Open Source encryption module loses FIPS certification
- By William Jackson
- Jul 17, 2006
The National Institute of Standards and Technology has revoked certification of the open-source encryption tool OpenSSL under the Federal Information Processing Standard.
OpenSSL in January became one of the first open-source software products
to be validated under NIST's Computer Module Validation Program for FIPS-140-2. The certificate apparently was suspended in June when questions were raised about the validated module's interaction with outside software elements.
The revocation caught the Open Source Software Institute, which shepherded the module through the validation process, by surprise.
'I am discouraged with what appears to be another change after certification has been awarded,' said executive director John Weathersby. 'It is disheartening after three-and-a-half years of work to have the certification pulled twice for reasons not clear to us.'
On July 14 the CMVP Web site
listed the OpenSSL certificate 642 as 'revoked.' On Monday it was listed as 'not available.' A statement from CMVP supervisor Randy Easter indicated there is no distinction between the two terms.
'If a validation certificate is marked as revoked or not available, the module validation is no longer valid,' the statement said.
FIPS-140-2 certification is required for cryptographic products used by agencies for unclassified but sensitive information. OpenSSL is an open-source version of Secure Sockets Layer encryption that can be used by browsers and other programs to securely exchange data.
The option of using an open-source tool could save agencies money in software licensing fees.
'Our biggest advocate at this point is the Defense Information Systems Agency,' Weathersby said. 'They are using it.'
An official with the Defense Department's Defense Medical Logistics Standard Support program told GCN when certification was granted that OpenSSL could save the program hundreds of thousands of dollars.
Weathersby said OpenSSL has been challenged by companies with competing proprietary encryption technologies, and that those challenges are aided by the open-source model, which makes source code for the tools publicly available.
'Now the opposing forces have the luxury of going in and trying to pick us apart,' he said. 'That's fine. That's fair. This is about dollars and cents. This is not about technology.'
Those challenges apparently resulted in the original suspension in June. Weathersby said problems had been corrected in the module and the workaround submitted to the certifying laboratory, Domus IT Security Laboratory of Ottawa, for re-evaluation. He had been expecting CMVP to evaluate the lab results and reinstate the certificate when the notice of revocation was published on the Web site.
NIST is not saying why the certificate was removed.
'The CMVP does not provide information regarding the status or reason as in many cases it may be proprietary,' Easter said in his statement.
Weathersby said OSSI would challenge the revocation and has lined up funding to pursue recertification.
'We are by no means giving up on this,' he said. 'We are frustrated by the process, but we are not quitting.'
William Jackson is freelance writer and the author of the CyberEye blog.