Content

OpenSSL in a FIPS flap

The leading developer of open source encryption technology reported this week that its government certification was under question for the second time in a year.

Earlier in the week, the Open Source Software Institute (OSSI) said that its Federal Information Processing Standards (FIPS) 140-2 certification had been revoked as per a notice on the website of the National Institute of Standards and Technology (NIST), which administers FIPS certifications. This was causing concern among the security-conscious government users of OpenSSL who are required by law to use FIPS-certified technology to prove a high level of information assurance.

After several days of scrambling, the Cryptographic Module Verification Program (CMVP) of NIST released a statement that the "revoked" status was incorrectly posted and that OpenSSL certification is currently "not available". This means that those already using the technology are in the clear, but new installations may not be made until the certification is available again.

This is the second time in a year that OpenSSL has had issues with its FIPS certification. The cryptographic standard had received certification in January and had it revoked within a few days. By March it had again received certification, until late Friday when questions again arose. It is rare for certifications to be yanked once they've gotten the all clear, said John Weathersby, executive director of the OSSI.

He believes that OpenSSL's checkered certification past highlights a political struggle between the open source movement and other proprietary vendors who want to block OpenSSL's availability as an alternative in the high assurance security market.

"There are a few corporate entities that pretty much dominate this market," he said. "The big story here is that (OpenSSL) is upsetting the applecart. I do believe that there are proprietary people that are working desperately because they have a lot to lose, and that's just business."

He believes that many of the issues brought up by CMVP during the certification process are the result of outside pressure. He thinks others in the market have focused intense scrutiny on the publicly-available OpenSSL source code and then henpecked the certification body with complaints.

"We are well aware that the opposing side has the luxury of going through everything we've done and being able to cherry pick problems (and report them)," he said. "We don't think that CMVP has the firs t malicious intent, we believe that they are trying to do their job.

Those in the proprietary encryption market have been critical of open source. They say that problems that have come up over the course of Open SSL's quest for certification stem from the nature of open source. They believe that if the code is available to anyone, this means even the bad guys can exploit the weaknesses in the widely-propagated code, so OpenSSL proponents shouldn't be surprised if their code is scrutinized.

"The very nature of open source code means that it's accessible by any number of people," said George Adams, CEO of SSH Communications Security.

But Weathersby disagreed, saying that if OpenSSL is going to be scrutinized down to the source code then the proprietary vendors should be held to the same standards, which he does not believe is happening. He also says that the issue regarding black hat access to the code is not a problem.

"The FUD in that is that the bad guys can come in and figure out how it works and slip something in," he said. "Well, I tell you what, if it is just you writing a module then you've got to be smarter than everybody. If we write it collectively and everybody gets a chance to look at it, then we collectively are smarter and more apt to catch any holes."

Still, Adams believes that the questions surrounding OpenSSL's FIPS certification highlight concerns over its suitability in the government market and among large enterprises.

"People have begun to question if they should really be using open source for security, because there's been a track record of many more vulnerabilities reported," Adams said. "When there is a vulnerability, who do you call? You really need a partner that you can call and have a fixed response time, not just rely on the community to get interested in fixing the problem."

But Weathersby said those arguments aren't valid.

"George has been spreading that around, but that does not hold water. That just besmirches the whole OpenSSL community," he said, pointing to high-level Department of Defense (DoD) users who swear by OpenSSL. "The DoD does not rely on the kindness of strangers. If you think that there isn't an organized structure (to the community), that there's no governance, then you are foolish."

Weathersby said that now that the initial scare over the brief "revoked" status over, the the OpenSSL labs run by the OSSI can focus on pushing a final certification through that will stick this time. The lab is set to submit final fixes regarding the last batch of technical issues by the end of the week. He hopes that is all that will be needed to bring some closure to the ordeal.

"We've been doing this for three and a half years and every time we have submitted something the rules just seem to change," he said. "At some point you have to say 'yes' or 'no.' You cannot keep dragging this out."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.