Hi Buddy

Thank you for helping out with the very good explanation of what FIPS actually is. I forgot to put a link for those not being aware of (esp. users outside the US will likely not know anything about).

I know you like taking a back seat – but there’s no need to, it has been your idea and suggestion!

Cheers,
Arvid

I agree that the Skein hashing looks very promising, regarding Blue Midnight Wish I would like to wait for further research about (especially when having read about the near-collision attack, see http://www2.mat.dtu.dk/people/S.Thomsen/bmw/nc-compress.pdf).

But: We are talking about implementing FIPS by using what OpenSSL already has. I am sure the OpenSSL team will go ahead and implement the NIST finalist at some stage, so it will be available in Indy too.

By the way: Regarding fast hashing and ciphers in Delphi be sure to have a look at my co-edited Delphi Encryption Compendium for Delphi & C++ Builder (hosted here http://www.michael-puff.de/Developer/Delphi/Importe/Hagen_Reddmann/). Currently it will not receive any new hashes and ciphers but probably worth a look too.

Cheers, Arvid

I know that some prefer static linking (including myself). It is currently not implemented due to the fact the Indy does not only support Windows OSs – and in some Operating Systems the OpenSSL libraries are part of the system itself. Regarding static linking and FIPS: it is not that easy, compiling the FIPS branch for static linking (and using C++ Builder at all) is not a one-step procedure

I’ll consider it.

Cheers,
Arvid

please see JP’s answer below, it contains a good explanation of what FIPS is.

Cheers,
Arvid

Basically, they require that information be processed with tamper-resistant modules that uses strong NIST-approved cryptographic algorithms. OpenSSL does have a FIPS certificate and a FIPS .DLL can be created with Visual Studio and some specific compiler directives. The thing is that you have to use the developer’s process unless you intend to obtain a certificate for your own build process and any alterations you make. The OpenSSL developers have documents about their FIPS support at http://www.openssl.org/docs/fips/. You should also read http://openssl.org/docs/fips/fipsnotes.html .

From a programming point of view, we will have OpenSSL for all of Indy’s hashing if you are using a FIPS mode. FIPS will only an option as some people still have to use old compromised algorithms such as MD2, MD4, and MD5.

Anyway, I hate to toot my horn about this stuff but I want to provide a balanced discussion of this.

…and here for an implementation both for hash and for stream cipher: http://code.google.com/p/skeinfish/ (beware, the current version is 1.2)

It seems that (perhaps?) a better alternative would be BMW (http://ehash.iaik.tugraz.at/wiki/Blue_Midnight_Wish) – according to http://www.skein-hash.info/sha3-engineering but the info about BMW is a little bit fuzzy AFAIS.

Why? Because any monkey can intercept a DLL function call to OpenSSL and break security without any assembly language skills or time-consuming crypto analysis.

In addition to secure communication with other computers, we use crypto for software activation, license key management, etc. on computers where we do not trust the users (which is why we have software activation).

I’m not saying putting crypto functions inside the exe will prevent all hacking. I’m just saying that using an external crypto DLL will make automated attacks easy. And having a FIPS-approved DLL will certainly make it worthwhile to automate attacks against it.

Compile OpenSSL using C++Builder 2010 + NASM. Then figure out a way to make it easy for Delphi projects to static link to it. I will be your 1st customer. I need AES-CTR and RSA and SHA-256. PBKDF2 and secure PRNG would be nice, too.