NIST Validation Of OpenSSL Algorithms

← Back to Stories (view on slashdot.org)

NIST Validation Of OpenSSL Algorithms

Posted by ryuzaki0 on Wednesday May 12, 2004 @05:07AM from the thanks-for-the-security dept.

An anonymous reader submits "On Monday, May 10, 2004, the National Institute of Standards and Technology (NIST) posted a notice that the AES, DES, 3DES, DSA and SHA-1 algorithms for OpenSSL have been validated. The validation notices can be found at the following NIST sites: Advanced Encryption Standard (AES) Algorithm (Certification # 146); Data Encryption Standard (DES) Validated Implementations (Cert # 258); Triple Data Encryption Algorithm (TDEA, a.k.a. "Triple DES"): (Cert # 256); Digital Signature Algorithm (DSA) Validation System: (Cert # 108); Secure Hash Algorithm (SHS) Validation System: (Cert # 235). Successful validation of these algorithms does NOT mean that OpenSSL has received FIPS 140-2 validation, yet. The overall FIPS 140-2 validation effort for OpenSSL is still in process. Additional updates will be posted on the OSSI web site, www.oss-institute.org. NIST validation of these algorithms does, however, signify a major milestone in OSSI's efforts to secure the FIPS 140-2 validation for OpenSSL. Please post any questions that you might have to questions@oss-institute.org."

5 of 19 comments (clear)

Min score:

Reason:

Sort:

Poster left out explination of what FIPS is by the+morgawr · 2004-05-12 05:13 · Score: 5, Informative

A quick googling shows that FIPS 140-2 validation refers to the government certification that encryption modules have adequate security to be used by the the Federal (e.g. US) government. If OpenSSL gets fully validated this will be a huge win for open source software.

--
The policy of the United States is worse than bad---it is insane. -- Ludwig von Mises, Economic Policy(1959)
1. Re:Poster left out explination of what FIPS is by dark_panda · 2004-05-12 06:26 · Score: 4, Informative
  
  Another open source crypto package (actually, it's public domain code) that has received FIPS 140-2 certification is crypto++, a set of C++ crypto classes and such.
  
  It should be noted that if (or rather, when) OpenSSL is FIPS 140-2 certified, it doesn't mean that you can use OpenSSL and claim that your code is FIPS 140-2 certified. Technically, you can't even recompile OpenSSL yourself and claim certification on the resulting binaries, you need to go through the certification process again.
  
  Even still, this is definitely nice to see. Congrats to the OpenSSL team.
  
  J
2. Re:Poster left out explination of what FIPS is by Steven+Reddie · 2004-05-12 13:38 · Score: 3, Informative
  
  Information from the OpenSSL core team and the oss institute is that the source is being certified and the certification has been issued for the hashes of the relevant source files, thereby meaning that compilation of unmodified source results in a certified build.
Re:Hmm by alex_tibbles · 2004-05-13 03:14 · Score: 2, Interesting

Strictly speaking the validation is only of the _implemenation_ of these algorithms. The NSA did invent SHA, but all these algorithms have stood up to academic attack (that we know of).

--
Posters recognized by their sig,
Re:Hmm by Spiked_Three · 2004-05-13 10:35 · Score: 2, Interesting

Encryption is math - all math is solvable - some math solutions take resources most people don't have, this does not technically constitute a back door, but you can bet your sweet bippy if the (US) government allows you to transmit it, they have a way to decrypt it.
Want to try an experiment - come up with really decent random number generator (not based on FIPS or built in functions) and send a fake encrypted message twice a day to someone in a foreign country. See how long before you are visited :)

--
slashdot troll = you make a compelling argument I do not like the implications of.