OpenSSL loses FIPS 140-2 Certification (Or Not)

OhHellWithIt writes "Government Computer News reported on Tuesday that OpenSSL has lost FIPS 140-2 certification, only six months after receiving it. It sounds like bad news for those of us who would like to see open source gain more of a foothold in U.S. federal workplaces." Readers have updated this story with an update saying the certification has shifted again.

I'm guessing

[PunkOfLinux]

I'm guessing that this certification is necessary if you want your product to be used in the federal government, right???

Re:I'm guessing

[Ana10g]

That, and a myriad of other certifications... I think they make up certifications so that politics can decide what software can be used where... "Your application doesn't meet certification 'X', sorry, we're going to use your competitor's product, (who, btw, funded the creation of the certification)."
I of course, can't really back that up, but that's what it seems like to me.

Stupid Politics

[neonprimetime]

"I am discouraged with what appears to be another change after certification has been awarded," said executive director John Weathersby. "It is disheartening after three-and-a-half years of work to have the certification pulled twice for reasons not clear to us."
... NIST is not saying why the certificate was removed.

Stupid politics.

Re:Stupid Politics

[AndroSyn]

What the fuck does Theo have to do with it? A lot of people seem to be under the false impression that OpenSSL has something to do with the OpenBSD project. It doesn't...

Re:Stupid Politics

[andrewman327]

Punishing a company and not explaining why? That is just bad business. I imagine it could have to do with national security concerns, but if that were the case, why would they have awarded cert in the first place? Something really does not add up here.

Re:Stupid Politics

[markjo]

I'm guessing that the company will get an explination as to why it's cert gets pulled, but that doesn't mean that the rest of the world needs to know.

Re:Stupid Politics

[hey!]

Well, certification should not be viewed as reward, and removing certification should not be a punishment.

It should have nothing to do with the recipient of the certification; it should be based on whether the product meets certain well established and reasonable criteria, given the best information at the time.

Furthermore, it makes sense not to tell the world exactly what the vulnerability you found which caused the product to be decertified, until your agencies can stop using it, which is not overnight.

However.

What doesn't make sense is concealing this from the organization that obtained the certification to begin with, and presumably could save the Federal government much cost and inconvenience by addressing the problem. IN fact, it's terrible.

How can we know this wasn't done as favor to a political contributor?

We can't.

Even before 9/11, the stance of this administration has been that explaining its reasons for doing things -- only in certain situations mind you -- unduly hampered it's ability to get frank and unvarnished advice from industry. Leaving aside that no presidency in living memory ever felt this to be a problem, we have to decide. We either can know that our officials aren't taking payoffs, OR we deprive those officials of advice whose nature is such that if we knew what it was there would be a public scandal.

If that last sentence seems hard to parse, it's because it doesn't make any sense. The underlying premise is absurd: that public officials need to be able to do shameful things.

Re:Stupid Politics

[andrewman327]

Government has always been able to lie about its reasons for doing things to avoid scandel. If they were simply aiding a benefactor, they would say something vague like "substanciated security concerns" and leave it at that. In my experience in DC, lots of money only gets you part of the way there. Especially when it comes to national security, you need to be able to prove that your product works.

Re:Stupid Politics

[hey!]

Government has always been able to lie about its reasons for doing things to avoid scandel. If they were simply aiding a benefactor, they would say something vague like "substanciated security concerns" and leave it at that.

Yes, of course it always could lie. But you risk getting caught. The actual process of "substantiating security concerns" would leave a paper trail.

Especially when it comes to national security, you need to be able to prove that your product works.

Logically, if by "works" you mean "co

Re:Stupid Politics

[LurkerXXX]

While I agree with all the rest of your post, I disagree with this bit:

What doesn't make sense is concealing this from the organization that obtained the certification to begin with, and presumably could save the Federal government much cost and inconvenience by addressing the problem. IN fact, it's terrible.

It makes sense to conceal it from the organization... temporarily. Until you get your machines switched over to some other secure system if you found a major security hole in theirs.

