OpenSSL Receives FIPS 140-2 Validation

Argon writes "Close on heals of NewsForge reporting about Government Agency dragging its heels on OpenSSL validation comes the news that OpenSSL receives FIPS Certification. More details are available at the Open Source Institute site which has been driving the effort to get OpenSSL certified. FIPS 140-2 certification allows software using the certified version of OpenSSL to get into various Government departments previously not possible, thus increasing penetration of Free Software in Government."

Re:

[account_deleted]

Comment removed based on user account deletion

"Pending" for 2 weeks

[nealmcb]

Congrats and thanks to the team - I can only imagine what a struggle this has been.

From http://www.oss-institute.org/ [oss-institute.org]

    Two points to remember please: a) the validation is still considered
    "pending" until it is posted on the NIST site...in no more than 2
    weeks from the announcement date -- NIST official protocol, and b)
    the validation does not immediately solve all FIPS 140-2 compliance
    issues.

The big thing available now is "OpenSSL Security Policy Version 1.0"
    http://oss-institute.org/images/OpenSSL_SecurityPo licy_FINAL.pdf [oss-institute.org]

      This document is required as a part of the FIPS 140-2 validation
      process. It describes the OpenSSL FIPS cryptographic module in
      relation to FIPS 140-2 requirements. The companion document
      OpenSSL FIPS 140-2 User Guide (Reference 14)is a technical
      reference for developers using, and system administrators
      installing, the OpenSSL FIPS software, for use in risk assessment
      reviews by security auditors, and as a summary and overview for
      program managers.

The "validated OpenSSL USER GUIDE" will be available within two weeks
of the announcement date.

No sign yet of OpenSSL 0.9.7j on the openssl site.

There is an email list available for updates:

  http://mail.oss-institute.org/mailman/listinfo/fip s-nist-update_oss-institute.org [oss-institute.org]
 

Annoying license

[duffbeer703]

OpenSSL is one of those cool projects that would be so much cooler if it weren't for the stupid license that makes it a PITA to actually employ in a product.

OpenSSL essentially uses the BSD license w/attribution, which makes it difficult to use with GPLd projects, unless you use the version provided by your distro -- which isn't always desireable.

non-Viral == Annoying???

[mosel-saar-ruwer]

OpenSSL is one of those cool projects that would be so much cooler if it weren't for the stupid license that makes it a PITA to actually employ in a product. OpenSSL essentially uses the BSD license w/attribution, which makes it difficult to use with GPLd projects, unless you use the version provided by your distro -- which isn't always desireable.

Okay, maybe this is a question of semantics, but since when did a non-viral open source license qualify as "annoying"?

Re:non-Viral == Annoying???

[frodo from middle ea]

On that note, name one "VIRAL" open source license.

Re:non-Viral == Annoying???

[TheRaven64]

The advertising clause has been dropped by the rest of the BSD community, including the original BSD code base. It is unworkable, since it requires you to advertise every piece of code you use that uses the clause. Eventually you end up with such a large number of other people's adverts on your promotional material that people can't see what you are actually advertising. The addition of this clause to the license was the reason the entire F/OSS community ditched XFree86 in favour of x.org.

Re:non-Viral == Annoying???

[swillden]

Okay, maybe this is a question of semantics, but since when did a non-viral open source license qualify as "annoying"?

The OpenSSL license is just as "viral" as the GPL (actually, it's copyright that's viral, but I'll ignore that). The attribution clause "infects" any software which uses OpenSSL. In many cases, OpenSSL's restriction is less constraining than the restrictions in the GPL, but it is a restriction, and it does annoy some people -- mainly those using free software licenses that don't allow t

Mod parent uninformative

[ivoras]

Can you quote paragraph against paragraph, side by side, why are those two licenses incompatible? Which paragraph in the GPL license prevents use of BSD licenseed code inside a GPL project?!

