[openssl-users] Verifying the sha1 of fipscanister.o with what is embedded in libcrypto.so

Steve Marquess marquess at openssl.com
Wed Mar 16 11:39:01 UTC 2016


On 03/15/2016 08:38 PM, Satya Das wrote:
> Steve,
> 
> How does one get a hold of the embedded signature in libcrypto.so ? 

I assume you're referring to the known-good FIPS 140-2 integrity check
digest that is used for the runtime integrity check in the POST.

Several people have already tried to explain that finding that digest
DOES NOT repeat NOT prove that the application runtime binary is using a
FIPS 140-2 validated module. The digest was inserted when the
application was (correctly) linked to the FIPS module, and I've already
told you a way it could be located, but having such a tool gains you
nothing.

The magical pixie dust that distinguishes a validated module from a
bit-for-bit identical non-validated module is undetectable by any kind
of software, thus it is impossible -- even blue-sky theoretically -- to
develop a technical tool or utility of any kind that will suffice as
proof a product is using a validated cryptographic module. It is even
less possible than the "secure backdoor" in FBI/DoJ fantasies.

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

