Getting government approval of a more secure OpenSSL
When the Heartbleed bug was discovered in 2014, the federal government largely managed to avoid significant fallout from the OpenSSL vulnerabilities. But as the foundation responsible for that vital open-source software library has scrambled to update and patch vulnerabilities, agencies are now faced with a different problem: the newer, more secure OpenSSL 1.1 lacks a critical federal validation for cryptographic software.
Using it in federal systems, in fact, would be against the law.
At issue is FIPS 140-2 -- a standard set by the National Institute of Standards and Technology and its Canadian counterpart. All federal cryptographic-based security systems that involve sensitive information must be FIPS 140-2 compliant. And as the OpenSSL project's Steve Marquess explained in a September 2015 blog post, OpenSSL 1.1 was restructured so dramatically that new validation was needed.
That validation effort is a long and costly project, and Marquess warned at the time that without government sponsorship, OpenSSL 1.1 could be without a valid FIPS module for the foreseeable future.
On July 20, however, Marquess and SafeLogic founding CEO Ray Potter announced that SafeLogic would sponsor the FIPS validation. "With changes over the last few years," Potter wrote in blog post explaining the decision, "the viability of legacy OpenSSL FIPS module validations have been repeatedly threatened, and the crypto community simply cannot accept the possibility of being without a certificate."
SafeLogic, a four-year-old Palo Alto, Calif., company that both offers proprietary encryption solutions and does FIPS validation for other products, will sponsor the engineering work on the FIPS module and then handle the validation effort. Acumen Security will be the testing laboratory, and the engineering itself will be done by the OpenSSL project.
Potter told GCN the validation effort should avert an uncomfortable compliance bind that was looming.
“It’s crucial to note that [Transport Layer Security Protocol Version 1.3] has made significant privacy and security improvements over TLS 1.2 and will soon be mandatory for DOD and other federal agencies," he said. "Of course, the catch is that TLS 1.3 is not compatible with previous versions of OpenSSL, so the migration to OpenSSL 1.1 will also be mandatory by proxy. This would have been the perfect storm in which the government would have been unable to comply with their own requirements if this project hadn’t commenced."
None of the parties would offer a target date for completing the validation and making OpenSSL 1.1 an option for government users. Marquess, a former president of the OpenSSL Software Foundation who now heads OpenSSL Validation Services, had previously said the process could take two years or more, but SafeLogic officials told GCN they were confident validation would come "long before that."
Note: This article was updated on July 22 to correct Steve Marquess' professional affiliations.
Troy K. Schneider is editor-in-chief of FCW and GCN, as well as General Manager of Public Sector 360.
Prior to joining 1105 Media in 2012, Schneider was the New America Foundation’s Director of Media & Technology, and before that was Managing Director for Electronic Publishing at the Atlantic Media Company. The founding editor of NationalJournal.com, Schneider also helped launch the political site PoliticsNow.com in the mid-1990s, and worked on the earliest online efforts of the Los Angeles Times and Newsday. He began his career in print journalism, and has written for a wide range of publications, including The New York Times, WashingtonPost.com, Slate, Politico, National Journal, Governing, and many of the other titles listed above.
Schneider is a graduate of Indiana University, where his emphases were journalism, business and religious studies.
Click here for previous articles by Schneider, or connect with him on Twitter: @troyschneider.