A more secure, fed-approved OpenSSL
BY TROY K. SCHNEIDER
When the Heartbleed bug was discov- ered in 2014, the federal government largely managed to avoid significant fallout from the OpenSSL vulnerability. But agencies are now faced with a dif- ferent problem: The newer, more secure OpenSSL 1.1 lacks a critical federal validation for cryptographic software.
Using it in federal systems, in fact, would be against the law.
At issue is FIPS 140-2 — a standard set by the National Institute of Stan- dards and Technology and its Canadian counterpart. All federal cryptographic-
based security systems that involve sensitive information must comply with it. And as Steve Marquess, a former president of the OpenSSL Software Foundation who now leads OpenSSL Validation Services, explained in a Sep- tember 2015 blog post, OpenSSL 1.1 was restructured so dramatically that new validation was needed.
That effort is a long and costly pro- cess, and Marquess warned at the time that without government sponsorship, OpenSSL 1.1 could be without a valid FIPS module for the foreseeable future.
On July 20, however, Marquess and SafeLogic CEO Ray Potter announced
that SafeLogic would sponsor the vali- dation. “With changes over the last few years,” Potter wrote in a blog post, “the viability of legacy OpenSSL FIPS mod- ule validations have been repeatedly threatened, and the crypto community simply cannot accept the possibility of being without a certificate.”
SafeLogic, which offers proprietary encryption solutions and conducts FIPS validation for other products, will sponsor the engineering work and then handle the validation effort. Acumen Security will be the testing laboratory, and the OpenSSL Project will do the engineering work. •
GCN AUGUST/SEPTEMBER 2016 • GCN.COM 7