OpenSSL Receives FIPS 140-2 Validation

Argon writes "Close on heals of NewsForge reporting about Government Agency dragging its heels on OpenSSL validation comes the news that OpenSSL receives FIPS Certification. More details are available at the Open Source Institute site which has been driving the effort to get OpenSSL certified. FIPS 140-2 certification allows software using the certified version of OpenSSL to get into various Government departments previously not possible, thus increasing penetration of Free Software in Government."

"Pending" for 2 weeks

[nealmcb]

Congrats and thanks to the team - I can only imagine what a struggle this has been.

From http://www.oss-institute.org/

    Two points to remember please: a) the validation is still considered
    "pending" until it is posted on the NIST site...in no more than 2
    weeks from the announcement date -- NIST official protocol, and b)
    the validation does not immediately solve all FIPS 140-2 compliance
    issues.

The big thing available now is "OpenSSL Security Policy Version 1.0"
    http://oss-institute.org/images/OpenSSL_SecurityPo licy_FINAL.pdf

      This document is required as a part of the FIPS 140-2 validation
      process. It describes the OpenSSL FIPS cryptographic module in
      relation to FIPS 140-2 requirements. The companion document
      OpenSSL FIPS 140-2 User Guide (Reference 14)is a technical
      reference for developers using, and system administrators
      installing, the OpenSSL FIPS software, for use in risk assessment
      reviews by security auditors, and as a summary and overview for
      program managers.

The "validated OpenSSL USER GUIDE" will be available within two weeks
of the announcement date.

No sign yet of OpenSSL 0.9.7j on the openssl site.

There is an email list available for updates:

  http://mail.oss-institute.org/mailman/listinfo/fip s-nist-update_oss-institute.org

Annoying license

[duffbeer703]

OpenSSL is one of those cool projects that would be so much cooler if it weren't for the stupid license that makes it a PITA to actually employ in a product.

OpenSSL essentially uses the BSD license w/attribution, which makes it difficult to use with GPLd projects, unless you use the version provided by your distro -- which isn't always desireable.

Re:I assume....

[Schraegstrichpunkt]

Because under FIPS, the only allowable algorithms are 3DES-CBC for encryption and SHA1 for HMAC. If you allow anything else to be used, it is not "FIPS compliant".

Could you cite your sources? From what I can tell, the FIPS 140-2 list of Approved Security Functions includes AES, and Triple-DES, as well as (curiously) DES and Skipjack[1].

For AES, the ciphers can be operated in the ECB, CBC, CFB, OFB, CTR, CMAC, and CCM modes of operation.

Approved hash functions include SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512. Keyed hashing must be done using HMAC, but you can use various DES MACs, as well as CCM mode, for message authentication.

Interestingly, what this basically means is that FIPS 140-2 compliance does not imply that your system is secure. All it means is that the government can use it.

[1] Can somebody please check this? I vaguely remember DES and Skipjack being withdrawn, but I can't find the documentation for that.

Re:I assume....

[nickovs]

....that there is some way in which you can run OpenSSL in FIPS compliant mode then? Or is it a special FIPS distribution of OpenSSL?

Because under FIPS, the only allowable algorithms are 3DES-CBC for encryption and SHA1 for HMAC.

If you allow anything else to be used, it is not "FIPS compliant".

Two issues. Firstly, AES is acceptable these days for the symmetric cipher and that is supported in TLS. Secondly, the strict requirements about what ciphers are available does not, as far as I know, apply if it's just a FIPS 140-2 level 1 validation which is basically a validation that the FIPS certified ciphers in the library function as required. If they have gone for FIPS 140-2 level 2 then then any key management functionality (such as key wrapping) must use FIPS certified ciphers but one can usually still allow users to use other ciphers. This is important since SSL requires both MD5 and SHA-1 for some of it's obscure MAC functions.

This could be BIG

[$ASANY]

I've noted before that this was the really important missing piece for open-source systems, the other being Commmon Criteria accreditation. In U.S. federal government (and especially DoD) programs, not only do you need to be EAL3 or better, but interoperate with FIPS 140-2 crypto systems in a FIPS 140-2 compliant manner when encryption is used, which is almost all the time. We have open-source systems certified under common criteria, but we couldn't use them with DOD PKI, so the utility of these systems was severely limited.

As a side note, it never seemed as if Microsoft's failure to get CC validations promptly ever slowed down IIS or XP deployments, but it's been a major roadblock for any other systems to get through DITSCAP if there was any possible reason to deny the request.

FIPS accreditation removes the final roadblock for open source in the federal government. Now there is not a single valid policy or security requirement that can block deployments of open source systems.

Also of note is that since anyone can use OpenSSL, small development shops are no longer held hostage to Certicom's expensive licensing schemes if they want to deploy FIPS compliant solutions. It used to be financially daunting to sell software to the government that included crypto, and this created a nice, safe sandbox for the small set of approved vendors to charge outrageous prices for FIPS compliant solutions. Now they have to compete with open source, which will likely bring costs down considerably for anyone required to deploy only FIPS compliant solitions.

Another poster mentioned that this restricted the choice of encryption algorithms to 3DES. That is incorrect. FIPS 140-2 is an AES implementation, specifically because of concerns over 3DES' long-term viability. There are no approved 3DES implementations under FIPS 140-2.

Re:Level 1

[keath_milligan]

It's possible for software to achieve higher than level 1, but you have to presume a standard hardware platform to run it on. They probably just picked a machine that met level 2 physical requirements and ran it through the process using it, so technically, it probably isn't certified unless it is running on that particular machine. This is pretty common.

Re:Level 1

[swillden]

Sort of. To be tested, a software module has to be deployed on some specific piece of hardware conforming to some defined tamper evident/resistant properties. A level 1 certification means that the selected platform didn't have the requisite properties. That doesn't have anything to do with the quality or security of the software, however, it just means that whoever was paying for the certification didn't want to pay for the more expensive hardware and testing.

So I guess I should have said "a software module deployed on any random PC with no special security hardware" can't get higher than level 1.

Re: Mod Reply clueless

[duffbeer703]

The original BSD license included an "Advertising Clause". That advertising clause is incompatabile with the GPL (because it adds additional restrictions to your use and distribution of the software) and is a rather annoying and useless artifact.

The University of California removed the advertising clause in 1999. OpenSSL and its predessessor, SSLeay, require attribution on all marketing material.

Here is the original BSD license... clause 3 is the advertising clause:

* Copyright (c) 1982, 1986, 1990, 1991, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.