Open Source stacks shake up government security certifications
Open-source stacks are poised to shake up the world of government security certifications, such as the National Institute of Standards and Technology's Federal Information Processing Standard 140-2 and the National Information Assurance Partnership's Common Criteria ratings.
Agencies that must buy software to meet these standards are finding that an open-source, modular approach can provide new choices on the marketplace.
That's what the Defense Department's Defense Medical Logistics Standard Support program found three years ago. The agency was looking at spending $200,000 to $500,000 on virtual private network software for its 600 HP-UX servers, and the software had to be FIPS-140-2-compliant. The trouble was, the agency planned to move off HP-UX in a few years, rendering the investment null, said Steve Marquess, a DMLSS consultant from Veridical Systems Inc. of Adamstown, Md., who spoke at the recent LinuxWorld conference.
Instead of buying software that would be useless in a short time, the agency took a novel approach. It would instead invest in OpenSSL, an open-source, FIPS-140-2-certified encryption module. That way, DMLSS could simply insert OpenSSL into whatever software product best met its needs, freeing it to choose from a wider range of vendors that didn't have FIPS certifications.
'This validation will save us hundreds of thousands of dollars,' said Debora Bonner, operations director for DMLSS.
The key to this approach was to validate the source code rather than the executable program itself. That way, when DMLSS changed to a new platform, the code could be easily plugged into the new software. FIPS only certifies the cryptographic module of a program, not the entire program.
The approach proved unique, according to Luc Cousineau, director of the IBM-owned DOMUS IT Security Laboratory that tested OpenSSL. He said FIPS certification had never been done for a program distributed in source form before.
As a result, the European project leaders behind OpenSSL had to come up with a way to ensure that their code could verify its own integrity. (They devised an ingenious method of inserting hash values into the code that the compiler could check.)
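The self-check described above, as an added illustration rather than OpenSSL's own code: a keyed digest is computed over the module's code when it is built and embedded beside it, and the module recomputes that digest before it may enter FIPS mode, so any change to the code after validation is detected. The key, the stand-in module bytes and the function names are all constructed for this example.

```python
import hashlib
import hmac

# Constructed stand-in for the validated module's code bytes (hypothetical).
MODULE_CODE = b"int fips_aes_encrypt(...) { /* hypothetical module body */ }"

# Fixed integrity key (constructed). An integrity test like this detects
# accidental or unauthorised modification of a validated module; it is not
# a secret, because its purpose is detection, not confidentiality.
INTEGRITY_KEY = b"example-integrity-key"


def compute_digest(code: bytes) -> str:
    """Keyed digest (HMAC-SHA-256) over the module's code bytes."""
    return hmac.new(INTEGRITY_KEY, code, hashlib.sha256).hexdigest()


def build_module(code: bytes) -> dict:
    """Build step: the digest is computed once and embedded next to the code."""
    return {"code": code, "embedded_digest": compute_digest(code)}


def integrity_self_test(module: dict) -> bool:
    """Power-up self-test: recompute the digest and compare it to the
    embedded value in constant time."""
    actual = compute_digest(module["code"])
    return hmac.compare_digest(actual, module["embedded_digest"])


def enter_fips_mode(module: dict) -> bool:
    """FIPS mode is only granted if the integrity self-test passes."""
    return integrity_self_test(module)


if __name__ == "__main__":
    module = build_module(MODULE_CODE)
    print("untampered module enters FIPS mode:", enter_fips_mode(module))
    tampered = dict(module, code=MODULE_CODE.replace(b"aes", b"xor"))
    print("tampered module enters FIPS mode:", enter_fips_mode(tampered))
```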
In the end, the certification, awarded earlier this year, cost about $85,000. Besides DMLSS, Hewlett-Packard Co., the Open Source Software Institute of Hattiesburg, Miss., and PreVal Specialist Inc. of Severna Park, Md., supported the project. Because the source code was validated, it could be compiled for any platform, be it Linux, Microsoft Windows or some obscure operating system.
'The hope is that this FIPS mode will be incorporated into open-source projects that use cryptography,' Marquess said.