In association with heise online

02 July 2012, 16:38

OpenSSL 1.0 now with FIPS certification


A FIPS 140-2 certificate is an entry requirement for many projects: there is often no way around the US government's "Security Requirements for Cryptographic Modules", particularly for government contractors. The American National Institute of Standards and Technology (NIST), as the responsible certifying body, has now, at least to an extent, approved version 1.0 of the popular OpenSSL crypto library.

The certificate doesn't cover the OpenSSL library itself; it is only valid for the OpenSSL FIPS Object Module, which offers a specific subset of OpenSSL features. Among other things, it disables various widely used but non-FIPS-approved algorithms such as Blowfish, CAST, IDEA, RC4 and RC5. Migrating software which uses OpenSSL to the FIPS-compliant module is, however, meant to be relatively easy.

The OpenSSL certification is special because this type of certificate usually applies to ready-to-use, executable program packages; in this case, NIST has certified the source code. The certificate, however, is only valid if executable code is generated from the validated, unchanged source code according to a precisely documented method (PDF). Problems may arise if security holes are found in the certified code: even if the developers release a patch to close a hole, users could lose their certification by installing it, because the resulting binary would no longer be built from the validated source. A similar situation already occurred with a previous version of the OpenSSL FIPS Object Module.
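The practical consequence of "validated, unchanged source" is that a build pipeline has to refuse to compile anything whose digest differs from the published one. The following shell function is an added illustration of that gate and is not taken from the article or from the OpenSSL project's own build documentation (which defines its own verification step); the archive name and the expected digest are constructed placeholders, and SHA-256 is chosen here as the comparison function, an assumption rather than the module's documented procedure.

```shell
#!/bin/sh
# verify_fips_source ARCHIVE EXPECTED_DIGEST
# Returns 0 only when the archive's SHA-256 digest equals the published
# value, 1 on mismatch, 2 when the archive is missing. Added example;
# the expected digest passed by the caller is a placeholder, not a real
# value from any validated OpenSSL FIPS Object Module distribution.

# Pick whichever SHA-256 tool the host provides (coreutils or perl shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_fips_source() {
    archive="$1"
    expected="$2"
    if [ ! -f "$archive" ]; then
        echo "no such archive: $archive" >&2
        return 2
    fi
    actual=$(sha256_of "$archive")
    if [ "$actual" = "$expected" ]; then
        echo "digest ok: $archive"
        return 0
    fi
    # Refuse to build: a modified (even patched) source tree is not the
    # validated module, and a binary built from it carries no certificate.
    echo "DIGEST MISMATCH for $archive" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Usage (constructed placeholder digest, replace with the published one):
# verify_fips_source openssl-fips-2.0.tar.gz PLACEHOLDER_DIGEST && ./config && make
```

Wire the function in front of the configure step so a mismatch aborts the build rather than producing an uncertified binary that merely looks like the module.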
