OpenSSL Receives FIPS 140-2 Validation

Argon writes "Close on heals of NewsForge reporting about Government Agency dragging its heels on OpenSSL validation comes the news that OpenSSL receives FIPS Certification. More details are available at the Open Source Institute site which has been driving the effort to get OpenSSL certified. FIPS 140-2 certification allows software using the certified version of OpenSSL to get into various Government departments previously not possible, thus increasing penetration of Free Software in Government."

"Pending" for 2 weeks

[nealmcb]

Congrats and thanks to the team - I can only imagine what a struggle this has been.

From http://www.oss-institute.org/

    Two points to remember please: a) the validation is still considered
    "pending" until it is posted on the NIST site...in no more than 2
    weeks from the announcement date -- NIST official protocol, and b)
    the validation does not immediately solve all FIPS 140-2 compliance
    issues.

The big thing available now is "OpenSSL Security Policy Version 1.0"
    http://oss-institute.org/images/OpenSSL_SecurityPo licy_FINAL.pdf

      This document is required as a part of the FIPS 140-2 validation
      process. It describes the OpenSSL FIPS cryptographic module in
      relation to FIPS 140-2 requirements. The companion document
      OpenSSL FIPS 140-2 User Guide (Reference 14)is a technical
      reference for developers using, and system administrators
      installing, the OpenSSL FIPS software, for use in risk assessment
      reviews by security auditors, and as a summary and overview for
      program managers.

The "validated OpenSSL USER GUIDE" will be available within two weeks
of the announcement date.

No sign yet of OpenSSL 0.9.7j on the openssl site.

There is an email list available for updates:

  http://mail.oss-institute.org/mailman/listinfo/fip s-nist-update_oss-institute.org

Annoying license

[duffbeer703]

OpenSSL is one of those cool projects that would be so much cooler if it weren't for the stupid license that makes it a PITA to actually employ in a product.

OpenSSL essentially uses the BSD license w/attribution, which makes it difficult to use with GPLd projects, unless you use the version provided by your distro -- which isn't always desireable.

Re:Annoying license

[nacturation]

You have such a problem giving credit to the people whose work you use? You don't even need to release source if you don't want. Just using it and saying thanks in your documentation and/or credits is all that's required.

So will this end gnutls ?

I mean... I do think it to be good that the market offers multiple solutions to certain issues, freedom of choice is a good thing. However I sometimes don't understand why sometimes people are very desperate to re-invent the wheel "just because". It usually starts with "its not free / open sourced" (as they say about Java), "its too complicated", and I guess there are numerous of other reasons. Don't get me wrong; I'm not claiming that those reasons are nonsense perse.

But what I do find frustrating is when the original software is very usable, has earned its spurs multiple times and as such deserves some credit. Instead people desperatly try to mimick it sometimes, even resulting in an environment which doesn't even come close to working as the original. Resulting in "yet another environment". On Linux for example you can basicly say that it has 2 TLS solutions: openssl and gnutls.

Personally I think this is silly, and basicly no different from what the big companies do. Many people whine about how many different standards there are and how this should be made easier and more free, only to end up doing exactly the same.

Kudo's to openssl! Very impressive and still my personal favorite when it comes to providing SSL based solutions.

Re:So will this end gnutls ?

[juergen]

It is not "just because". Appearantly some people find the license annoying (scroll up slightly for a proof).

You yourself listed beeing not free (enough) as one of the reasons you do not claim nonsense ...

I personally don't mind there beeing 2 projects, if any one dies we still have the other one.

Re:So will this end gnutls ?

[micheas]

However I sometimes don't understand why sometimes people are very desperate to re-invent the wheel "just because".

Think of it as the computer equivilent to a kit car. Impractical and done mainly for the benifit of the person doing it. Every once in a while someone creating a one off car comes up with something really innovative, but most of the time it is just a single persons hobby that no one really cares about.

With the nominal distribution and reproduction cost of software however, each creation has a remote chance of being a market leader.

Observers seem get caught up on market share and conservation on talent, when a lot of computer work is the scale of a really impressive hobby. That is not to say that people do not create software for other reasons. That is obviously false, but writing a *n*x clone from scratch when BSD already existed to get to learn about the 80386 was a waste of time if one only looks at efficiency of resources, but that was not the goal. The goal was to learn about the 80386, Linux having a sizable market share was an unintended consequence that did not factor in its origination.

(I hope this is not way to pedantic, but the we shouldn't waste resources statements seem to get passed around as truth with out any discussion.)

Is the end of RSA Security (the company)?

OpenSSL has long been the choice crypto library for many commercial applications. When such products need to be sold into government they invariably face the issue of FIPS 140-2 certification. Does an OpenSSL FIPS 140-2 module signal the end of RSA Security. Other than their SecureID tokens RSA do not seem to have a lot more to offer.

Re:Is the end of RSA Security (the company)?

[Halo-]

Let me answer that with a resounding: "Huh?"

Does an OpenSSL FIPS 140-2 module signal the end of RSA Security. Other than their SecureID tokens RSA do not seem to have a lot more to offer.

FIPS 140-2 is basically a standard correctly and security of an algorithm. OpenSSL implements things like the RSA algorithm, and their implementation has been certified as "safe" for government use to a certain level of assurance. This doesn't have anything to do with RSA Security (the company), SecureID, or anything like that.

RSA the (algorithm) is still very, very much alive and doesn't show any sign of going anywhere for many years. This is due in part to the fact that the only other option is elliptic curve, (ECC) which is patented, and will be for some time to come.

