Slashdot Mirror


NIST Validation Of OpenSSL Algorithms

An anonymous reader submits "On Monday, May 10, 2004, the National Institute of Standards and Technology (NIST) posted a notice that the AES, DES, 3DES, DSA and SHA-1 algorithms for OpenSSL have been validated. The validation notices can be found at the following NIST sites: Advanced Encryption Standard (AES) Algorithm (Certification # 146); Data Encryption Standard (DES) Validated Implementations (Cert # 258); Triple Data Encryption Algorithm (TDEA, a.k.a. "Triple DES"): (Cert # 256); Digital Signature Algorithm (DSA) Validation System: (Cert # 108); Secure Hash Algorithm (SHS) Validation System: (Cert # 235). Successful validation of these algorithms does NOT mean that OpenSSL has received FIPS 140-2 validation, yet. The overall FIPS 140-2 validation effort for OpenSSL is still in process. Additional updates will be posted on the OSSI web site, www.oss-institute.org. NIST validation of these algorithms does, however, signify a major milestone in OSSI's efforts to secure the FIPS 140-2 validation for OpenSSL. Please post any questions that you might have to questions@oss-institute.org."

19 comments

  1. Poster left out explanation of what FIPS is by the morgawr · · Score: 5, Informative

    A quick googling shows that FIPS 140-2 validation refers to the government certification that encryption modules have adequate security to be used by the Federal (e.g. US) government. If OpenSSL gets fully validated this will be a huge win for open source software.

    --
    The policy of the United States is worse than bad---it is insane. -- Ludwig von Mises, Economic Policy (1959)
    1. Re:Poster left out explanation of what FIPS is by dark_panda · · Score: 4, Informative

      Another open source crypto package (actually, it's public domain code) that has received FIPS 140-2 certification is crypto++, a set of C++ crypto classes and such.

      It should be noted that if (or rather, when) OpenSSL is FIPS 140-2 certified, it doesn't mean that you can use OpenSSL and claim that your code is FIPS 140-2 certified. Technically, you can't even recompile OpenSSL yourself and claim certification on the resulting binaries, you need to go through the certification process again.

      Even still, this is definitely nice to see. Congrats to the OpenSSL team.

      J

    2. Re:Poster left out explanation of what FIPS is by Steven Reddie · · Score: 3, Informative

      Information from the OpenSSL core team and the oss institute is that the source is being certified and the certification has been issued for the hashes of the relevant source files, thereby meaning that compilation of unmodified source results in a certified build.
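      The two ideas in the submission and in the comment above, algorithm validation by known-answer tests and a certification tied to digests of the source files, as an added example that is not OpenSSL or OSSI code; the source files and manifest are constructed stand-ins, and the compiler question raised below is deliberately out of scope for this check:

      ```python
      # Added example, not OpenSSL/OSSI code. Two checks mirroring the thread:
      # (1) algorithm validation rests on known-answer tests, so run a SHA-1 KAT
      # with FIPS 180 vectors; (2) the source-level certification is tied to
      # digests of the source files, so compare them to a manifest before building.
      # Source files and manifest below are constructed stand-ins.
      import hashlib
      import os
      import tempfile

      # FIPS 180 SHA-1 known-answer vectors: (message, expected digest)
      SHA1_KAT = [
          (b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d"),
          (b"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
           "84983e441c3bd26ebaae4aa1f95129e5e54670f1"),
      ]

      def sha1_known_answer_test(digest=lambda m: hashlib.sha1(m).hexdigest()):
          """True only if every vector matches; a failed self-test should disable
          the module, not just log a warning."""
          return all(digest(m) == want for m, want in SHA1_KAT)

      def file_sha1(path):
          with open(path, "rb") as f:
              return hashlib.sha1(f.read()).hexdigest()

      def verify_source_manifest(src_dir, manifest):
          """manifest maps relative path -> expected SHA-1 hex. Returns the files
          that are missing or whose digest differs; an empty list means unmodified."""
          return [rel for rel, want in manifest.items()
                  if not os.path.isfile(os.path.join(src_dir, rel))
                  or file_sha1(os.path.join(src_dir, rel)) != want]

      def demo():
          """Constructed tree: record a manifest, tamper with one file, and show the
          check catches it. Returns (kat_ok, mismatches_before, mismatches_after)."""
          files = {"fips_aes.c": b"/* aes */\n", "fips_sha1.c": b"/* sha1 */\n"}
          with tempfile.TemporaryDirectory() as d:
              for name, body in files.items():
                  with open(os.path.join(d, name), "wb") as f:
                      f.write(body)
              manifest = {n: hashlib.sha1(b).hexdigest() for n, b in files.items()}
              before = verify_source_manifest(d, manifest)
              with open(os.path.join(d, "fips_sha1.c"), "ab") as f:
                  f.write(b"/* local patch */\n")  # any edit voids the certified build
              after = verify_source_manifest(d, manifest)
          return sha1_known_answer_test(), before, after

      if __name__ == "__main__":
          print(demo())
      ```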

    3. Re:Poster left out explanation of what FIPS is by Krunch · · Score: 1

      I don't know, what if the compiler is not certified?

      --
      No GNU has been Hurd during the making of this comment.
  2. Other hash validations by Anonymous Coward · · Score: 0

    Is MD5 validated? I've heard SHA1 is more secure.

  3. Ummm... by Anonymous Coward · · Score: 0

    What about Blowfish?

    has it been validated yet?

    1. Re:Ummm... by Anonymous Coward · · Score: 0

      I hope not. Wouldn't want that fucker Theo to get any credit.

    2. Re:Ummm... by Anonymous Coward · · Score: 0

      Do the articles above mention anything about Blowfish? No? Well then I guess that means it hasn't been certified!

      Why is it that if someone says something like "Half Life 2 has been ported to the X-Box" there are people who instantly ask stupid questions like "Has Pengo been ported to the X-Box" or "Has Half Life 2 been ported to my cell phone"?

  4. Hmm by Anonymous Coward · · Score: 0, Troll

    If a federal agency validates encryption algorithms, does this mean they have a convenient backdoor?

    1. Re:Hmm by Anonymous Coward · · Score: 0, Flamebait

      No fucktard, it doesn't. The algorithms are still bound by the rules of math, and the computers they're using are bound by the rules of physics. Furthermore, this is about specific implementations of algorithms. It's specific to the OpenSSL implementation of AES, etc.

      If you don't believe in the math, you could try VME. It hasn't been validated for anything.

    2. Re:Hmm by alex_tibbles · · Score: 2, Interesting

      Strictly speaking the validation is only of the _implementation_ of these algorithms. The NSA did invent SHA, but all these algorithms have stood up to academic attack (that we know of).

    3. Re:Hmm by Spiked_Three · · Score: 2, Interesting

      Encryption is math - all math is solvable - some math solutions take resources most people don't have, this does not technically constitute a back door, but you can bet your sweet bippy if the (US) government allows you to transmit it, they have a way to decrypt it.
      Want to try an experiment - come up with really decent random number generator (not based on FIPS or built in functions) and send a fake encrypted message twice a day to someone in a foreign country. See how long before you are visited :)

      --
      slashdot troll = you make a compelling argument I do not like the implications of.
    4. Re:Hmm by Theatetus · · Score: 1

      Encryption is math - all math is solvable

      Yeah? Find a length of which a square's side and its diagonal are both multiples.

      --
      All's true that is mistrusted
    5. Re:Hmm by Spiked_Three · · Score: 1

      Big hint: stop thinking in 1D. Ask rainman's brother.

      --
      slashdot troll = you make a compelling argument I do not like the implications of.
  5. All math is solvable by ENOENT · · Score: 1

    *cough* Halting problem *cough*

    --
    That's "Mr. Soulless Automaton" to you, Bub.
  6. I don't care how many D's by Theatetus · · Score: 1

    There's still no length that will divide both a square's side and its diagonal. Just as an example.

    --
    All's true that is mistrusted