FIPS Validates OpenSSL
OpenSSL provides an open source toolkit that opens the door to wider use of Linux and Apache in federal government applications.
Tuesday, January 24, 2006:
After more than two years, the US and Canadian governments have finally given FIPS 140-2 approval to OpenSSL under the Cryptographic Module Validation Program (CMVP). OpenSSL's open source toolkit can implement Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for two specific test platforms: HP-UX 11i and SUSE Linux 9.0.
The effort to certify OpenSSL under Federal Information Processing Standard (FIPS) security criteria will enable Canadian and US government agencies to use the free, open source security software.
OpenSSL is commonly used to provide secure, encrypted communications for open-source applications like the Apache Web server. By gaining FIPS 140-2 security approval, OpenSSL can now be used by government agencies that require a security protocol that can protect sensitive, but unclassified information.
The CMVP is run by the US National Institute of Standards and Technology (NIST) and Canada's Communications Security Establishment (CSE). It provides testing of cryptographic modules in accredited labs, which makes sure that security software does what it is designed to do every time it is used.
CMVP director, Randy Easter, said, "Validation of the open source software is a done deal." OpenSSL is in the final stage of the CMVP pre-validation process. This would be the first open source cryptographic module to be validated, Easter added.
The module was tested by the FIPS 140-2 CMT (cryptographic module testing) laboratory for two specific test platforms - HP-UX 11i and SUSE Linux 9.0. The OpenSSL FIPS Cryptographic Module, when generated from the identical unmodified source code, is ‘Vendor Affirmed’ to be FIPS 140-2 compliant when running on other supported computer systems, provided the conditions described in the security policy are met.
In reviewing the modules, the DOMUS IT Security Lab tested the OpenSSL implementation in configurations of SUSE Linux 9.0 and HP-UX 11i single-user mode, though the validation applies to all uses of the toolkit so long as the CMVP implementation guidelines have been followed.
"What this does is put OpenSSL on a level playing field with all other cryptographic modules and knocks down enormous boundaries," said John Weathersby, executive director of the Open Source Software Institute (OSSI), which helped the project in its validation effort.
The effort to get OpenSSL validated under the FIPS guidelines has been in progress since late 2003, and had been slowed by a lack of experience in validating open source software.
According to Chris Brych, FIPS-140 program manager at DOMUS, the OpenSSL validation posed new challenges in checking it for conformance to requirements because the testing process was not as simple as running the software. Since the source code is freely available, the validation was a proof-of-concept in the event that users decide to compile the toolkit themselves rather than opting for a precompiled version.
Having defined a process for the review of a module that is distributed as source code, Brych said the methodology of review for open source software developed during the OpenSSL review process answered questions the CMVP had about delivery of the module and its performance in integrity tests.
"This validation is critically important for two reasons: 1) technically it means that OpenSSL has gone through and passed the same federal security validation process as other validated proprietary solutions; and 2) by receiving the FIPS 140-2 validation, products that include the validated OpenSSL module can be purchased and used within the government and Department of Defense systems," Weathersby said in a statement.
This historic validation is based on source code and allows implementation on a wide range of hardware and software platforms.
According to the OpenSSL Project team members, the FIPS validated module will be included in the next OpenSSL release, version 0.9.7. The OpenSSL toolkit is licenced under an Apache-style licence.