Slashdot Mirror


NIST Validation Of OpenSSL Algorithms

An anonymous reader submits "On Monday, May 10, 2004, the National Institute of Standards and Technology (NIST) posted a notice that the AES, DES, 3DES, DSA and SHA-1 algorithms for OpenSSL have been validated. The validation notices can be found at the following NIST sites: Advanced Encryption Standard (AES) Algorithm (Certification # 146); Data Encryption Standard (DES) Validated Implementations (Cert # 258); Triple Data Encryption Algorithm (TDEA, a.k.a. "Triple DES"): (Cert # 256); Digital Signature Algorithm (DSA) Validation System: (Cert # 108); Secure Hash Algorithm (SHS) Validation System: (Cert # 235). Successful validation of these algorithms does NOT mean that OpenSSL has received FIPS 140-2 validation, yet. The overall FIPS 140-2 validation effort for OpenSSL is still in process. Additional updates will be posted on the OSSI web site, www.oss-institute.org. NIST validation of these algorithms does, however, signify a major milestone in OSSI's efforts to secure the FIPS 140-2 validation for OpenSSL. Please post any questions that you might have to questions@oss-institute.org."

3 of 19 comments

  1. Poster left out explanation of what FIPS is by the morgawr · Score: 5, Informative

    A quick googling shows that FIPS 140-2 validation refers to the government certification that encryption modules have adequate security to be used by the Federal (e.g. US) government. If OpenSSL gets fully validated this will be a huge win for open source software.

    --
    The policy of the United States is worse than bad---it is insane. -- Ludwig von Mises, Economic Policy(1959)
    1. Re: Poster left out explanation of what FIPS is by dark_panda · Score: 4, Informative

      Another open source crypto package (actually, it's public domain code) that has received FIPS 140-2 certification is crypto++, a set of C++ crypto classes and such.

      It should be noted that if (or rather, when) OpenSSL is FIPS 140-2 certified, it doesn't mean that you can use OpenSSL and claim that your code is FIPS 140-2 certified. Technically, you can't even recompile OpenSSL yourself and claim certification on the resulting binaries; you need to go through the certification process again.

      Even still, this is definitely nice to see. Congrats to the OpenSSL team.

      J

    2. Re: Poster left out explanation of what FIPS is by Steven Reddie · Score: 3, Informative

      Information from the OpenSSL core team and the oss institute is that the source is being certified and the certification has been issued for the hashes of the relevant source files, thereby meaning that compilation of unmodified source results in a certified build.