NIST recertifies open source encryption module
- By Jana Cranmer
- Feb 16, 2007
The National Institute of Standards and Technology has recertified the OpenSSL open source encryption module.
OpenSSL once again is compliant with Federal Information Processing Standard 140-2 Level 1 standard, according to the Open Source Software Institute (OSSI) of Hattiesburg, Miss.
Last July, NIST revoked
its certification for the OpenSSL open-source encryption tool when questions were raised about the validated module's interaction with outside software. Earlier this month NIST posted a new certificate number for OpenSSL on the Cryptographic Module Validation Program Web site
Government agencies use FIPS 140-2 cryptographic products to secure networks carrying unclassified sensitive data.
'Because of the National Security Telecommunications and Information Systems Security Policy 11, anything that is information assurance-enabled has to get a validation to be used in classified and unclassified systems,' OSSI executive director John Weathersby said.
The OpenSSL FIPS Object Module
, an open-source library of encryption algorithms, was paid for by the Defense Department and corporate sponsors.
Available under the Apache License, the software
can now be downloaded by government and other entities for free at the project's Web site. The OpenSSL security policy and user guide are also available for download on the site.
In addition to potentially saving agencies money, using OpenSSL may simplify security administration as well because the software can be used across multiple applications, reducing the total number of FIPS-compliant modules an agency must manage, Weathersby said.
Developing, certifying and validating OpenSSL was 'not a technical challenge, but a political challenge,' Weathersby said. 'Proprietary products cost a lot to get through processes, so there was pushback in developing a free version. Other vendors contested.'
In addition, the validation process was lengthy and costly for OSSI because it was 'the first time that anyone tried to get a program like OpenSSL validated to a core level out in the open,' Weathersby added.