other things being
equal, FIPS 140-2 validated crypto implementations are less secure (in
the real-world sense of resistance to evil attack) than non-validated
equivalents. When you spend too much time working in that arena it's
easy to forget that's not a good thing.
The long term solution is to include CTR mode in the currently ongoing
validation, which we plan to do. In any event we have to be sure not to
just make up an EVP_CIPHER because that results in using the low-level
APIs which don't utilize the approved interface for the FIPS
module. Instead we would want to build up a CTR mode in terms of EVP
ECB mode.
-Steve M.
--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marquess at opensslfoundation.com
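The construction Steve describes (CTR built on top of an ECB single-block call rather than a hand-rolled EVP_CIPHER) as an added example; this is not code from the thread, OpenSSH or OpenSSL. The block primitive is an injected callable so the same function runs over an approved EVP AES-ECB call; `_stand_in_block` is a constructed placeholder for offline use, and the optional `cryptography`-backed check assumes that package is installed.

```python
"""CTR mode from an ECB single-block encrypt call (added example)."""
from typing import Callable, Optional

BLOCK = 16  # AES block size in bytes


def _increment(counter: bytes) -> bytes:
    """Big-endian increment of the whole 128-bit counter block, with carry
    across all bytes (the convention OpenSSH's aes-ctr uses); wraps at 2^128."""
    value = (int.from_bytes(counter, "big") + 1) % (1 << (8 * BLOCK))
    return value.to_bytes(BLOCK, "big")


def ctr_crypt(ecb_block: Callable[[bytes], bytes], iv: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) using only the forward ECB primitive.
    No cipher decrypt direction is needed, so no separate EVP_CIPHER is built."""
    if len(iv) != BLOCK:
        raise ValueError("initial counter must be exactly one block")
    out = bytearray()
    counter = iv
    for off in range(0, len(data), BLOCK):
        keystream = ecb_block(counter)          # E_k(counter) via ECB
        if len(keystream) != BLOCK:
            raise ValueError("block primitive returned wrong size")
        chunk = data[off:off + BLOCK]           # final chunk may be short
        out += bytes(a ^ b for a, b in zip(chunk, keystream))
        counter = _increment(counter)
    return bytes(out)


def _stand_in_block(counter: bytes) -> bytes:
    """Constructed placeholder keystream function (NOT a cipher) so the
    construction can be exercised without libcrypto. Assumption, not AES."""
    return bytes(((b * 167) + i * 29 + 11) & 0xFF for i, b in enumerate(counter))


def aes_ctr_test_vector() -> Optional[bool]:
    """Check ctr_crypt against NIST SP 800-38A F.5.1 (AES-128 CTR, first two
    blocks) using a real AES-ECB primitive; None if `cryptography` is absent."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        return None
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
    ecb = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    iv = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")
    pt = bytes.fromhex("6bc1bee22e409f96e93d7e117393172a"
                       "ae2d8a571e03ac9c9eb76fac45af8e51")
    expect = bytes.fromhex("874d6191b620e3261bef6864990db6ce"
                           "9806f66b7970fdff8617187bb9fffdff")
    return ctr_crypt(lambda blk: ecb.update(blk), iv, pt) == expect
```

Passing an EVP AES-ECB single-block call (or the `cryptography` ECB encryptor above) as `ecb_block` gives standard AES-CTR; the counter and partial-block handling are the only parts the caller has to get right.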