Security Validation of OpenSSL Encryption Tool Uncertain

Computerworld - A joint U.S. and Canadian organization that certifies encryption tools for use by federal government agencies has suspended its validation of OpenSSL cryptographic technology for the second time in less than six months.

The decision means that government agencies for the two countries can't purchase the tool for the time being, although those that have already done so will still be allowed to use it. OpenSSL is an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security protocols. It is widely used to encrypt and decrypt data on the Internet.

The decision to suspend validation of the tool came just two days after the group doing the validation, the Cryptographic Module Validation Program (CMVP) at the National Institute of Standards and Technology (NIST), had taken the harsher step of rejecting the tool entirely.

News of the rapid changes to the validation effort drew criticism from the Open Source Software Institute (OSSI), a nonprofit group in Hattiesburg, Miss., trying to get the Open-SSL encryption module validated for government use. John Weathersby, the OSSI's executive director, alleged that the move appears to have been influenced by vendors of proprietary technologies that stand to lose a lucrative market if an open-source alternative is certified.

"There are some vendors fighting like hell to make this die, and I can see why," said Weathersby. "This is not a technology issue; this is a political issue."

In January, OpenSSL received its precedent-setting validation from the CMVP, which is charged with validating and certifying that cryptographic tools sold to government agencies meet the requirements of the Federal Information Processing Standard (FIPS) Publication 140-2.

Currently, agencies looking for encryption capabilities spend hundreds of thousands -- and in some cases millions -- of dollars licensing proprietary cryptographic tools.

In an e-mailed statement, NIST confirmed the "not-available" status but offered no reasons for it.

Already, the OSSI has been required to make a continuing series of tweaks to OpenSSL at the request of the CMVP, said Steve Marquess, the open-source group's validation project manager.

Part of the problem stems from the fact that the FIPS requirements were written for hardware-based encryption tools, while OpenSSL is software-based. As a result, mapping the FIPS requirements to OpenSSL has been challenging, Marquess said.

Vendors of commercial products have also raised a constant stream of technology-related questions that have proved time-consuming to address, Marquess said.

George Adams, president and CEO of SSH Communications Security Inc., a Wellesley, Mass.-based vendor of encryption products, said that concerns about the use of OpenSSL in government environments are valid. As an open-source tool, OpenSSL is subject to constant changes that would invalidate its certification on a regular basis, he said.