| OpenSSL gains FIPS-140 approval |
Jan. 23, 2006
After more than two years, the US and Canadian governments finally gave OpenSSL FIPS 140-2 approval under the Cryptographic Module Validation Program (CMVP). The approval opens the door to wider use of Linux and Apache in federal government applications.
The effort to certify OpenSSL under FIPS security criteria was announced in December, of 2003, led by the Defense Medical Logistics Standard Support Program (a DoD medical logistics program), HP, DOMUS IT Security Laboratory, PreVal Specialists, Inc., and representatives from the OpenSSL Project.
What's OpenSSL FIPS?
The OpenSSL FIPS library is an open-source software cryptographic toolkit that can be used on a wide variety of hardware and operating system platforms. The Module provides an API for invocation of FIPS (Federal Information Processing Standards) approved cryptographic functions from calling applications. OpenSSL provides an open source toolkit for implementing Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
The module was tested by the FIPS 140-2 CMT (Cryptographic Module Testing) laboratory for two specific test platforms, HP-UX 11i and SUSE Linux 9.0. The OpenSSL FIPS Cryptographic Module, when generated from the identical unmodified source code, is "Vendor Affirmed" to be FIPS 140-2 compliant when running on other supported computer systems provided the conditions described in the Security Policy are met.
OpenSSL is commonly used to provide secure, encrypted communications for open-source applications like the Apache Web server. By gaining FIPS 140-2 security approval, OpenSSL can now be used by government agencies that require a security protocol that can protect sensitive, but unclassified, information.
Long time coming
A recent NewsForge article noted that the approval had long been delayed. Writer Stephen Feller wrote that "according to CMVP director Randy Easter, a typical testing cycle runs from several weeks to a few months, and the goal for NIST (National Institute of Standards and Technology) is to process reports generated by the labs after testing within six to nine weeks. Once processed, NIST either sends additional questions back to the testing lab or moves forward with granting validation. The process typically takes less than a year."
"I can't believe it. It's been a long time coming, we finally got it!" said an ecstatic OSSI (Open Source Software Institute) executive director John Weathersby. OSSI, which supports the development and implementation of open source software within US government and academic entities, had helped shepherd OpenSSL through the FIPS process.
"This validation is critically important for two reasons: 1) technically it means that OpenSSL has gone through and passed the same federal security validation process as other validated proprietary solutions; and 2) by receiving the FIPS 140-2 validation, products that include the validated OpenSSL module can be purchased and used within the government and Department of Defense systems," Weathersby said in a statement.
Debora Bonner, Director of Operations at the DMLSS (Defense Medical Logistics Standard Support) Program Management Office in Falls Church, Va, and an OpenSSL supporter, said in a statement, "This validation is historic in that it is based on source code and allows implementation on a wide range of hardware and software platforms."
"The DMLSS program is heavily dependent on OpenSSL based cryptography, so this validation will save us hundreds of thousands of dollars," Bonner added. "Multiple commercial and government entities, including Medical Health Systems (MHS), have been counting on this validation to avoid massive software licensing expenditures. The three year validation process was an ordeal, but our persistence finally paid off."
Availability
According to the OpenSSL Project team members, the FIPS validated module will be included in the next OpenSSL release, version 0.9.7.
The OpenSSL toolkit is licensed under an Apache-style license.
Commercially supported FIPS-certified security components for embedded Linux devices may also be available from Certicom, Team F1, and others.
Related Stories:
(Click here for further information)
|
|
|
7 Advantages of D2D Backup
For decades, tape has been the backup medium of choice. But, now, disk-to-disk (D2D) backup is gaining in favor. Learn why you should make the move in this whitepaper.
4 Legal Reasons to Control Internet Access
The Internet is obviously a valuable resource for many organizations. However, many are exposed to legal liability concerns because they fail to control Internet access. Learn if you're safe in this white paper.
Rapidly Resolve J2EE Application Problems
Whether you are in the process of building J2EE applications or have J2EE applications already running in production, you must ensure that they deliver the expected ROI. Learn how in this white paper.
Load Testing 2.0 for Web 2.0
There are many unknowns in stress testing Web 2.0 applications. Find out how to test the performance of Web 2.0 in this white paper.
Build Better Games Online
For the game infrastructure providers, life is complex. Making money from games has become more complicated. Why? Find out in this white paper.
Building a Virtual Infrastructure from Servers to Storage
This white paper discusses the virtual storage solutions that reduce cost, increase storage utilization, and address the challenges of backing up and restoring Server environments.
Gaining Faster Wireless Connections with WiMAX
Welcome to what is quickly becoming the hyperconnected world where anything that would benefit from being connected to the network will be connected. Learn more in this white paper.
Is Your Desktop a Security Threat?
The new wave of sophisticated crimeware not only targets specific companies, but also targets desktops and laptops as backdoor entryways into those business’ operations and resources. Learn how to stay safe in this white paper.
Increasing SAN Reliability by 100 Percent
Storage area networks (SAN) are a strong part of storage plans. Learn how to increase your reliability and uptime by 100 percent in this case study.
|
|
|
|
|
news feed