Although the

Re:Stupid Politics

[hey!]

It makes sense to conceal it from the organization... temporarily. Until you get your machines switched over to some other secure system if you found a major security hole in theirs.

I think you make a good point here. However, it's not clear that there is a plan for switching the machines over. The process is opaque, in a way that I think does not really do much for security.

Although the protocol was certified, that doesn't mean that every person in the organization which made it has passed a 'top-secret'

Re:Stupid Politics

[macdaddy]

This train of thought doesn't get you out of the gates though. If Uncle Sam had to secretly spend millions of $$ to make changes due to a security problem or other major issue then none of the tech they used would have ever gotten off the ground. For example, McDonald Douglas's and Boeing's planes have been fraught with problems, many of which were serious security problems (Google for more info). Not all of these problems were found in the testing phases either. Uncle Sam still brought in the developer

Re:Stupid Politics

[Schraegstrichpunkt]

RTFA. Their policy is not to tell the public the details of the problem because the information might be "proprietary" (Hah!). Somebody associated with OpenSSL will be told.

Biased Reporting

[RingDev]

There was a concern that was raised back in June. Since then, the code has been updated and procedure has been modified. If the reason for the initial "pull" was not clear, how did the know what requirements to change the functionality for?

I haven't followed along with this project, but it doesn't sound that bad. There was a technical issue, they lost their cert. They fixed the technical issue and resubmitted. Screwiness ensues as their cert disappears, then reappears as suspended (which it already had been

Re:Stupid Politics

[doti]

Stupid politics.

More like "stupid microsoft money".

Related Links

[john_sheu]

"receiving it" in the Related Links sidebar? That's just asking for it...

Weasel words

[sharkey]

On July 14 the CMVP Web site listed the OpenSSL certificate 642 as revoked. On Monday it was listed as not available. A statement from CMVP supervisor Randy Easter indicated there is no distinction between the two terms.

Then what honest reason is there for HAVING different terms?

Re:Weasel words

[Southpaw018]

It's the government. There is, unfortunately, no reason needed. Bureaucracy is part of the equation.

Re:Weasel words

[redbaritone]

There is a distinction, they're just not going to tell what it is. ;-) The government behaving irtrationally is an indication that everything is normal. Go about your business. Nothing to see here.

Reasons Not Given?

[mr_rattles]

"The CMVP does not provide information regarding the status or reason as in many cases it may be proprietary"

This is one of the most ridiculous statements I've ever read. How is the problem supposed to be fixed if the vendor is never told what the problem is, and so what if it's proprietary? When I read a statement like this it suggests to me that there's doesn't have to be a method behind how they determine what's rejected and what's not, the person(s) deciding could have simply had a proprietary "I'm in a bad mood today and want to take it out on someone" reason.

Re:Reasons Not Given?

[GreyPoopon]

the person(s) deciding could have simply had a proprietary "I'm in a bad mood today and want to take it out on someone" reason.

Or maybe the person had a proprietary receipt of goods or money from other entities that might or might not have competing products....

Re:Reasons Not Given?

[Anonymous Coward]

They were refering to publicly providing the info. They do provide it to the vendor/developer of the product.
They would not tell the person researching/writing the article why it was revoked.

Re:Reasons Not Given?

[smooth wombat]

Normal operating procedure. Years ago, when I applied for a position with an unnamed 3-letter agency, I gave them several, double-sided, sheets of information going back ten years. Went through the whole process of urine testing, blood analysis, polygraph (twice), and psychological evaluation (bubble test and actual person). After all was said and done I received notice that I would not proceed to the next stage.

I wrote a letter requesting the specific reason for this and was told that that information was proprietary and might disclose operational procedures.

So let's review. I give them almost 20 pages of documentation, agree that they can ask questions about me from family members, relatives,neighbors, etc., agree to let them do a credit check on me and contact other law enforcement agencies to see if I have a record, answer an entire booklet of psychological questions, undergo two polygraph tests, a blood test and urinalysis and they won't tell me how they came to their decistion because in doing so it might reveal how they gather the information.

