OpenSSL is an open source toolkit that allows programs to securely exchange data in the same fashion as proprietary versions of Secure Sockets Layer encryption. The NIST's Cryptographic Module Validation Program for FIPS-140-2 is used to validate and certify cryptographic programs that government agencies use to protect sensitive information. Earlier this year, OpenSSL was one of the first products to be validated by the NIST after formal testing in one of its 13 accredited labs. But OpenSSL developers were stunned last month to learn that the product's validation had suddenly been suspended without explanation. Developers immediately began working on making changes that would allow the program to be revalidated.
Then, on July 14, John Weathersby, executive director of Open Source Software Institute, which manages the project, received a startling after-hours phone call. The Cryptographic Module Validation Program (CMVP), a division of NIST, had revoked the program's certification entirely.
By Tuesday of last week, however, the CMVP had reverted OpenSSL's validation to "suspended" once more. Officials at CMVP could not be reached for comment.
"The validation was [originally] suspended because anonymous vendors filed extensive complaints," said Weathersby. He thinks the companies that filed the complaints "have proprietary products of their own and this validation would threaten their business model. That validation is a barrier to entering this market if your product doesn't have it."
Weathersby said the developers looked at the issues raised in the complaint prior to resubmitting OpenSSL for testing and revalidation on June 16. According to a statement on Open Source Software Institute's Web site, the only substantive change to OpenSSL's code was to "[shuffle] the object modules in the original OpenSSL-fips-1.0.tar.gz distribution to create a new larger fipscanister.o module that eliminates all OpenSSL references."
Though it is not known exactly when the certificate will be revalidated, Steve Marquess, OSSI technical program lead, says it could happen anytime. "It could be a couple of days or many months," he said, "but I expect to see it sooner rather than later."
Marquess based that prediction on the lab's relatively quick turnaround time while retesting the program, a process known to be arduous under the best circumstances. Once the lab has completed testing, the results generate a tremendous amount of paperwork, which is then shipped to CMVP for review. Because CMVP works with limited staff, it can take months to make validation decisions.
Marquess said the time lag grew because the lab opted to retest the entire program, rather than just the portion that was changed. "The lab did a complete review, from soup to nuts, even though there were no fundamental changes," he said. Since each cryptographic algorithm requires its own test, the process can be anything but short.
A learning process
Though the process of keeping OpenSSL available for its users has been unpredictable at times, John Weathersby says it has been a learning process for everyone.
"CMVP is trying to do the right thing, but they're learning as they go along and they have to learn to address this open source phenomenon," he said. "But they're trying." Weathersby also says criticism from detractors of OpenSSL can only benefit the program. "Open source is transparent by nature and that helps strengthen our case. Criticism enables us to fix issues and make the product stronger."
Even the volunteers, who Weathersby says have put "hundreds upon hundreds of hours into this, along with their blood, sweat, and tears," have learned a thing or two along the way. "We've been on a roller coaster with all of this for so long that if we didn't have patience before, we sure learned it."
There is a chance that CMVP will send OpenSSL back to the drawing board, but Weathersby said, "We are totally confident that it will be reinstated."
"It's been a lot of hoopla and a knife fight," said Weathersby, "but it's working out."