Advisories Archives | SafeLogic

All posts in Advisories

24 Aug 2016

How does the SWEET32 Issue (CVE-2016-2183) affect SafeLogic’s FIPS Modules?

Executive Summary:

A newly demonstrated attack, "SWEET32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN", shows that a network attacker monitoring an HTTPS session secured by Triple-DES can recover sensitive information. The attack was performed in a lab setting in less than two days by capturing 785 GB of traffic over a single HTTPS connection.

Sounds scary at first.

The good news: No action is required by SafeLogic customers for the SWEET32 issue.

 

My FIPS 140-2 Module is not Broken?

Correct. Triple-DES [1] is a FIPS Approved algorithm and is expected to remain one for the foreseeable future. Triple-DES uses a 64-bit block size, which makes it vulnerable to this attack. Cryptographers have long been aware of this type of vulnerability in ciphers designed with small block sizes.

The AES symmetric cipher (also a FIPS Approved algorithm) is not vulnerable to this attack.

[1] Two-key Triple-DES may only be used for decryption purposes in the FIPS mode of operation. Three-key Triple-DES may be used for encryption and decryption purposes in the FIPS mode of operation.

What Might NIST Do?

Since a considerable amount of ciphertext needs to be captured to make this attack possible, this is a low security concern for nearly every use of TLS. We anticipate that CMVP (NIST/CSE) may publish future guidance limiting the amount of plaintext that is encrypted using a single Triple-DES key, but we do not expect the CMVP to remove Triple-DES from the list of FIPS Approved algorithms due to this reported attack.
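To put numbers on "a considerable amount of ciphertext", here is an added example (not SafeLogic code) that applies the standard birthday approximation to the 785 GB figure and derives a per-key data limit of the kind such guidance might set. It assumes ciphertext blocks behave as uniformly random values, reads GB as decimal gigabytes, and uses a constructed one-in-a-million probability cap.

```python
import math

GB = 10 ** 9  # assumption: the 785 GB figure is read as decimal gigabytes


def expected_collisions(data_bytes, block_bits):
    """Expected number of colliding ciphertext-block pairs under one key."""
    n = data_bytes // (block_bits // 8)       # blocks encrypted
    return n * (n - 1) / 2 / 2 ** block_bits  # block pairs / possible block values


def collision_probability(data_bytes, block_bits):
    """Birthday approximation: P(at least one collision) = 1 - exp(-E)."""
    return -math.expm1(-expected_collisions(data_bytes, block_bits))


def max_bytes_per_key(block_bits, max_probability):
    """Largest volume per key that keeps the collision probability under the cap."""
    # Solve n^2 / 2^(b+1) = -ln(1 - p) for n, then round down to whole blocks.
    n = math.sqrt(-math.log1p(-max_probability) * 2 ** (block_bits + 1))
    return int(n) * (block_bits // 8)


if __name__ == "__main__":
    captured = 785 * GB
    for name, bits in (("Triple-DES", 64), ("AES", 128)):
        print(f"{name:10s} expected collisions: "
              f"{expected_collisions(captured, bits):.3g}, "
              f"P(collision): {collision_probability(captured, bits):.3g}")
    # Constructed policy value: cap the collision probability at one in a million.
    limit = max_bytes_per_key(64, 1e-6)
    print(f"Triple-DES rekey limit at p <= 1e-6: {limit / 10**6:.1f} MB")
```

The same traffic volume that yields hundreds of expected block collisions with a 64-bit block yields essentially none with AES's 128-bit block, which is why rekeying limits matter for Triple-DES and not, at these volumes, for AES.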

 

Should I Turn Off Triple-DES to be Safe?

That depends on your company’s security policy for addressing vulnerabilities. The SWEET32 issue does not make Triple-DES itself any less secure than it was yesterday and the method of attack is not new. You may need to continue supporting Triple-DES in order to allow TLS connections that are not able to negotiate use of the AES cipher. (Note that good security practices always negotiate AES at a higher priority than Triple-DES.) In short, there is no need to turn off the use of Triple-DES in your application.

 

What If I Still Have Questions?

Please contact me. I am happy to be a resource to you.


17 Jun 2016

Format-Preserving Encryption (FPE) in ‘FIPS Approved’ Mode

The FIPS 140-2 Implementation Guidance (A.10) now includes vendor affirmation requirements for the format-preserving encryption schemes (FF1, FF3) specified in SP 800-38G.

As its name suggests, format-preserving encryption transforms plaintext to ciphertext of the same format and length. For example, format-preserving encryption may be used for a legacy application that needs to protect 16-digit credit card numbers and 9-digit social security numbers in a database without having to change their storage allocations. FPE has saved a lot of headaches in these use cases, as you can imagine.

For ‘FIPS Approved’ operation, until Cryptographic Algorithm Validation Program (CAVP) testing becomes available specifically for FPE, vendors will need to complete CAVP testing for the underlying AES algorithm, make documentation updates, and affirm compliance to SP 800-38G. Alternatively, SafeLogic can help you strategize and complete this process as easily as possible.

If you have a customer requirement to provide format-preserving encryption with FIPS 140-2 validation, then please contact us today.


14 Jan 2016

The Transition Is Here: RNGs Disallowed in 2016

Question: I’m hearing rumors that my FIPS 140-2 cryptographic module will be moved to NIST’s Legacy Validation List on January 31, 2016.  Is this true?

Answer: The rumors are true for many organizations, unfortunately. If your cryptographic module contains any of the RNGs in FIPS 186-2, ANS X9.31, or ANS X9.62-1998 on the “FIPS Approved algorithm” list, your certificate will be re-classified and moved to the Legacy Validation List unless it is reaffirmed otherwise. In addition, certificates that have not been updated since 2011 or prior will be relegated to the Legacy List next year, as part of a five-year rolling expiration. More on that soon.

The bad news: Federal agencies have been instructed to strictly avoid products that have been moved to this Legacy Validation List. We know that DISA has already contacted technology vendors that are in danger of having their certificates moved to the Legacy Validation List. This is a demonstration of DISA’s attention to this issue – they plan to be extremely proactive and solutions that fall out of compliance will not be able to slide under the radar.  Every vendor with an RNG included on their FIPS certificate should immediately take action to keep their modules available for procurement.

NIST Special Publication 800-131A has been warning that these RNGs will be “disallowed” in 2016. The SP800-131A publication contains guidance for the use of stronger cryptographic keys and more robust algorithms. Because of concerns about increasing computing power and possible new attacks, the older RNGs have been dropped by the NIST Cryptographic Technology Group in favor of the newer SP800-90A DRBG algorithms: HASH_DRBG, HMAC_DRBG and CTR_DRBG. Since randomness in generating keying material is essential to strong cryptography, this is a proactive step by NIST to evolve to stronger security solutions for federal agencies.

The good news: SafeLogic customers will not be affected. Our clients will remain on NIST’s Active Validation Lists. Federal agencies will still be allowed to acquire products that are using SafeLogic’s cryptographic modules when enforcement begins on January 31, 2016, due to our strong support team and aggressive updates to ensure compliance.  SafeLogic’s dedication to certificate maintenance has saved our customers significant time, effort and heartache.  With NIST’s renewed commitment to keeping the validation list current, maintenance is more crucial than ever before.  Neglecting your certificate can quickly render obsolete the product of years of work and significant investment – and that’s never a good thing.

Whether you have questions about the RNG transition, want more information on SafeLogic’s drop-in FIPS solutions, or your current validation is being re-classified to the archive list, please contact us. SafeLogic can help!

Now that you know SafeLogic can take care of your FIPS cert, here’s some RNG humor to help dissipate that stress:

Classic Dilbert from 2001.



15 Oct 2014

Putting a Muzzle on POODLE

You may have seen the news about POODLE recently. The good news is that it’s not as severe as Heartbleed, which affected server-side SSL implementations and had repercussions across most web traffic. The bad news is that it’s still seriously nasty.

POODLE is an acronym for Padding Oracle On Downgraded Legacy Encryption and essentially allows an attacker to decrypt SSL v3.0 browser sessions. This man-in-the-middle attack has one major constraint: the attacker has to be on the same wireless network.

That renders POODLE irrelevant because everyone locks down their wireless networks, right? Oh yeah, except those customer-friendly coffee shops with public wifi. In places like Palo Alto, you can bet there is a *lot* of interesting information going over the air there. Or at conferences, where diligent employees handle pressing business and aggressive stock traders log in to their account to buy the stock of the keynote speaker (or short it if his presentation lacks luster).  The threat is real – session hijacking and identity theft are just the tip of the iceberg.

It’s worth noting that this is a protocol-specific vulnerability and not tied to vendor implementation (such as Heartbleed with OpenSSL and the default Dual_EC_DRBG fiasco with RSA). That makes it a mixed bag. The issue affects a wide variety of browsers and servers (Twitter, for example, scrambled to disable SSLv3 altogether), but users do have some control.  This is because SSLv3 can also be disabled in the client within some browser configurations, so check your current settings for vulnerability at PoodleTest.com and install any patches when available for your browser.

Some browser vendors have already made moves to patch against this threat and permanently disable SSLv3.  Meanwhile, others have dubbed server-side vulnerability “Poodlebleed” and offer a diagnostic tool to assess connectivity.

From a government and compliance perspective, Federal agencies should be using TLS 1.1 according to Special Publication 800-52 Rev 1. TLS 1.1 is not susceptible to POODLE. FIPS 140 validations and SafeLogic customers are not affected.

If you’re interested in a deep dive, I recommend this fantastic technical post by Daniel Franke, which also provides a great history of SSL and its challenges.


8 Apr 2014

SafeLogic Responds to Heartbleed

We just issued an advisory notice for customers regarding the recent Heartbleed vulnerability in OpenSSL.

The issue doesn’t reside within our CryptoComply module; it’s in the higher level OpenSSL libraries that (can) call into our CryptoComply module. This means there is no FIPS impact to our customers… however, there is a security impact.

Folks, this is serious stuff. Key material is subject to being disclosed to attackers. Even if you’re using another crypto module with your vulnerable OpenSSL implementation, patch it immediately. But just patching it isn’t enough. Consider this the right time to update your keys and certificates. You should assume that an attacker knows them by now. 

I have to say that I’m very proud of the SafeLogic team here. We responded and had new builds commencing within a few hours of the notice. We provide the upstream OSSL stack as a value to our customers, and it’s important to all of us that they run securely. Builds run through smoke testing and functional testing to ensure proper operation for FIPS, and builds are available on our support portal.

We’ll continue to stay on top of this. We’re not only looking to help our customers… we want to help protect the industry at large. This is that big of an issue. Security awareness becomes key, so let’s keep this at top of mind.
