DoD team nears Security Validation of OpenSSL
tadelste writes "An important DoD program took a page from Open Source and Do-It-Yourself-IT (DIYIT) and applied for their own Security Validation. In this article Steve Marquess says: 'as a taxpayer, I felt very annoyed. But it made me realize a couple of things. First, if OpenSSL had been validated, then it was possible for us to do it again. Secondly, if we could do it we could save a lot of money for the program.'"
This just goes to show that the US govt knows that open source is more secure than MS.
Charles Wyble All around tinkerer
- Government pays directly for certifying open source products
- Private companies "use" the open source product in their own commercial (very expensive) offerings, pay for the certification, then sell the (largely open source) products at a substantial markup to the government
You save a few pennies in the first option by no longer having the government pay for certification, but you lose many times over in the markup.
"dope will get you through times of no money better than money will get you through times of no dope"
Since they are having to revalidate the same code others have already validated (albeit with some modifications), it's still a good thing to see DoD at least attempting to use my tax dollars smarter, by spending the time to formally validate open source software instead of buying proprietary software for hundreds of thousands of dollars that contains basically the same code.
Any time the Govt. decides to use Free software instead of MS stuff, I also sleep better at night, for several reasons.
Tequila: It's not just for breakfast anymore!
BTW, this shows some of the GPL-camp fears: too-free (as in BSD) code packaged into proprietary apps... some people will not realize they can get the exact same code for free.
(the debate on "in licensing from private outfit you are paying for support of that free code" is left to the reader ;)
That summary is potentially misleading because it leaves out the reason why he was annoyed. Here is the whole paragraph:
Because OpenSSL has a BSD-style license, many vendors simply grabbed the source code and incorporated it into their proprietary products. Those vendors wanted literally hundreds of thousands of dollars in licensing fees. As Steve attests, "as a taxpayer, I felt very annoyed. But it made me realize a couple of things. First, if OpenSSL had been validated, then it was possible for us to do it again. Secondly, if we could do it we could save a lot of money for the program."
So he was annoyed at vendors who he thought were ripping the government off, not at the wastefulness of the government auditing OpenSSL, as I read the summary to say.
In a lot of cases, when software is being written to do X thing, the DoD will go to lengths to write it from top to bottom.
OpenSSL has proven itself worthy on the battle field of the internet.
If by using OpenSSL, the DoD can design better systems faster that allow our troops to be more efficient (i.e. deadlier) and it costs us less money and the DoD returns any bugs it finds to the community, I don't see how this is a bad thing.
Yes Francis, the world has gone crazy.
With OpenSSL being validated by the government as secure, it makes me wonder when SELinux will have its own distro (something a bit thinner than Fedora). This kind of stuff is great, I love it.
He is working on saving the US government money. Wish there were more guys like him in the US gov. For non-US readers : The US government has issues of spending bloat. They spend way too much on stuff. Us taxpayers don't like that. X_X
$\int_a^b f(x)\,dx = F(b) - F(a)$
The day of defeat team?
They knew that OpenSSL had already been validated by several commercial vendors. So validating OpenSSL by itself should be a slam-dunk after they'd already done it N times. But suggesting that they just use OpenSSL for free rather than paying a commercial supplier for it is an "out of the box move" that "took guts"? As Dick Cheney might ask, WTF?
Furthermore, it would be a big surprise if other parts of the military didn't have copies of OpenSSL lying about on a few thousand machines already, so they wouldn't even have to go through the motion of downloading and verifying the public version. I'd bet that it's already mirrored on any number of .mil sites.
How can this idiocy be explained, other than by the theory that they shouldn't get something for free if they can spend money for the same thing and support a campaign contributor?
It does sorta go along with the old stories of the Navy using Windows NT to control their hardware
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
they don't use newclear power. they are part of the opposition in the creators' planet/population rescue mandate. what good are they? & who cares what they approve of?
all is not lost.
consult with/trust in yOUR creators.... intervening on unprecedented evile since/until forever. see you there?
stay tuned for the va lairIE/robbIE answer yOUR questions interview. curreNTly being rescheduled for after the hooplah dies DOWn.
Remember, he spent 18 months getting just the OpenSSL libraries accredited. If a company had two people assigned to the task of accrediting both product and the incorporated OpenSSL for a year, and if we assume 50K/year per person, that's a hundred thousand before the company makes any profit. (And we're skipping the overhead of the manager, their office space, etc.)
The fault here is in the government not having a pre-approved solution for the vendors to use.
There couldn't be a cost... it's open source, the devs work for free, the testers don't get paid, so explain where the cost is....
After spending much effort scaring developers in the US out of working on open source crypto with its munitions export laws the DoD is now "importing" and spending money certifying munitions grade encryption from abroad. Same for the NSA with OpenBSD.
What happens when OpenSSL makes a code fix? Does it all have to be re-validated? Do they supply a signed MD5 hash that says: "These sources are authorized for compiling a FIPS-140 compliant binary"?
There was a comment here on slashdot in the past few months (can't find it now) about if you want to create trustworthy code, you first need to trust every layer below it, and every tool used to create it. Did this team use a validated build of gcc to create their OpenSSL binaries?
Chip H.
I really hate to get pedantic, but OpenSSL is Free Software. According to the Free Software Foundation, the OpenSSL license is a Free Software license incompatible with the GPL.
What you should have said is that the Free Software Foundation recommends developers use the GNU TLS library, but using OpenSSL in non-GPL projects is perfectly okay. Remember, GPL licensed software is only a subset of Free Software.
The preceding comments reflect the author's personal opinion and are public domain, unless explicitly stated otherwise.
'What happens when OpenSSL makes a code fix? Does it all have to be re-validated? Do they supply a signed MD5 hash that says: "These sources are authorized for compiling a FIPS-140 compliant binary"?' and this is different from a proprietary product how?
My other OS is also FreeBSD
Probably same thing as when a commercial vendor has to amend their library; you either stick with what you had (if the change is non-critical), revalidate or ignore the issue.
"Usually with FIPS 140 validation the vendor supplies binary code that is validated as if it were distributed to customers. FIPS 140 requires a runtime integrity check of the binary code. But open-source software is distributed in source code form. The trick here, then, was to produce a mechanism by which cryptographic fingerprints could be chained from the original source code all the way to the final runtime executable."
This sounds like a very useful technique for any software that's verified in source form but deployed in binary form: voting machines and Formula 1 ECUs come to mind. Anybody know if there are more details of how they solved it?
The article made it sound like they selected a few critical files (but not all or even most): "...sequester the critical parts of the source code so they would not be modified in the course of routine maintenance."
It also sounds like they used MD5 or SHA1 to validate what exactly must not change: "...produce a mechanism by which cryptographic fingerprints could be chained from the original source code all the way to the final runtime executable."
And nope, they did not test gcc or validate that the code had no unspecified or undefined behavior spots in it that could even legitimately cause a compiler to generate binaries that produce different results.
Most of this is just "red tape".
But technically the interesting point of the certification is that they managed to get the source code certified. There is at least one other open source product, Crypto++, that is also FIPS 140-2 validated (Certificate #343). But they only managed to get a compiled package validated, which does help me to trust the code but not really to "sell" the library to PHBs. The article doesn't really go into how they did get NIST to validate the source code. Anybody know more details?
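The "chained fingerprints" mechanism the quoted paragraph and the follow-up comment describe, as an added illustration that is not the OpenSSL FIPS module's actual code or the validated build procedure: a digest over the sequestered source files is recorded at validation time, the build refuses sources whose digest differs and stamps that digest into the object it produces, and the loaded object carries a keyed fingerprint (HMAC-SHA256 here) that the runtime integrity check verifies before trusting the stamp. File contents and the integrity key are constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-in for the sequestered source files of a crypto module
# (not OpenSSL's real sources); any edit to them must break the chain.
SOURCE_FILES = {
    "fips_aes.c": b"int aes_encrypt(void) { return 0; }\n",
    "fips_sha.c": b"int sha256_digest(void) { return 0; }\n",
    "fips_rand.c": b"int drbg_generate(void) { return 0; }\n",
}
INTEGRITY_KEY = b"example-integrity-key"  # assumed key, fixed so this runs offline

def source_fingerprint(files):
    """Link 1: one SHA-256 over the sequestered sources in canonical order."""
    h = hashlib.sha256()
    for name in sorted(files):
        h.update(name.encode() + b"\0" + files[name] + b"\0")
    return h.hexdigest()

def build(files, validated_fp):
    """Link 2: refuse sources whose fingerprint differs from the validated one,
    and stamp that fingerprint into the produced object (concatenation stands
    in for compilation). Returns None when the sources were modified."""
    fp = source_fingerprint(files)
    if fp != validated_fp:
        return None
    obj = b"".join(files[n] for n in sorted(files))
    return obj + b"\nSRC_FP=" + fp.encode()

def sign_object(obj):
    """Link 3: keyed fingerprint (HMAC-SHA256) over the built object."""
    return hmac.new(INTEGRITY_KEY, obj, hashlib.sha256).hexdigest()

def runtime_integrity_check(obj, tag, validated_fp):
    """Link 4: at load time verify the HMAC, then that the object still carries
    the validated source fingerprint. True only if the whole chain is intact."""
    expected = hmac.new(INTEGRITY_KEY, obj, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    return obj.endswith(b"\nSRC_FP=" + validated_fp.encode())

def demo():
    """Walk the chain on the samples, then a patched object and an edited source."""
    validated_fp = source_fingerprint(SOURCE_FILES)  # recorded at validation time
    obj = build(SOURCE_FILES, validated_fp)
    tag = sign_object(obj)
    ok = runtime_integrity_check(obj, tag, validated_fp)
    # one-byte patch after signing: HMAC no longer matches
    patched_ok = runtime_integrity_check(obj.replace(b"return 0", b"return 1", 1), tag, validated_fp)
    # routine-maintenance edit to a sequestered file: build refuses it
    edited = dict(SOURCE_FILES, **{"fips_rand.c": b"int drbg_generate(void) { return 7; }\n"})
    return ok, patched_ok, build(edited, validated_fp) is None
```

Unlike the source-side check, the runtime check cannot tell whether the compiler itself was trustworthy, which is exactly the gap the comment about gcc points out.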
k. Use of "shareware" or "freeware" is prohibited unless specifically approved through IA personnel and by the DAA for a specific operational mission requirement and length of time when no approved IA product exists. Notify NETCOM RCIOs and the supporting RCERT/TNOSC of local software use approval.
Thus, unless the local designated approving authority (DAA) is willing to accept the risk of the software, and it is a mission requirement when no approved software exists (which SSL does), the DA won't be using it anytime soon. The biggest problem will be that the DAAs will not want to accept local risk when another product that will do the job, and is approved, will work.
This regulation, while well-intentioned, is really difficult to live with. Try finding a good non-freeware spyware remover. It's not easy.
OpenSSL is not gcc-dependent. Pretty much any C compiler will work. I'm sure there are compilers out there that are already proven for DoD use.
-molo
Using your sig line to advertise for friends is lame.
That's exactly what I am suggesting.
However, if you've never dealt with the government, you may be assuming the vendor would charge just as much for a pre-approved version as a version in which they have to redo the validation effort. Strangely enough, the government has a person, the Contracting Officer, who should monitor the contract and will (o.k., should) disallow this. Instead, the vendor would be allowed a modest fee for the cost of documentation and any further required testing.
If they are validating the crypto, someone missed the boat twice.
If you look at the 1st two bytes of every ssh-2 block, you will find that the 1st 17 bits must be zero. Since that block also corresponds to when the key changes happen, you end up with 17 bits of known plain text at the start of every key change, which opens it up to many types of attacks. That's just sloppy crypto.
and they don't inspect code to determine its origin
You'd have to be pretty dense not to notice the origin of the software if the document the vendor hands you for validation says exactly where it comes from. And even denser to allow a vendor to charge a man-year or two's worth of time for validation efforts if the documentation says the software had already been accredited by the government for the level of security required by the contract.
On the other hand, if they don't use the pre-validated software, then they're unlikely to win the bid to develop the new system, since the competing vendors can undercut them by hundreds of thousands of dollars.
Stepping back, we are not talking at the same level. The article isn't about charging for free software, it's about charging for validating that the free software is secure enough for medical data. Somebody has to do it: either the government does it once and lets the vendors use that accreditation and charge the appropriate amount of fees (which would be measured in man-weeks), or let each and every vendor revalidate the software and pay those vendors for duplicating work over and over again. There isn't some ripoff happening; it's simply that the government keeps paying for the same work over and over again because it doesn't reuse the previous validation efforts.
I'm fairly surprised so many people like OpenSSL.
First, its licence contains an advertising clause. So yes, sure, many (MANY) companies rip off the code of OpenSSL but do not advertise for it on their advertising material, making the use illegal (no big deal until someone at decides to react).
The security history of OpenSSL is fairly poor. It is patched way too often for a security product. The code itself is fairly unreadable. The only really nice thing in OpenSSL is the optimized assembly implementations of the symmetric algorithms...
Anyway, I know at least one country in Europe where OpenSSL == (automatic non-validation for the product)...