Um, yeah.

Re:Reasons Not Given?

[Anonymous Coward]

Dear Smooth Wombat,
You had heroin in your system and traces of anally absorbed KY Jelly.

Regards,
Three Letter Agency

Re:Reasons Not Given?

[ChrisDolan]

TLA Psych Report for: [Smooth Wombat]
Recommendation: REJECT
Reason:
  Psych models predict subject shows high likelihood
  of revealing operational procedures to Slashdot

Re:Reasons Not Given?

[Ginger Unicorn]

i think it's probably that they dont want to give away their analytical procedures, rather than their information gathering procedure, which as you point out you already knew, having gone through it.

think about it, if they told you why they rejected you, you could tell someone else what to do in order to pass that part of the test, thus jeopardising the validity of future tests.

Re:Reasons Not Given?

[pla]

thus jeopardising the validity of future tests.

Yeah, because polygraphs have such a great reputation for validity, right?

You can learn to make them show whatever answer you want, and they can return false positives on people not lying. When you can't trust the answer in either direction, it doesn't say much for the test.

The courts don't accept polygraphs as evidence for a reason. It doesn't exactly give me the warm-n'-fuzzies that the so-called "intelligence" community doesn't have the same level o

Re:Reasons Not Given?

[Zeinfeld]

Hell, why not just use an e-meter? They'd get just as meaningful of a result, and could at least give applicants the cop-out that their Thetan level disqualified them.

Because the Scientologists would charge more than the poligraphers?

My understanding of the FIPS140 program is that they are required to give reasons for rejection. It is ten years since I did one but that was the case then.

There is a difference though between providing an instant reply in email and spending a couple of months crafting a

Re:Reasons Not Given?

[Ginger Unicorn]

i wasnt really thinking of the polygraph test, more like them giving away the correct answers to some questions by telling you which ones you got wrong.

perhaps the testers just took the polygraph readings with a grain of salt; perhaps they used them purely to measure stress rather than to detect lies; perhaps they used the polygraph readings in conjunction with other lie detection measures such as body language and voice stress. the thing is they arent going to tell you what happened one way or the other,

Re:Reasons Not Given?

[Valdrax]

Maybe the tests revealed a tendency to question authority?

Re:Reasons Not Given?

[ediron2]

I've worked with the 3LA crowd a fair amount, and I have yet to meet one that wasn't a bit mental. Half of them have a creepy elevated-charisma thing going. The other half? Well, to be blunt, they almost *always* leave me the impression of that wierd guy arguing with his elbow and asking you to pick sides while you're waiting in queue.

And then there's the oppenheimer moments: Doin' cool stuff that is given a usage scenario that seems noble/harmless enough, but losing sleep as you consider all the ways yo

Re:Reasons Not Given?

[smooth wombat]

I'm not taking it personally but I found it amazing that someone like me would not be considered for the position. This was a very low-level position I was applying for.

Since I was absolutely truthful when asked every question my only thoughts would be either:

1) because I was truthful they didn't want someone like me

2) the polygraph had no idea how to handle complete honesty.

Either way, with the way things have gone since then, I'm glad I didn't get the position.

Reasons were given, but not to the public.

[mephistus]

No, the CMVP does not provide the information regarding the status or reason on the website that lists all the approved modules. It does however inform the certification lab that performs the testing on the module of the problem, and then the lab informs the OpenSSL folks. Then the vendor and lab work together to fix whatever it is that brought up the problem.
I don't know what the specific problem is with their module validation, but it's probably more of a paperwork issue than a technical problem. There

Re:Reasons Not Given?

[99BottlesOfBeerInMyF]

This is one of the most ridiculous statements I've ever read. How is the problem supposed to be fixed if the vendor is never told what the problem is, and so what if it's proprietary?

I believe the answer is, you hire a consulting group who just happens to be buddies with the department in question. After paying them a pile of money, they get whatever agency to "certify" your software in some ridiculous and meaningless way. It is just the normal price of doing business in the sector.

