September 11, 2007

All systems go for validation of updated OpenSSL module

Author: Lisa Hoover

When the Open Source Software Institute (OSSI) sought Federal Information Processing Standards (FIPS) 140-2 validation for its OpenSSL toolkit last year, it was anything but smooth sailing. In fact, the whole process took so long that by the time it eventually wound its way through the validation process, it was already technically outdated. OSSI has just submitted a new OpenSSL update for FIPS validation but, according to Executive Director John Weathersby, things are bound to go much more smoothly this time around.

FIPS validation of OpenSSL, an open source toolkit that allows programs to securely exchange data in the same fashion as proprietary versions of Secure Sockets Layer encryption, is crucial in order for governmental agencies like the Department of Defense to be able to use it to manage sensitive data. Though the validation process is overseen by the Cryptographic Module Validation Program (CMVP) -- a joint venture between the US National Institute of Standards and Technology (NIST) and the Canadian agency Communications Security Establishment (CSE) -- and typically takes only a few months, testing the previous version of OpenSSL took a whopping five years.

The primary reason for the lengthy process was a steep learning curve after a new testing method was developed to ensure the security of the software. Midway through the validation process, however, the testing agency received anonymous complaints about the validity of the code base, resulting in a long suspension of the project's validation while an investigation was launched. OpenSSL was eventually revalidated. Weathersby says the OSSI has reason to believe the complaints came from proprietary vendors hoping to initiate a FUD campaign that would create doubt in the minds of government agencies who were considering using OpenSSL as a data exchange solution.

It would be reasonable to assume that the OSSI would be leery of encountering similar issues during this validation process, but Weathersby says he's not worried.

"We don't expect the hassle we got the first time around," says a confident Weathersby. "We base that assumption on several things. First, the initial validation was a real ground-breaking experience from a technical and business perspective. [OSSI's Senior Technical Advisor] Steve Marquess and our technical team did a fantastic job addressing the technical challenges with the testing lab and CMVP officials.

"Second, the CMVP put their foot down regarding a lot of the sniping we endured from outside sources during the first go around. Now that the initial validation (certificate #733) has stood on its own for a while and a lot of people -- both vendor and government entities -- have implemented the validated version into their solutions, it proves that the validated open source module is as good as any proprietary solution available. That takes a lot of steam out of the FUD that was being generated by those who did not want to see this succeed.

"So basically, we're now viewed as more of a mainstream product in the system and are going along like all the other products being considered by the testing lab and government validating bodies."

Although the testing process has just begun, the OpenSSL 0.9.8 module and all associated documentation are expected to be released soon under the OpenSSL open source license. Then, in keeping with the core mission of the program, the team will get right back to work on the next update.

"We really wanted to get the next version out to provide the most current, up-to-date solution possible," says Weathersby. "[Our mission is] to get a 'rolling validation' process going so that we constantly have the most current, updated versions of OpenSSL in the validation pipeline.

"The great thing about this is that our Department of Defense sponsors are seeing constant progress and they keep saying, 'OK, good job, now see what you can do with this....' So the program is expanding and growing to include both government and industry participation and support. It really makes all those hard years worth it to see it all come together."
