OpenSSL gets NIST certifications

Agencies setting up sensitive virtual private networks now have an open-source alternative.

The National Institute of Standards and Technology has certified OpenSSL, an open-source library of encryption algorithms, as meeting Federal Information Processing Standard 140-2 Level 1 standards, according to the Open Source Software Institute of Hattiesburg, Miss.

'This validation will save us hundreds of thousands of dollars,' said Debora Bonner, operations director for the Defense Department's Defense Medical Logistics Standard Support program, in a statement. 'Multiple commercial and government entities, including [the Defense Department's] Medical Health System, have been counting on this validation to avoid massive software licensing expenditures.'

Federal agencies must use FIPS-compliant products to secure networks carrying unclassified sensitive data. The FIPS certification of OpenSSL opens the possibility of using an SSL-based VPN to carry sensitive data, according to Peter Sargent, who heads the Severna Park, Md.-based PreVal Specialist Inc., one of the companies that supported the validation process.

Traditionally, agencies wishing to set up a VPN for sensitive data would use an approach that involved a secret key implementation of a cryptographic module, which is more expensive to implement and has limited the number of smaller companies that can provide such a product, Sargent said.

Sargent added that few agencies would directly deploy OpenSSL FIPS. Rather, they would purchase OpenSSL-based VPN products from vendors.

To accompany the release, OSSI has published a guidebook, The OpenSSL Security Policy Version 1.0, describing how the OpenSSL cryptographic module works in relation to FIPS 140-2 requirements. The organization also plans to issue a users' guide within two weeks, according to John Weathersby, executive director of OSSI.

Agencies will also find support from a December 2005 update of NIST's Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program. The document addresses how users can deploy a program with FIPS modules across multiple platforms.

The cryptographic module of OpenSSL (SSL stands for Secure Sockets Layer) consists of an open-source implementation of SSL encryption'originally created by Netscape Communications Corp.'as well as a Transport Layer Security module.

SSL and TLS are security protocols that browsers and other software can utilize to encrypt and decrypt Web pages and sensitive data. In order to be FIPS-approved, it is necessary to limit the SSL-based implementation to the TLS mode, Sargent said.

The volunteer-led OpenSSL project oversees the development of OpenSSL. The team has made the module and source code available at the project's Web site under an Apache-style license permitting free noncommercial use.

NIST validated the library cryptographic module contained in Version 0.9.7j of OpenSSL-FIPS as a validation process only for encryption modules, not entire software packages. The OpenSSL-FIPS library cryptographic module uses the Advanced Encryption Standard, the Data Encryption Standard, the Digital Signature Algorithm, FIPS-mode RSA for signatures, as well as the FIPS-qualified approved Secure Hash Algorithm-1, or SHA-1.

In addition to PreVal, OSSI and DMLSS, Hewlett-Packard Co. of Palo Alto, Calif., and the Domus IT Security Laboratory of Ottawa sponsored the FIPS testing for OpenSSL.

About the Author

Joab Jackson is the senior technology editor for Government Computer News.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above