The Cryptographic Module Validation Program (CMVP), a joint effort of the US and Canadian governments, approved the validation of the OpenSSL open source security toolkit for implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols on Friday.
OpenSSL is already in use by companies and organizations around the world. However, validation that the toolkit meets the Federal Information Processing Standard (FIPS) 140-2 regulations means that US and Canadian government agencies that handle sensitive data can use the free, open source security software.
The CMVP is run by the US National Institute of Standards and Technology (NIST) and Canada's Communications Security Establishment (CSE) to provide testing of cryptographic modules in accredited labs, which makes sure that security software does what it is designed to do every time it is used, based on the FIPS standards.
While not yet officially validated, CMVP Director Randy Easter said validation of the open source software "is a done deal." OpenSSL is now in the finalization stage of the CMVP pre-validation process. Although a certificate must be printed and signed by representatives of both NIST and CSE, Easter said the certificate could be signed, and the validation official, as early as next week.
This would be the first open source cryptographic module to be validated, Easter said.
According to a draft of the validation certificate, when compiled, installed, and implemented following the specifications in the document, OpenSSL meets requirements to protect sensitive government information. The toolkit was granted Level 1 approval, the lowest of four possible validation levels, in nine of the 11 categories the module was tested for.
In reviewing the module, the DOMUS IT Security Lab tested the OpenSSL implementation in configurations of SUSE Linux 9.0 and HP-UX 11i single-user mode, though the validation applies to all uses of the toolkit so long as the CMVP implementation guidelines have been followed.
"What this does is put OpenSSL on a level playing field with all other cryptographic modules ... and knocks down enormous boundaries," said John Weathersby, executive director of the Open Source Software Institute (OSSI), which helped the project in its validation effort. "[This validation] will shake up the industry."
Weathersby said that by meeting the government's high threshold for security software "nobody can say that this open source component is not good enough."
The effort to get OpenSSL validated under the FIPS guidelines has been in progress since late 2003, and had been slowed by a lack of experience in validating open source software.
According to Chris Brych, FIPS-140 program manager at DOMUS, the OpenSSL validation posed new challenges in checking it for conformance to requirements because the testing process was not as simple as running the software. Since the source code is freely available, the validation was a proof-of-concept in the event that users decide to compile the toolkit themselves rather than opting for a precompiled version.
Having defined a process for the review of a module that is distributed as source code, Brych said the methodology of review for open source software developed during the OpenSSL review process answered questions the CMVP had about delivery of the module and its performance in integrity tests.
"As with any module, there certainly were a number of things in the review process that crop up along the way that need reviewing," Easter said.
While not able to provide specific details because of CMVP policy, Easter said the agency had two principal concerns which are unique to an open source validation: design assurance, which refers to the actual operation of a module after a vendor constructs and ships it; and that the module does not change when it is used.
"Open source [software] is unique in that you're providing source files that anyone can download and ultimately construct the module from," Easter said. "Once you actually construct the module, as presented to us, there were many questions as far as the compiled result in relation to other applications and processes that would work in conjunction with this module. And as originally presented, that took some time to understand."
With proprietary products shipped in their final form by vendors, compilation standards are in place, as well as integrity checks and signature codes which make sure software code does not change upon each use, Easter said. Since OpenSSL is not the product of a single vendor releasing a single version of the software, the assurances, both in the software and by the CMVP in validating it, were different.
"In the world of security, any change can modify the operation of the module in a secure manner," Easter said. "Which is why any change in a module, even one bit, invalidates the module."
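As an added illustration (not part of the article and not OpenSSL's own code), the following Python sketch shows the kind of power-up integrity check the article refers to: a MAC is computed over the module image when the validated module is built and recomputed when it is loaded, so that flipping even one bit of the image causes the self-test to fail. The key, digest choice and module image are constructed assumptions for the demonstration, not the values used by the real FIPS module.

```python
import hmac
import hashlib

# Hypothetical build-time key embedded in the loader (assumption; the article
# does not state the key or digest the real module uses).
INTEGRITY_KEY = b"constructed-demo-integrity-key"


def compute_integrity_mac(module_bytes: bytes) -> bytes:
    """MAC over the module image, computed once when the validated build is produced."""
    return hmac.new(INTEGRITY_KEY, module_bytes, hashlib.sha256).digest()


def integrity_self_test(module_bytes: bytes, expected_mac: bytes) -> bool:
    """Power-up integrity test: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(compute_integrity_mac(module_bytes), expected_mac)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of the image with exactly one bit inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def demo() -> dict:
    # Constructed stand-in for a compiled module image (2432 bytes).
    module = b"FIPS module image: aes, sha, rsa, drbg" * 64
    mac = compute_integrity_mac(module)          # stored alongside the build
    tampered = flip_bit(module, 12345)           # one-bit change after the fact
    return {
        "pristine_passes": integrity_self_test(module, mac),
        "one_bit_flip_passes": integrity_self_test(tampered, mac),
        "bytes_differing": sum(a != b for a, b in zip(module, tampered)),
    }


if __name__ == "__main__":
    print(demo())
```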
Weathersby said the validation will not only offer OSSI more credibility in seeking confirmation that open source software meets requirements as strong as those in the FIPS document, but it proves that the open source community can compete with corporations on a level of quality as well as cost.
"We were told it couldn't be done," Weathersby said. "This is a classic example of the open source community working together to achieve something that people said only a corporation could do."