BSD License is strictly less demanding, and you CAN use any BSD library or project inside a GPL project without ANY problems with licenses. This is because BSD License doesn't prevent distribution of source code with a product, and GPL requires it. BSD License doesn't care about the software-is-free dogma thingy in the

Re: Mod Reply clueless

[duffbeer703]

The original BSD license included an "Advertising Clause". That advertising clause is incompatabile with the GPL (because it adds additional restrictions to your use and distribution of the software) and is a rather annoying and useless artifact.

The University of California removed the advertising clause in 1999. OpenSSL and its predessessor, SSLeay, require attribution on all marketing material.

Here is the original BSD license... clause 3 is the advertising clause:

* Copyright (c) 1982, 1986, 1990, 1

Re: Mod Reply clueless

[ivoras]

http://www.gnu.org/philosophy/bsd.html [gnu.org]
Though it's inconvenient, I don't see how the clause makes it strictly incompatible with GPL. Anyone know why it says so in http://www.gnu.org/philosophy/license-list.html [gnu.org] ?

Re: Mod Reply clueless

[duffbeer703]

The thing that should jump out at you is this passage from your first link:

"NetBSD comes with a long list of different sentences, required by the various licenses for parts of the system. In a 1997 version of NetBSD, I counted 75 of these sentences. I would not be surprised if the list has grown by now."

Say Apache required those 75 attribution sentences, and say someone at IBM working on the IBM HTTP server (based on Apache) erroneously mangled or deleted a few of those attributions. Now IBM can be sued for

Re: Mod Reply clueless

[Intron]

No. IBM could not be sued. You could write them a nice letter (or a nasty one if you prefer) and they would fix their distribution. If they refused to fix their distribution (unlikely) then you could sue. But in US courts, you can't sue until you have shown that the defendent is refusing to comply with your legitimate request.

Besides, which is more restrictive, the "obnoxious BSD advertising clause" or the GPL "conspicuously" clause?

You may copy and distribute verbatim copies of the Program's sour

Re: Mod Reply clueless

[ivoras]

I'm still waiting for a quote from the GPL where it says it's incompatible with the advertising clause...

Re: Mod Reply clueless

[ivoras]

From the GPL (as other people have noticed also):

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

Is this different, and why?

Re:Annoying license

[nacturation]

You have such a problem giving credit to the people whose work you use? You don't even need to release source if you don't want. Just using it and saying thanks in your documentation and/or credits is all that's required.
 

Re:Annoying license

[pyite69]

Are you serious? The artistic license allows you to copy the code and put a GPL license on it if you want... there is no issue at all.

So will this end gnutls ?

[Anonymous Coward]

I mean... I do think it to be good that the market offers multiple solutions to certain issues, freedom of choice is a good thing. However I sometimes don't understand why sometimes people are very desperate to re-invent the wheel "just because". It usually starts with "its not free / open sourced" (as they say about Java), "its too complicated", and I guess there are numerous of other reasons. Don't get me wrong; I'm not claiming that those reasons are nonsense perse.

But what I do find frustrating is when

Re:So will this end gnutls ?

[Slashcrap]

But what I do find frustrating is when the original software is very usable, has earned its spurs multiple times and as such deserves some credit. Instead people desperatly try to mimick it sometimes, even resulting in an environment which doesn't even come close to working as the original. Resulting in "yet another environment". On Linux for example you can basicly say that it has 2 TLS solutions: openssl and gnutls.

I know it's terrible isn't it? You've got FreeBSD, NetBSD, OpenBSD and all the others - wha

Re:So will this end gnutls ?

[juergen]

It is not "just because". Appearantly some people find the license annoying (scroll up slightly for a proof).

You yourself listed beeing not free (enough) as one of the reasons you do not claim nonsense ...

I personally don't mind there beeing 2 projects, if any one dies we still have the other one.

Re:So will this end gnutls ?

[micheas]

However I sometimes don't understand why sometimes people are very desperate to re-invent the wheel "just because".

Think of it as the computer equivilent to a kit car. Impractical and done mainly for the benifit of the person doing it. Every once in a while someone creating a one off car comes up with something really innovative, but most of the time it is just a single persons hobby that no one really cares about.

