NIST recertifies open source encryption module

The National Institute of Standards and Technology has recertified the OpenSSL open source encryption module.

OpenSSL is once again compliant with the Federal Information Processing Standard (FIPS) 140-2 at Level 1, according to the Open Source Software Institute (OSSI) of Hattiesburg, Miss.

Last July, NIST revoked its certification for the OpenSSL open-source encryption tool when questions were raised about the validated module's interaction with outside software. Earlier this month NIST posted a new certificate number for OpenSSL on the Cryptographic Module Validation Program Web site.

Government agencies use FIPS 140-2 cryptographic products to secure networks carrying unclassified sensitive data.

'Because of the National Security Telecommunications and Information Systems Security Policy 11, anything that is information assurance-enabled has to get a validation to be used in classified and unclassified systems,' OSSI executive director John Weathersby said.

The OpenSSL FIPS Object Module, an open-source library of encryption algorithms, was paid for by the Defense Department and corporate sponsors.

Available under the Apache License, the software can now be downloaded by government and other entities for free at the project's Web site. The OpenSSL security policy and user guide are also available for download on the site.

In addition to potentially saving agencies money, using OpenSSL may simplify security administration as well because the software can be used across multiple applications, reducing the total number of FIPS-compliant modules an agency must manage, Weathersby said.

Developing, certifying and validating OpenSSL was 'not a technical challenge, but a political challenge,' Weathersby said. 'Proprietary products cost a lot to get through processes, so there was pushback in developing a free version. Other vendors contested.'

In addition, the validation process was lengthy and costly for OSSI because it was 'the first time that anyone tried to get a program like OpenSSL validated to a core level out in the open,' Weathersby added.

Reader Comments

Fri, Oct 17, 2014 Daira Hopwood United Kingdom

FIPS validation of cryptographic libraries is harmful, because:
* users who care about the validation end up using outdated versions,
* even without caring about the validation, the FIPS process interferes with good software engineering practice:
(This is not even a controversial opinion any more, it's a widespread consensus among working cryptographers.)