One piece of software

I got this in the fips-nis-update mailing list

[Argon]

3:00 pm -- Tuesday, July 18, 2006

http://oss-institute.org/index.php?option=content& task=view&id=166&Itemid= [oss-institute.org]

OpenSSL Module Certification Number 642: back on again...

To: OSSI
From: DOMUS IT Labs
RE: Status of OpenSSL Module (Certification #642)

I received a call this afternoon (Tuesday, July 18, 2006) from the NIST side from the CMVP. They have indicated that certificate #642 had incorrectly been marked as "revoked" during the web site update on Friday 14-Jul-2006. The CMVP has returned the certificate to its "not available" status and posted the following explanation regarding the terminology:

If a validation certificate is marked not available, the module is no longer available for procurement, but may still be retained and used to demonstrate compliance to FIPS 140-1 or FIPS 140-2.

If a validation certificate is marked as revoked, the module validation is no longer valid and may not be referenced to demonstrate compliance to FIPS 140-1 or FIPS 140-2.

Refer to http://csrc.nist.gov/cryptval/140-1/1401val.htm [nist.gov]

Updated and resubmission continues on previous schedule.

----
it's never boring, that I can promise you.
stay tuned.
jmw

--
John M. Weathersby, Jr.
Executive Director
Open Source Software Institute
www.oss-institute.org
tel: 601.427.0152

Ad maiorem dei gloriam (AMDG)
Audentes fortuna juvat

Re:I got this in the fips-nis-update mailing list

[Intron]

It's interesting that OpenSSL is the only listed module that has either "Revoked" or "Not Available" status. If it were due to a change in procedures or testing, one would expect it to affect multiple modules.

Re:I got this in the fips-nis-update mailing list

[Mr. Hankey]

More interesting is the fact that several commercial products from companies such as Oracle and Cisco rely on OpenSSL. I'm curious to see just how long this will last. My guess is not as long as some people think.

Saving$ are for Sucker$

[digitaldc]

An official with the Defense Department's Defense Medical Logistics Standard Support program told GCN when certification was granted that OpenSSL could save the program hundreds of thousands of dollars.

Just speculating here, but maybe it is due to 'competition' by a high-priced commercial alternative that was pushed through by lobbyists?
Why save US taxpayers hundreds of thousands of dollars when you can benefit yourself and rack up huge profits for your corporate friends?


Further reading: http://www.boston.com/news/local/maine/articles/20 06/07/19/audit_finds_ipods_dog_booties_on_homeland _security_credit_cards/ [boston.com]
"Audit finds iPods, dog booties on Homeland Security credit cards By Lara Jakes Jordan, Associated Press Writer | July 19, 2006
WASHINGTON --Wielding government-issued credit cards, Homeland Security employees racked up hundreds of thousands of dollars in unjustified expenses last year, including booties for rescue dogs, iPods, designer rain jackets and beer-making equipment, a congressional audit shows."

Re:Saving$ are for Sucker$

[chrpai]

I spent 6 years on the DMLSS project... I know Steve Marquess very well. There is no way that what you suggest is even remotely possible.

Re:Info

[chrpai]

I wouldn't say that `bad` things never happen on the DMLSS program.

I would say that for better or for worse, Steve is as heavily vested in Linux/Unix and FOSS as any of your most vocal supporters here on Slashdot. The notion of him bowing down to some pressure to replace OpenSSL with some other vendors implementation is just beyond conceivable.

Re:In current news...

[neonprimetime]

If a validation certificate is marked "not available," the module is no longer available for procurement, but may still be retained and used to demonstrate compliance to FIPS 140-1 or FIPS 140-2.

Weathersby said the problems have been corrected and the workaround submitted to the certifying laboratory, Domus IT Security Laboratory of Ottawa, for re-evaluation.
Weathersby said the results of the re-evaluation would be submitted to CMVP for a final review and reinstatement of the certificate.

Seems like we're in for a wait.

FOIA? National Security??

