[SERVER-20919] Use OpenSSL to generate IVs Created: 14/Oct/15 Updated: 05/Nov/15 Resolved: 02/Nov/15 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 3.0.7 |
| Fix Version/s: | 3.2.0-rc2 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Andreas Nilsson | Assignee: | Spencer Jackson |
| Resolution: | Done | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Sprint: | Security B 10/30/15, Security C 11/20/15 |
| Participants: | |
| Description |
|
AES-CBC encryption requires IVs which are random and unpredictable. Using OpenSSL to generate these values ensures both that these properties will hold, and that a FIPS-compliant PRNG is used when operating in FIPS mode. This change will only affect the ESE components, and more wide-scale restructuring of random number generation is discussed in SERVER-21253. |
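The requirement in the description, sketched with the openssl command-line tool as an added example; it is not MongoDB's code or the change made for this ticket. The demo key, the function names and the `ivhex:base64` framing are assumptions made for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: a fresh IV from OpenSSL's RNG for every AES-256-CBC message.
set -u

# Constructed demo key (64 hex chars = 256 bits). Never hard-code a real key.
DEMO_KEY=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f

# new_iv: print 16 random bytes as hex; fail closed if the RNG call fails.
new_iv() {
    local iv
    iv=$(openssl rand -hex 16) || return 1
    # A short or empty result must never be used as an IV.
    [ "${#iv}" -eq 32 ] || return 1
    printf '%s\n' "$iv"
}

# encrypt_cbc PLAINTEXT [IV_HEX]: print "ivhex:base64(ciphertext)".
# Normal callers omit IV_HEX; it exists only to show what IV reuse looks like.
encrypt_cbc() {
    local pt="$1" iv ct
    if [ -n "${2:-}" ]; then iv="$2"; else iv=$(new_iv) || return 1; fi
    ct=$(printf '%s' "$pt" |
        openssl enc -aes-256-cbc -K "$DEMO_KEY" -iv "$iv" -base64 -A) || return 1
    printf '%s:%s\n' "$iv" "$ct"
}

# decrypt_cbc "ivhex:base64": the IV is not secret, so it travels with the data.
decrypt_cbc() {
    local iv="${1%%:*}" ct="${1#*:}"
    printf '%s\n' "$ct" |
        openssl enc -d -aes-256-cbc -K "$DEMO_KEY" -iv "$iv" -base64 -A
}

# Demo: the same plaintext twice gives different output, one new IV per call.
encrypt_cbc "same plaintext"
encrypt_cbc "same plaintext"
```

Passing the same IV twice to `encrypt_cbc` yields identical ciphertext for identical plaintext, which is the equality leak that per-message random IVs prevent.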
| Comments |
| Comment by Githook User [ 05/Nov/15 ] |
|
Author: {u'username': u'spencerjackson', u'name': u'Spencer Jackson', u'email': u'spencer.jackson@mongodb.com'} Message: |
| Comment by Githook User [ 29/Oct/15 ] |
|
Author: {u'username': u'spencerjackson', u'name': u'Spencer Jackson', u'email': u'spencer.jackson@mongodb.com'} Message: |
| Comment by Andrew Morrow (Inactive) [ 23/Oct/15 ] |
|
spencer.jackson - When working on this, can you try to improve some of the weaknesses related to SecureRandom construction and logging identified in