[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]

Re: [LUG] Who's using broken proprietary crypto?

To: list@xxxxxxxxxxxxx
Subject: Re: [LUG] Who's using broken proprietary crypto?
From: bad apple <mr.meowski@xxxxxxxx>
Date: Sun, 22 Sep 2013 18:38:31 +0100
Delivered-to: dclug@xxxxxxxxxxxxxxxxxxxxx

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 22/09/13 19:07, Martijn Grooten wrote:
> On Sun, 22 Sep 2013, Philip Hudson wrote:
>> http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html
> 
> 342: OpenSSL FIPS Object Module.
> 
> Oops.
> 
> Martijn.
> 
> 

Which luckily nobody outside the US uses, and nobody inside the US who
hasn't been leant on in someway does either.

- From http://opensslfoundation.com/fips/:

"The OpenSSL FIPS Object Module ("FIPS module") is a special software
product designed to meet the requirements for FIPS 140-2 validation by
the CMVP. There requirements are unusual from a software engineering
perspective, and have very substantially affected the form and
function of the FIPS module.

The FIPS module was designed for use with the OpenSSL toolkit and
library in environments where use of FIPS 140-2 validated cryptography
is mandated. Note the FIPS module is not really not appropriate for
where such use is not mandated as it does not have any technical
virtues (security, performance, maintainability) with respect to the
equivalent stock OpenSSL distributions."

Pay special attention to the last sentence: they are basically saying
the FIPS 140-2 module is crap, they know it is crap, and everyone
should *nudge nudge wink wink* stay away from it unless they
absolutely have to use it for a mandated reason (i.e., engaging in
commercial relations with the US government).

But yes, that list is a pretty eye-watering chunk of failure.

Regards

mr meowski | bad apple | key:DA2B8CF3

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJSPysWAAoJEFGW4ufaK4zzndMP/jEeo4E/LDehfbud2hnq174a
39/x0919ye1YusEyUR8+2BBfeSZgQQfhRR+uEun+EWjRbiWeO53c02i2NjC2Cq8z
QIumV5c5KXcHFlGMd4GPqknV7sg3PtSBI/e/NtitD1I0xwYEMqcco9S8t/M5nG45
nqj7m4A+wAjD+Lb2PBSG8/fvFV1xilg00ST/MlpM/VQlHo+cbMukX6CmgHHuzmxB
hnUcvFU0OCH1x6KgLExW8QG/s24d0dI9r2P0BC8amuteb+2xXlETpbqM489iXCpO
Lp2R5WZUV3p5ScpkKEKRaAeaQKIQkQMjAtzKDXhFGu51liPirqoEfznaPJ6o9mxR
5u5UlcvcYvB1NAtwG2wWMCanqMvK94YoKOJJAi7AN+quswR7Xhk+XqEGKEt1pnwY
c7U6NY7VTTe1GL3DZTpZw2x3pIfA6g1kQ8u58yeMMtKcBJduvu5amUX0yUUAvZXI
xRKJlujvx7asPB9U4N7P3cwm+vdsxgdXcgS7fY0cKkQ/UaSbdYye7ycORSR83u7Q
q2jG9gf1Fl281qbpvfjKNtiAN7Ia0NChXNJEXmW8FaRuVN8xCPb3PmyV973EQAWu
y9tceggIU4WRMNrmsnNVirfSgpZf+8kzofqn1b3HEnnyIFFB38cfFCz08GFvjAg3
GrWBnFEh3fZ6iQjL3KBj
=wxZg
-----END PGP SIGNATURE-----

Attachment: 0xDA2B8CF3.asc
Description: application/pgp-keys

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq

Follow-up: Re: [LUG] Who's using broken proprietary crypto?
- From: Martijn Grooten

References:
- [LUG] Who's using broken proprietary crypto?
  - From: Philip Hudson
- Re: [LUG] Who's using broken proprietary crypto?
  - From: Martijn Grooten

Prev by Date: Re: [LUG] Who's using broken proprietary crypto?
Next by Date: Re: [LUG] Who's using broken proprietary crypto?
Previous by thread: Re: [LUG] Who's using broken proprietary crypto?
Next by thread: Re: [LUG] Who's using broken proprietary crypto?
Index(es):
- Date
- Thread