[ISN] Open Source encryption module loses FIPS certification

From: InfoSec News (alerts@private)
Date: Mon Jul 17 2006 - 22:46:03 PDT


By William Jackson
GCN Staff

The National Institute of Standards and Technology has revoked 
certification of the open-source encryption tool OpenSSL under the Federal 
Information Processing Standard.

OpenSSL in January became one of the first open-source software products 
to be validated under NIST's Cryptographic Module Validation Program for 
FIPS-140-2. The certificate apparently was suspended in June when 
questions were raised about the validated module's interaction with outside 
software elements.

The revocation caught the Open Source Software Institute, which shepherded 
the module through the validation process, by surprise.

"I am discouraged with what appears to be another change after 
certification has been awarded," said executive director John Weathersby. 
"It is disheartening after three-and-a-half years of work to have the 
certification pulled twice for reasons not clear to us."

On July 14 the CMVP Web site listed the OpenSSL certificate 642 as 
"revoked." On Monday it was listed as "not available." A statement from CMVP 
supervisor Randy Easter indicated there is no distinction between the two.

"If a validation certificate is marked as 'revoked' or 'not available,' the 
module validation is no longer valid," the statement said.

FIPS-140-2 certification is required for cryptographic products used by 
agencies for unclassified but sensitive information. OpenSSL is an 
open-source version of Secure Sockets Layer encryption that can be used by 
browsers and other programs to securely exchange data.

The option of using an open-source tool could save agencies money in 
software licensing fees.

"Our biggest advocate at this point is the Defense Information Systems 
Agency," Weathersby said. "They are using it."

An official with the Defense Department's Defense Medical Logistics 
Standard Support program told GCN when certification was granted that 
OpenSSL could save the program hundreds of thousands of dollars.

Weathersby said OpenSSL has been challenged by companies with competing 
proprietary encryption technologies, and that those challenges are aided 
by the open-source model, which makes source code for the tools publicly 

"Now the opposing forces have the luxury of going in and trying to pick us 
apart," he said. "That's fine. That's fair. This is about dollars and cents. 
This is not about technology."

Those challenges apparently resulted in the original suspension in June. 
Weathersby said problems had been corrected in the module and the 
workaround submitted to the certifying laboratory, Domus IT Security 
Laboratory of Ottawa, for re-evaluation. He had been expecting CMVP to 
evaluate the lab results and reinstate the certificate when the notice of 
revocation was published on the Web site.

NIST is not saying why the certificate was removed.

"The CMVP does not provide information regarding the status or reason as in 
many cases it may be proprietary," Easter said in his statement.

Weathersby said OSSI would challenge the revocation and has lined up 
funding to pursue recertification.

"We are by no means giving up on this," he said. "We are frustrated by the 
process, but we are not quitting."

This archive was generated by hypermail 2.1.3 : Mon Jul 17 2006 - 22:57:16 PDT