[2phar]

"The CMVP does not provide information regarding the status or reason as in many cases it may be proprietary"

Could someone explain how a flaw discovered in public source code is "proprietary"?!

Are they saying they can't tell anyone what's wrong with it because it would reveal some sort of flaw in SSL to 'terrorists'? Will this stand up to the Freedom of Information Act?

And then.. if the developers via divine intervention determine what the problem is, does this mean they can't put comments in the open source describing it?!

Rediculous.

Re:FOIA? National Security??

[Anonymous Coward]

They have a policy not to publicly disclose this info. This policy was set up for propriatary/closed source vendors. They just continued to follow that policy when dealing with an open source vendor. OpenSSL/OpenBSD will most likely tell the public this info at some point, but it still may be something they want to fix before publishing -- a practice which is common in both open and closed source products/projects.

Re:FOIA? National Security??

[Shanep]

They have a policy not to publicly disclose this info. This policy was set up for propriatary/closed source vendors. They just continued to follow that policy when dealing with an open source vendor. OpenSSL/OpenBSD will most likely tell the public this info at some point, but it still may be something they want to fix before publishing -- a practice which is common in both open and closed source products/projects.

Why would the OpenBSD project make public announcements on behalf of the seperate OpenSSL pro

Re:FOIA? National Security??

[GigsVT]

Well they all work for this "Open" company.

It's just like that "Ars" company that ran that Digita site and that Technica site.

Re:FOIA? National Security??

[fferreres]

They are just stating they have a secret criteria for choosing and don't want anyone to know the criteria. Exactly what we are complaining about is THE FEATURE, no the error of the policy.

That's because

[caluml]

That's because they've found the back door I embedded in it while no-one was looking last Christmas. Wait, someone's at the door.

Politics != Security

[ttfkam]

Weathersby said OpenSSL has been challenged by companies with competing proprietary encryption technologies, and that those challenges are aided by the open-source model, which makes source code for the tools publicly available.

"Now the opposing forces have the luxury of going in and trying to pick us apart," he said. "That's fine. That's fair. This is about dollars and cents. This is not about technology."

This doesn't bother me so much on its face; OpenSSL can only get better after this intense review. What bothers me is that the "opposing forces" are not likely receiving the same level of scrutiny and yet presumably are fully certified for sensitive information by the US government.

But of course they can't release the code for everyone else to review. People might steal their ideas, right? So how do we know they are secure rather than "mostly secure"? Or even worse, that they are "sort of secure, but the right people were taken out to dinner."

Re:Politics != Security

[Padrino121]

You are correct in your assertion that the "opposing forces" are not receiving the same level of review. I cannot go into great detail but I can say based on public information that one of those opposing forces is RSA, it is definitely in their interest to not see a free software model reach a level 1 certification because they turn some serious revenue over with their product. Instead of producing a product that provides a value add that makes the purchase worth the money they, as well as a few other vendo

Re: Thank you proprietary competitors!

[nadamsieee]

Keep those bug reports rolling in! Eventually you'll run out of steam, and OpenSSL will run out of bugs. Hmmm, do I want a SSL product that has been reviewed by company X, or a SSL product that has been reviewed by companies X, Y, Z, A, B... ;)

If you work within the DoD

[guisar]

Those of you within the DoD should voice your support for the OSSI's effort to T02 or the CTO at DISA. It's important for NIST to understand this delay on their part can have a significant (negative) operational impact and if there's not an actual technical issue, this has to be resolved post haste.

this is good.

[brenddie]

This will only mean that whatever was "wrong" will get fixed for the benefit of us all. Something propietary formats cant benefit from.

Weathersby said OpenSSL has been challenged by companies with competing proprietary encryption technologies, and that those challenges are aided by the open-source model, which makes source code for the tools publicly available.
"Now the opposing forces have the luxury of going in and trying to pick us apart," he said. "That's fine. That's fair. This is about dollars and

Re:this is good.

[Peter Simpson]

Absolutely! Though somewhat discouraging in the short term, the product will be better in the long term, for the many eyes (some unfriendly, no doubt) searching for flaws. This is how you get good, robust software. A lot like peer-reviewed research.

