NIST recertifies open source encryption module

The National Institute of Standards and Technology has recertified the OpenSSL open source encryption module.

OpenSSL once again is compliant with Federal Information Processing Standard 140-2 Level 1 standard, according to the Open Source Software Institute (OSSI) of Hattiesburg, Miss.

Last July, NIST revoked its certification for the OpenSSL open-source encryption tool when questions were raised about the validated module's interaction with outside software. Earlier this month NIST posted a new certificate number for OpenSSL on the Cryptographic Module Validation Program Web site.

Government agencies use FIPS 140-2 cryptographic products to secure networks carrying unclassified sensitive data.

'Because of the National Security Telecommunications and Information Systems Security Policy 11, anything that is information assurance-enabled has to get a validation to be used in classified and unclassified systems,' OSSI executive director John Weathersby said.

The OpenSSL FIPS Object Module , an open-source library of encryption algorithms, was paid for by the Defense Department and corporate sponsors.

Available under the Apache License, the software can now be downloaded by government and other entities for free at the project's Web site. The OpenSSL security policy and user guide are also available for download on the site.

In addition to potentially saving agencies money, using OpenSSL may simplify security administration as well because the software can be used across multiple applications, reducing the total number of FIPS-compliant modules an agency must manage, Weathersby said.

Developing, certifying and validating OpenSSL was 'not a technical challenge, but a political challenge,' Weathersby said. 'Proprietary products cost a lot to get through processes, so there was pushback in developing a free version. Other vendors contested.'

In addition, the validation process was lengthy and costly for OSSI because it was 'the first time that anyone tried to get a program like OpenSSL validated to a core level out in the open,' Weathersby added.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected