[openstack-dev] [requirements][kolla][security] pycrypto vs cryptography

Rob C hyakuhei at gmail.com
Mon Nov 7 13:38:48 UTC 2016


Good question, I know issues around this have arisen before.

I think the main points have been covered well already; for my part I will
always lean toward the better supported or actively developed project.

I understand the desire to look for FIPS 140-2 compliance; however, I'd
caution against this being the only deciding factor, as it makes software
development messy: only specific implementations can be validated. If you
want to update code to make improvements etc., you can need a whole
re-validation. I'm not saying that FIPS 140-2 doesn't have value, but I know
of software projects that have used known-bad implementations that had
certification rather than use an updated version with no issues (like I said,
it gets messy).

The OpenSSL guys wrote a good article on FIPS validation, how they tackled
it and some of the impact etc. [1]

-Rob

[1] https://www.openssl.org/docs/fipsnotes.html

On Sun, Nov 6, 2016 at 4:44 PM, Jeremy Stanley <fungi at yuggoth.org> wrote:

> On 2016-11-06 14:59:03 +0000 (+0000), Jeremy Stanley wrote:
> > On 2016-11-06 08:05:51 +0000 (+0000), Steven Dake (stdake) wrote:
> [...]
> > > An orthogonal question I have received from one of our community
> > > members (Pavo on irc) is whether pycrypto (or if we move to
> > > cryptography) provide FIPS-140-2 compliance.
> >
> > My understanding is that if you need, for example, a FIPS-compliant
> > AES implementation under the hood, then this is dependent more on
> > what backend libraries you're using... e.g.,
> > https://www.openssl.org/docs/fips.html
> > https://www.openssl.org/docs/fipsvalidation.html
>
> I should clarify, I was referring specifically to
> pyca/cryptography's OpenSSL backend. In contrast, the pycrypto
> maintainers seem to have copied and forked a variety of algorithms
> (some of which seem to be based on NIST/FIPS reference implementations
> for C or backports from bits of the Py3K stdlib but have undergone
> subsequent modification), so they very likely have not been put through
> any sort of direct compliance validation:
> https://github.com/dlitz/pycrypto/blob/master/src/AES.c
> https://github.com/dlitz/pycrypto/blob/master/src/SHA512.c
> et cetera...
> --
> Jeremy Stanley
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
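As an added example (not from the thread or from either project), the following report shows which OpenSSL each Python crypto layer actually links against, since, as Jeremy points out, that linked module rather than the Python package is what a FIPS validation would cover. The function and dictionary key names are my own; `openssl_version_text()` is a real pyca/cryptography backend method.

```python
"""Report which native crypto library each Python layer links against.

Added example: pip-installed pyca/cryptography wheels bundle their own
statically linked OpenSSL, so the OpenSSL that CPython's ssl/hashlib use
and the one cryptography uses can be two different modules, each with its
own (or no) FIPS validation status.
"""
import ssl


def crypto_backend_report() -> dict:
    """Return the version strings of the OpenSSL behind each layer.

    Key names are constructed for this example, not part of any API.
    """
    report = {
        # OpenSSL (or LibreSSL) that CPython's own ssl and hashlib use
        "cpython_ssl_module": ssl.OPENSSL_VERSION,
        # Filled in only if pyca/cryptography is importable
        "pyca_cryptography": None,
        "pyca_cryptography_openssl": None,
    }
    try:
        import cryptography
        from cryptography.hazmat.backends.openssl.backend import backend
    except ImportError:
        return report
    report["pyca_cryptography"] = cryptography.__version__
    # The OpenSSL that cryptography's extension module was built against;
    # this is the module a FIPS validation would name, not the wheel.
    report["pyca_cryptography_openssl"] = backend.openssl_version_text()
    return report


def uses_single_openssl(report: dict) -> bool:
    """True only when both layers report the same OpenSSL build string.

    Two differing strings mean two separate libraries to account for
    when asking which one (if any) is the validated module.
    """
    pyca = report["pyca_cryptography_openssl"]
    return pyca is not None and pyca == report["cpython_ssl_module"]


if __name__ == "__main__":
    rep = crypto_backend_report()
    for key, value in rep.items():
        print(f"{key:28s} {value}")
    print("single OpenSSL for both layers:", uses_single_openssl(rep))
```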