Level 1

[swillden]

The article notes that OpenSSL has achieved level 1, "the lowest of four possible validation levels". It should be noted, however, that level 1 is also the only level achievable by a software implementation. Level 2 requires physical "tamper evidence", which isn't achievable without something physical on which the tampering would be evident. Just for completeness, level 3 and level 4 require different degrees of "tamper resistance".

Re:Level 1

[keath_milligan]

It's possible for software to achieve higher than level 1, but you have to presume a standard hardware platform to run it on. They probably just picked a machine that met level 2 physical requirements and ran it through the process using it, so technically, it probably isn't certified unless it is running on that particular machine. This is pretty common.

Re:Level 1

[swillden]

Sort of. To be tested, a software module has to be deployed on some specific piece of hardware conforming to some defined tamper evident/resistant properties. A level 1 certification means that the selected platform didn't have the requisite properties. That doesn't have anything to do with the quality or security of the software, however, it just means that whoever was paying for the certification didn't want to pay for the more expensive hardware and testing.

So I guess I should have said "a software module deployed on any random PC with no special security hardware" can't get higher than level 1.

Re:I assume....

[Schraegstrichpunkt]

Because under FIPS, the only allowable algorithms are 3DES-CBC for encryption and SHA1 for HMAC. If you allow anything else to be used, it is not "FIPS compliant".

Could you cite your sources? From what I can tell, the FIPS 140-2 list of Approved Security Functions includes AES, and Triple-DES, as well as (curiously) DES and Skipjack[1].

For AES, the ciphers can be operated in the ECB, CBC, CFB, OFB, CTR, CMAC, and CCM modes of operation.

Approved hash functions include SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512. Keyed hashing must be done using HMAC, but you can use various DES MACs, as well as CCM mode, for message authentication.

Interestingly, what this basically means is that FIPS 140-2 compliance does not imply that your system is secure. All it means is that the government can use it.

[1] Can somebody please check this? I vaguely remember DES and Skipjack being withdrawn, but I can't find the documentation for that.

Re:I assume....

[nickovs]

....that there is some way in which you can run OpenSSL in FIPS compliant mode then? Or is it a special FIPS distribution of OpenSSL?

Because under FIPS, the only allowable algorithms are 3DES-CBC for encryption and SHA1 for HMAC.

If you allow anything else to be used, it is not "FIPS compliant".

Two issues. Firstly, AES is acceptable these days for the symmetric cipher and that is supported in TLS. Secondly, the strict requirements about what ciphers are available does not, as far as I know, apply if it's just a FIPS 140-2 level 1 validation which is basically a validation that the FIPS certified ciphers in the library function as required. If they have gone for FIPS 140-2 level 2 then then any key management functionality (such as key wrapping) must use FIPS certified ciphers but one can usually still allow users to use other ciphers. This is important since SSL requires both MD5 and SHA-1 for some of it's obscure MAC functions.

This could be BIG

[$ASANY]

I've noted before that this was the really important missing piece for open-source systems, the other being Commmon Criteria accreditation. In U.S. federal government (and especially DoD) programs, not only do you need to be EAL3 or better, but interoperate with FIPS 140-2 crypto systems in a FIPS 140-2 compliant manner when encryption is used, which is almost all the time. We have open-source systems certified under common criteria, but we couldn't use them with DOD PKI, so the utility of these systems was severely limited.

As a side note, it never seemed as if Microsoft's failure to get CC validations promptly ever slowed down IIS or XP deployments, but it's been a major roadblock for any other systems to get through DITSCAP if there was any possible reason to deny the request.

FIPS accreditation removes the final roadblock for open source in the federal government. Now there is not a single valid policy or security requirement that can block deployments of open source systems.

Also of note is that since anyone can use OpenSSL, small development shops are no longer held hostage to Certicom's expensive licensing schemes if they want to deploy FIPS compliant solutions. It used to be financially daunting to sell software to the government that included crypto, and this created a nice, safe sandbox for the small set of approved vendors to charge outrageous prices for FIPS compliant solutions. Now they have to compete with open source, which will likely bring costs down considerably for anyone required to deploy only FIPS compliant solitions.

Another poster mentioned that this restricted the choice of encryption algorithms to 3DES. That is incorrect. FIPS 140-2 is an AES implementation, specifically because of concerns over 3DES' long-term viability. There are no approved 3DES implementations under FIPS 140-2.

non-Viral == Annoying???

[mosel-saar-ruwer]

OpenSSL is one of those cool projects that would be so much cooler if it weren't for the stupid license that makes it a PITA to actually employ in a product. OpenSSL essentially uses the BSD license w/attribution, which makes it difficult to use with GPLd projects, unless you use the version provided by your distro -- which isn't always desireable.

Okay, maybe this is a question of semantics, but since when did a non-viral open source license qualify as "annoying"?

Re: Mod Reply clueless

[duffbeer703]

The original BSD license included an "Advertising Clause". That advertising clause is incompatabile with the GPL (because it adds additional restrictions to your use and distribution of the software) and is a rather annoying and useless artifact.

The University of California removed the advertising clause in 1999. OpenSSL and its predessessor, SSLeay, require attribution on all marketing material.

Here is the original BSD license... clause 3 is the advertising clause:

* Copyright (c) 1982, 1986, 1990, 1991, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.

Cool!

[Spy+der+Mann]

I hope now they can use that as a legitimate reason to finish documenting the libraries...

# openssl(1): [STILL INCOMPLETE]
Manual page documenting the openssl command line tool.

# ssl(3): [STILL INCOMPLETE]
Manual page documenting the OpenSSL SSL/TLS library.

# crypto(3): [STILL INCOMPLETE]
Manual page documenting the OpenSSL Crypto library.

# HOWTO: [STILL INCOMPLETE]
HOWTO documents to introduce concepts or explain them in a way that is not possible in the manuals.