Thoughts about FIPS Support in Indy

Hi,

I recently had a talk with JP Mugaas about whether we should include FIPS support of OpenSSL in Indy and to what extend this will be useful for our users (especially those in the United States).

We agreed that many users would benefit from the possibility to write FIPS compliant applications. However as you know providing support for it can only be part of your certification process. On the other hand: Even if you or your company don’t decide to get a certification on your own it would be still an advantage to be able to write at least FIPS compliant applications.

What do you think about? Would that be of interest to you?

Feel free to add your comments about. Currently we are only planning…

Regards,
Arvid

Advertisements

8 thoughts on “Thoughts about FIPS Support in Indy

  1. FIPS would be nice, but it is more important for me to be able to use crypto without calling DLL functions with password, etc. as parameter.

    Why? Because any monkey can intercept a DLL function call to OpenSSL and break security without any assembly language skills or time-consuming crypto analysis.

    In addition to secure communication with other computers, we use crypto for software activation, license key management, etc. on computers where we do not trust the users (which is why we have software activation).

    I’m not saying putting crypto functions inside the exe will prevent all hacking. I’m just saying that using an external crypto DLL will make automated attacks easy. And having a FIPS-approved DLL will certainly make it worthwhile to automate attacks against it.

    Compile OpenSSL using C++Builder 2010 + NASM. Then figure out a way to make it easy for Delphi projects to static link to it. I will be your 1st customer. I need AES-CTR and RSA and SHA-256. PBKDF2 and secure PRNG would be nice, too. 🙂

    • Hi Rich,

      I know that some prefer static linking (including myself). It is currently not implemented due to the fact the Indy does not only support Windows OSs – and in some Operating Systems the OpenSSL libraries are part of the system itself. Regarding static linking and FIPS: it is not that easy, compiling the FIPS branch for static linking (and using C++ Builder at all) is not a one-step procedure 😉

      I’ll consider it.

      Cheers,
      Arvid

  2. Same as Rich. It is important for us to have a single exe file.
    Also, a high-performance hash/crypt engine will be a very nice thing. It seems that the most appropriate is Skein. See http://en.wikipedia.org/wiki/Skein_Hash_Function for reference,

    …and here for an implementation both for hash and for stream cipher: http://code.google.com/p/skeinfish/ (beware, the current version is 1.2)

    It seems that (perhaps?) a better alternative would be BMW (http://ehash.iaik.tugraz.at/wiki/Blue_Midnight_Wish) – according to http://www.skein-hash.info/sha3-engineering but the info about BMW is a little bit fuzzy AFAIS.

    • Hi,

      I agree that the Skein hashing looks very promising, regarding Blue Midnight Wish I would like to wait for further research about (especially when having read about the near-collision attack, see http://www2.mat.dtu.dk/people/S.Thomsen/bmw/nc-compress.pdf).

      But: We are talking about implementing FIPS by using what OpenSSL already has. I am sure the OpenSSL team will go ahead and implement the NIST finalist at some stage, so it will be available in Indy too.

      By the way: Regarding fast hashing and ciphers in Delphi be sure to have a look at my co-edited Delphi Encryption Compendium for Delphi & C++ Builder (hosted here http://www.michael-puff.de/Developer/Delphi/Importe/Hagen_Reddmann/). Currently it will not receive any new hashes and ciphers but probably worth a look too.

      Cheers, Arvid

  3. FIPS is short for Federal Information Processing Standard and is authored by the National Institute of Standards and Technology (NIST). FIPS 140-2 is titled “Security Requirements for Cryptographic Module”. There is also a FIPS 180-3 titled “Secure Hash Standard” that succeeds FIPS 140-2. This is a legal requirement for government agencies and contractors in the U.S. and Canada. Government contractors can include a wide variety of businesses and even if an institution is not required to use FIPS-140 complaint software, they may choose to do so for their own reasons.

    Basically, they require that information be processed with tamper-resistant modules that uses strong NIST-approved cryptographic algorithms. OpenSSL does have a FIPS certificate and a FIPS .DLL can be created with Visual Studio and some specific compiler directives. The thing is that you have to use the developer’s process unless you intend to obtain a certificate for your own build process and any alterations you make. The OpenSSL developers have documents about their FIPS support at http://www.openssl.org/docs/fips/. You should also read http://openssl.org/docs/fips/fipsnotes.html .

    From a programming point of view, we will have OpenSSL for all of Indy’s hashing if you are using a FIPS mode. FIPS will only an option as some people still have to use old compromised algorithms such as MD2, MD4, and MD5.

    Anyway, I hate to toot my horn about this stuff but I want to provide a balanced discussion of this.

  4. @J. Peter Mugaas

    Hi Buddy 😉

    Thank you for helping out with the very good explanation of what FIPS actually is. I forgot to put a link for those not being aware of (esp. users outside the US will likely not know anything about).

    I know you like taking a back seat – but there’s no need to, it has been your idea and suggestion!

    Cheers,
    Arvid

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s