OpenSSL undergoing review
- By Joab Jackson
- Dec 24, 2003
The National Institute of Standards and Technology is evaluating an open-source library of encryption algorithms for use on sensitive government networks, the Open Source Software Institute announced this month.
The cryptographic module of OpenSSL
, an open-source version of Secure Sockets Layer encryption, is undergoing Federal Information Processing Standard 140-2 Level 1 tests.
The library in version 0.9.7b of OpenSSL is being validated ' FIPS serves as validation only for encryption modules, not entire software packages.
U.S. federal agencies must use FIPS-compliant products to secure networks carrying unclassified but sensitive data.
The OpenSSL library uses the Advanced Encryption Standard, the Data Encryption Standard, the Digital Signature Algorithm, FIPS-mode RSA and the FIPS-qualified Secure Hash Algorithm-1, or SH-1.
Software testing is being sponsored by the Defense Department's Defense Medical Logistics Standard Support Program, Hewlett-Packard Co., OSSI, PreVal Specialists Inc., OpenSSL developers and the Domus IT Security Laboratory of Ottawa, which does the validation testing.
Software products, both commercial and customized for specific agency use, can use the runtime version of the library to provide FIPS-level security, according to an OSSI-sponsored Web page
. Open-source software already using this library include the Apache Web server, OpenSSH secure remote log-in, Stunnel virtual private network and OpenSSL itself.
Created by Netscape Communications Corp., Secure Sockets Layer encryption is one of the primary means for conducting secure transactions over the Internet. SSL is a software container that holds algorithms that browsers and other software can call upon to encrypt and decrypt Web pages and sensitive data.
OSSI is a nonprofit organization that promotes the use of open-source software within federal, state and local agencies. Sponsors include Hewlett-Packard Co. and IBM Corp.
(Posted Dec. 24, 2003 and corrected Jan. 6, 2004)
Joab Jackson is the senior technology editor for Government Computer News.