With the nominal distribution and reproduction cost of software however, each creation has a

Is the end of RSA Security (the company)?

[Anonymous Coward]

OpenSSL has long been the choice crypto library for many commercial applications. When such products need to be sold into government they invariably face the issue of FIPS 140-2 certification. Does an OpenSSL FIPS 140-2 module signal the end of RSA Security. Other than their SecureID tokens RSA do not seem to have a lot more to offer.

Re:Is the end of RSA Security (the company)?

[Halo-]

Let me answer that with a resounding: "Huh?"

Does an OpenSSL FIPS 140-2 module signal the end of RSA Security. Other than their SecureID tokens RSA do not seem to have a lot more to offer.

FIPS 140-2 is basically a standard correctly and security of an algorithm. OpenSSL implements things like the RSA algorithm, and their implementation has been certified as "safe" for government use to a certain level of assurance. This doesn't have anything to do with RSA Security (the company), SecureID, or anythin

YAY

[mnmn]

YAY. Woohoo! Go OSS!

What is FIPS Validation?

I assume....

[Slashcrap]

....that there is some way in which you can run OpenSSL in FIPS compliant mode then? Or is it a special FIPS distribution of OpenSSL?

Because under FIPS, the only allowable algorithms are 3DES-CBC for encryption and SHA1 for HMAC.

If you allow anything else to be used, it is not "FIPS compliant".

Re:I assume....

[Schraegstrichpunkt]

Because under FIPS, the only allowable algorithms are 3DES-CBC for encryption and SHA1 for HMAC. If you allow anything else to be used, it is not "FIPS compliant".

Could you cite your sources? From what I can tell, the FIPS [nist.gov] 140-2 [nist.gov] list of Approved Security Functions [nist.gov] includes AES, and Triple-DES, as well as (curiously) DES and Skipjack[1].

For AES, the ciphers can be operated in the ECB, CBC, CFB, OFB, CTR [nist.gov], CMAC [nist.gov], and CCM [nist.gov] modes of operation.

Approved hash functions include SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512. Keyed hashing must be done using HMAC, but you can use various DES MACs, as well as CCM mode, for message authentication.

Interestingly, what this basically means is that FIPS 140-2 compliance does not imply that your system is secure. All it means is that the government can use it.

[1] Can somebody please check this? I vaguely remember DES and Skipjack being withdrawn, but I can't find the documentation for that.

Re:I assume....

[Slashcrap]

Could you cite your sources?

Memory, which in this case appears to have been slightly faulty.

Anyway, my point was that OpenSSL supports an awful lot of stuff that you're not going to be able to use in a FIPS compliant system.

How is that going to be handled? Some kind of switch or a separate distribution? I know that where I work we have our own distribution of OpenSSL without any of the funky ECC stuff (because it's patented up the wazoo by Certicom and we don't want to get sued) or the really weak algorithm

Re:

[account_deleted]

Comment removed based on user account deletion

Re:I assume....

[nickovs]

....that there is some way in which you can run OpenSSL in FIPS compliant mode then? Or is it a special FIPS distribution of OpenSSL?

Because under FIPS, the only allowable algorithms are 3DES-CBC for encryption and SHA1 for HMAC.

If you allow anything else to be used, it is not "FIPS compliant".

Two issues. Firstly, AES is acceptable these days for the symmetric cipher and that is supported in TLS. Secondly, the strict requirements about what ciphers are available does not, as far as I know, apply if it's just a FIPS 140-2 level 1 validation which is basically a validation that the FIPS certified ciphers in the library function as required. If they have gone for FIPS 140-2 level 2 then then any key management functionality (such as key wrapping) must use FIPS certified ciphers but one can usually still allow users to use other ciphers. This is important since SSL requires both MD5 and SHA-1 for some of it's obscure MAC functions.

