In 2017, the Federal Office for Information Security (BSI) had various
crypto libraries examined as part of a project.
Three software projects were shortlisted and subjected to more in-depth
analysis: LibreSSL, developed by OpenBSD; NSS, developed by Mozilla;
and the Botan library.
The development of Botan was subsequently financially supported by the
BSI; the deficiencies found were corrected and the test suite was
improved. The results of this development have been incorporated into
Botan and were published with version 2.0.1. In the meantime, some
documents have also been published in a GitHub repository by Rohde & Schwarz
(https://github.com/Rohde-Schwarz-Cybersecurity/botan/tree/master/doc/bsi).
What was not published: the original detailed study, and in particular
the results it contained in relation to the other crypto libraries.
Golem.de asked the developers of the two libraries that were examined
but ultimately not selected for the project, LibreSSL and Mozilla's
NSS: the developers of LibreSSL knew nothing of the project, and the
request to Mozilla remained unanswered.
They have read the document. Information about spectacular security
holes cannot be found in it. Nevertheless, it could be helpful for the
developers of the respective libraries, because in many places there are
very concrete suggestions on how the code could be improved, including an
estimate of how much effort that would take. For example, there are
references to compiler warnings and an assessment of their severity, as
well as a list of errors in the state machines of the TLS handshake
implementation and hints on where the code should be better protected
against timing attacks.
In the case of Botan, these recommendations were implemented, but for
the other libraries studied, it would certainly make sense to make the
results at least available to the developers.
But even if the BSI does not want the comparison of crypto libraries
published: anyone who wants to read it can even make a request under
the Freedom of Information Act, for example via the portal
Fragdenstaat.de
(https://fragdenstaat.de/anfrage/sicherheitsaudits-des-projekts-sichere-implementierung-einer-allgemeinen-kryptobibliothek/)
or informally by writing to the BSI. You do not have to justify such a
request.
Jochen