Getting government approval of a more secure OpenSSL
- By Troy K. Schneider
- Jul 20, 2016
When the Heartbleed bug was discovered in 2014, the federal government largely managed to avoid significant fallout from the OpenSSL vulnerabilities. But as the foundation responsible for that vital open-source software library has scrambled to update and patch vulnerabilities, agencies are now faced with a different problem: the newer, more secure OpenSSL 1.1 lacks a critical federal validation for cryptographic software.
Using it in federal systems, in fact, would be against the law.
At issue is FIPS 140-2 -- a standard set by the National Institute of Standards and Technology and its Canadian counterpart. All federal cryptographic-based security systems that involve sensitive information must be FIPS 140-2 compliant. And as the OpenSSL project's Steve Marquess explained in a September 2015 blog post, OpenSSL 1.1 was restructured so dramatically that new validation was needed.
That validation effort is a long and costly project, and Marquess warned at the time that without government sponsorship, OpenSSL 1.1 could be without a valid FIPS module for the foreseeable future.
On July 20, however, Marquess and SafeLogic founding CEO Ray Potter announced that SafeLogic would sponsor the FIPS validation. "With changes over the last few years," Potter wrote in a blog post explaining the decision, "the viability of legacy OpenSSL FIPS module validations have been repeatedly threatened, and the crypto community simply cannot accept the possibility of being without a certificate."
SafeLogic, a four-year-old Palo Alto, Calif., company that both offers proprietary encryption solutions and does FIPS validation for other products, will sponsor the engineering work on the FIPS module and then handle the validation effort. Acumen Security will be the testing laboratory, and the engineering itself will be done by the OpenSSL project.
Potter told GCN the validation effort should avert an uncomfortable compliance bind that was looming.
"It's crucial to note that [Transport Layer Security Protocol Version 1.3] has made significant privacy and security improvements over TLS 1.2 and will soon be mandatory for DOD and other federal agencies," he said. "Of course, the catch is that TLS 1.3 is not compatible with previous versions of OpenSSL, so the migration to OpenSSL 1.1 will also be mandatory by proxy. This would have been the perfect storm in which the government would have been unable to comply with their own requirements if this project hadn't commenced."
None of the parties would offer a target date for completing the validation and making OpenSSL 1.1 an option for government users. Marquess, a former president of the OpenSSL Software Foundation who now heads OpenSSL Validation Services, had previously said the process could take two years or more, but SafeLogic officials told GCN they were confident validation would come "long before that."
Note: This article was updated on July 22 to correct Steve Marquess' professional affiliations.