Level 1

[swillden]

The article notes that OpenSSL has achieved level 1, "the lowest of four possible validation levels". It should be noted, however, that level 1 is also the only level achievable by a software implementation. Level 2 requires physical "tamper evidence", which isn't achievable without something physical on which the tampering would be evident. Just for completeness, level 3 and level 4 require different degrees of "tamper resistance".

Re:Level 1

[nickovs]

he article notes that OpenSSL has achieved level 1, "the lowest of four possible validation levels". It should be noted, however, that level 1 is also the only level achievable by a software implementation. Level 2 requires physical "tamper evidence"

This is not the case. There are several software implementations that have achieved FIPS 140 level 2 validation, more notably the Netscape Security Services (NSS) library which is now maintained by the Mozilla team: http://www.mozilla.org/projects/security/pki/ [mozilla.org]

Re:Level 1

[keath_milligan]

It's possible for software to achieve higher than level 1, but you have to presume a standard hardware platform to run it on. They probably just picked a machine that met level 2 physical requirements and ran it through the process using it, so technically, it probably isn't certified unless it is running on that particular machine. This is pretty common.

Re:Level 1

[swillden]

Sort of. To be tested, a software module has to be deployed on some specific piece of hardware conforming to some defined tamper evident/resistant properties. A level 1 certification means that the selected platform didn't have the requisite properties. That doesn't have anything to do with the quality or security of the software, however, it just means that whoever was paying for the certification didn't want to pay for the more expensive hardware and testing.

So I guess I should have said "a software

This could be BIG

[$ASANY]

I've noted before [slashdot.org] that this was the really important missing piece for open-source systems, the other being Commmon Criteria accreditation. In U.S. federal government (and especially DoD) programs, not only do you need to be EAL3 or better, but interoperate with FIPS 140-2 crypto systems in a FIPS 140-2 compliant manner when encryption is used, which is almost all the time. We have open-source systems certified under common criteria, but we couldn't use them with DOD PKI, so the utility of these systems was severely limited.

As a side note, it never seemed as if Microsoft's failure to get CC validations promptly ever slowed down IIS or XP deployments, but it's been a major roadblock for any other systems to get through DITSCAP if there was any possible reason to deny the request.

FIPS accreditation removes the final roadblock for open source in the federal government. Now there is not a single valid policy or security requirement that can block deployments of open source systems.

Also of note is that since anyone can use OpenSSL, small development shops are no longer held hostage to Certicom's expensive licensing schemes if they want to deploy FIPS compliant solutions. It used to be financially daunting to sell software to the government that included crypto, and this created a nice, safe sandbox for the small set of approved vendors to charge outrageous prices for FIPS compliant solutions. Now they have to compete with open source, which will likely bring costs down considerably for anyone required to deploy only FIPS compliant solitions.

Another poster mentioned that this restricted the choice of encryption algorithms to 3DES. That is incorrect. FIPS 140-2 is an AES implementation, specifically because of concerns over 3DES' long-term viability. There are no approved 3DES implementations under FIPS 140-2.

Cool!

[Spy der Mann]

I hope now they can use that as a legitimate reason to finish documenting [openssl.org] the libraries...

# openssl(1): [STILL INCOMPLETE]
Manual page documenting the openssl command line tool.

# ssl(3): [STILL INCOMPLETE]
Manual page documenting the OpenSSL SSL/TLS library.

# crypto(3): [STILL INCOMPLETE]
Manual page documenting the OpenSSL Crypto library.

# HOWTO: [STILL INCOMPLETE]
HOWTO documents to introduce concepts or explain them in a way that is not possible in the manuals.

Free Software "penetration"

[raddan]

It's about time we finally penetrated the government. They've been fucking us for years.

Why no 1.0

[Vellmont]

OpenSSL is one of the most widely used pieces of software out their. Why is it still at version 0.9.x? I don't understand why this well proven pieces of software STILL hasn't decided that it's good enough for a 1.0 release. Can somone explain the version number strangeness?

Church of Newsforge

[StikyPad]

Newsforge is healing people? Hallelujah!