By Joab Jackson
Agencies setting up sensitive virtual private networks now have an
The National Institute of Standards and Technology has certified
OpenSSL, an open-source library of encryption algorithms, as meeting
Federal Information Processing Standard 140-2 Level 1 standards,
according to the Open Source Software Institute of Hattiesburg, Miss.
"This validation will save us hundreds of thousands of dollars," said
Debora Bonner, operations director for the Defense Department's
Defense Medical Logistics Standard Support program, in a statement.
"Multiple commercial and government entities, including [the Defense
Department's] Medical Health System, have been counting on this
validation to avoid massive software licensing expenditures."
Federal agencies must use FIPS-compliant products to secure networks
carrying unclassified sensitive data. The FIPS certification of
OpenSSL opens the possibility of using an SSL-based VPN to carry
sensitive data, according to Peter Sargent, who heads the Severna
Park, Md.-based PreVal Specialist Inc., one of the companies that
supported the validation process.
Traditionally, agencies wishing to set up a VPN for sensitive data
would use an approach that involved a secret key implementation of a
cryptographic module, which is more expensive to implement and has
limited the number of smaller companies that can provide such a
product, Sargent said.
Sargent added that few agencies would directly deploy OpenSSL FIPS.
Rather, they would purchase OpenSSL-based VPN products from vendors.
To accompany the release, OSSI has published a guidebook, The OpenSSL
Security Policy Version 1.0, describing how the OpenSSL cryptographic
module works in relation to FIPS 140-2 requirements. The organization
also plans to issue a users' guide within two weeks, according to John
Weathersby, executive director of OSSI.
Agencies will also find support from a December 2005 update of NIST's
Implementation Guidance for FIPS PUB 140-2 and the Cryptographic
Module Validation Program. The document addresses how users can deploy
a program with FIPS modules across multiple platforms.
The cryptographic module of OpenSSL (SSL stands for Secure Sockets
Layer) consists of an open-source implementation of SSL encryption -
originally created by Netscape Communications Corp. - as well as a
Transport Layer Security module.
SSL and TLS are security protocols that browsers and other software
can utilize to encrypt and decrypt Web pages and sensitive data. In
order to be FIPS-approved, it is necessary to limit the SSL-based
implementation to the TLS mode, Sargent said.
The volunteer-led OpenSSL project oversees the development of OpenSSL.
The team has made the module and source code available at the
project's Web site under an Apache-style license permitting free
NIST validated the library cryptographic module contained in Version
0.9.7j of OpenSSL-FIPS as a validation process only for encryption
modules, not entire software packages. The OpenSSL-FIPS library
cryptographic module uses the Advanced Encryption Standard, the Data
Encryption Standard, the Digital Signature Algorithm, FIPS-mode RSA
for signatures, as well as the FIPS-qualified approved Secure Hash
Algorithm-1, or SHA-1.
In addition to PreVal, OSSI and DMLSS, Hewlett-Packard Co. of Palo
Alto, Calif., and the Domus IT Security Laboratory of Ottawa sponsored
the FIPS testing for OpenSSL.
InfoSec News v2.0 - Coming Soon!