So, don't get discouraged; changes will be made, recertification will happen, and OpenSSL will emerge better for the experience!

Re:this is good.

[mclaincausey]

Not necessarily true. It doesn't have to be something wrong, it can be something that is in violation of a standard that itself is not perfect, or it could be a problem with the documentation OSSI has provided. Remediation might involve "fixing" something that wasn't really broken to start with, or with modifying documents to suit algorithms or vice-versa.

Re:this is good.

[AndroSyn]

Damnit..you people...The OpenSSL project has *nothing* to do with OpenBSD other than starting with the word Open.

Strange

[PrayingWolf]

FTA:
"The certificate apparently was suspended in June when questions were raised about the validated module's interaction with outside software elements."
"NIST is not saying why the certificate was removed."

Sounds like an inside job to me

ahem

[tomstdenis]

CERTIFICATION is a SCAM!

It means nothing other than your implementation of an algo is correct. It doesn't mean you used it right.

Tom

Re:ahem

[tomstdenis]

In my case, my code is used everywhere AND I make no money off it. :-)

Tom

Re:ahem!

[tomstdenis]

I am, by suggesting that the "testing centres" are scamsters who want you to keep thinking that with a FIPS seal your product is actually secure.

FIPS certification is largely meaningless outside of RNG and EM testing.

Tom

Re:ahem

[tomstdenis]

I'm not tooting my own horn. I'm saying certification is meaningless and that people will use ANYTHING so long as it meets their needs and budget. My code happens to be free and apparently they don't care that I haven't forked over the required 10 grand or so PER RELEASE to get it verified [per platform too btw].

Tom

Certifiably Broken

[Doc Ruby]

NIST certification fluctuating [gcn.com] unintelligibly is a security nightmare. NIST's certification process needs to be reliable, or the uncertainty will create not only risk of using broken or incompatible security, but also spikes in attacks as crackers get the news that some product might be broken. The products might not be broken, just NIST's decertification process, but who needs the extra waves of attacks?

I'm not surprised that this procurement certification is broken. Bush's top procurement official got bus [google.com]

FYI: Openssl FIPS Details

[mpapet]

Keep in mind a FIPs certified build of openssl requires specific but not complex build parameters.

Also keep in mind the Openssl project can't modify the fips-certified code parts. It would have to go back for certification and I doubt Novell/HP and ? want to pay for that again and again.

It would be interesting to hear if distros (or any users) are building and using it in applications in the FIPS mode.

Obligatory link: http://oss-institute.org/fips-faq.html [oss-institute.org]

Re:FYI: Openssl FIPS Details

[Frogular]

From http://oss-institute.org/fips-faq.html [oss-institute.org]

3) What exactly is being validated? The OpenSSL Crypto modules? The whole distribution? FIPS 140-2 is concerned with cryptographic module implementations, not applications or products per se. The FIPS 140-2 "cryptographic module" defined for OpenSSL contains the FIPS 140 specific cryptographic API and algorithm implementations only; i.e. the API for low level algorithms (RSA, AES, 3DES, DSA, SHA-1). This cryptographic module is a minimal subset of the full Ope

Mozilla NSS is open-source and FIPS140-1 validated

[madbrain]

It is unfortunate that OpenSSL had its certificate revoked. Condolences to the developers, and good luck going through the revalidation process with NIST.

I would like to point out however that Mozilla's NSS (Network Security Services) library is also open-source, performs much of the same functions as OpenSSL, and has been previously FIPS140-1 validated several times - the first validation was over 5 years ago. A FIPS140-2 validation is ongoing. See http://www.mozilla.org/projects/security/pki/nss/f ips/ [mozilla.org] fo

Big deal....

[nighty5]

Its only helpful to businesses that make money off the hard non-paid work of contributors of OpenSSL, for which they don't receive funds.

Let the companies buy an SSL approved mechanism, they have the cash. We sell an appliance that has SSL built in, the cost of the appliance can be up to 250k and above.