Confusion over US security certification of OpenSSL
There has been considerable confusion over the certification of OpenSSL: first it was reported as withdrawn, now it is apparently back again. OpenSSL in fact did not have its FIPS certification revoked, reports Steve Marquess, the OpenSSL validation project leader at the Open Source Software Institute (OSSI). The certification was only briefly suspended during a new evaluation of the recently submitted version 1.1. The notice of revocation was published solely through an oversight.
In March 2006, OpenSSL became one of the first open source solutions to be evaluated under the Cryptographic Module Validation Program (CMVP) of the US National Institute of Standards and Technology (NIST). Evaluated against the Federal Information Processing Standard (FIPS), it was certified as meeting FIPS 140-2. This authorized its use by government agencies and organizations for processing sensitive but unclassified data. Certified, cost-free open source products could save US agencies an enormous sum of money; one proponent, the OSSI says, is the Defense Information Systems Agency (DISA) of the US Department of Defense.
A report surfaced last week that the certificate had been revoked because of problems with the encapsulation of a module. This was followed by a note on the CMVP website that the certificate had been revoked, after which the certificate was no longer accessible. The certificate (PDF) is currently still unavailable for download.
In the meantime, the problems that led to the confusion have been resolved, the OSSI reports, and new evaluation results are expected. That said, there remains some doubt on the OpenSSL developer mailing list as to whether the problems could have been eliminated so quickly. The affected section of code calls external functions, which raises security concerns, and there are also problems with the implementation of the DES encryption algorithm.
- Open Source encryption module loses FIPS certification, report from GCN
- Re: FIPS 140-2 Validation Revoked, analysis by Steve Marquess
(ehe)