|Main Archive Page > Month Archives > openssh-unix-dev archives|
Damien Miller wrote:
> On Thu, 20 Jan 2011, Steve Marquess wrote:
>> Well, use of CTR is arguably legal but IMHO questionable. AES-CTR is not
>> included in the #1051 validation (see
>> http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html#695), and there
>> is no compelling reason to use it (with or without FIPS 140-2).
> Actually, http://www.openssh.com/txt/cbc.adv
> Removing CTR and RC4 leaves only vulnerable CBC mode ciphers.
Good point. The standard FIPS-centric response to this situation is to
do what policy requires. It's a sad fact that, all other things being
equal, FIPS 140-2 validated crypto implementations are less secure (in
the real-world sense of resistance to evil attack) than non-validated
equivalents. When you spend too much time working in that arena it's
easy to forget that's not a good thing.
The long term solution is to include CTR mode in the currently ongoing
validation, which we plan to do. In any event we have to be sure not to
just make up an EVP_CIPHER because that results in using the low-level
APIs which don't utilize the the approved interface for the FIPS
module. Instead we would want to build up a CTR mode in terms of EVP
-- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877-673-6775 email@example.com _______________________________________________ openssh-unix-dev mailing list firstname.lastname@example.org https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev