NIST Validation Of OpenSSL Algorithms

timothy posted more than 9 years ago | from the thanks-for-the-security dept.

An anonymous reader submits "On Monday, May 10, 2004, the National Institute of Standards and Technology (NIST) posted a notice that the AES, DES, 3DES, DSA and SHA-1 algorithms for OpenSSL have been validated. The validation notices can be found at the following NIST sites: Advanced Encryption Standard (AES) Algorithm (Certification # 146); Data Encryption Standard (DES) Validated Implementations (Cert # 258); Triple Data Encryption Algorithm (TDEA, a.k.a. "Triple DES"): (Cert # 256); Digital Signature Algorithm (DSA) Validation System: (Cert # 108); Secure Hash Algorithm (SHS) Validation System: (Cert # 235). Successful validation of these algorithms does NOT mean that OpenSSL has received FIPS 140-2 validation, yet. The overall FIPS 140-2 validation effort for OpenSSL is still in process. Additional updates will be posted on the OSSI web site, www.oss-institute.org. NIST validation of these algorithms does, however, signify a major milestone in OSSI's efforts to secure the FIPS 140-2 validation for OpenSSL. Please post any questions that you might have to questions@oss-institute.org."

19 comments

Poster left out explanation of what FIPS is (5, Informative)

the morgawr (670303) | more than 9 years ago | (#9128726)

A quick googling shows that FIPS 140-2 validation refers to the government certification that encryption modules have adequate security to be used by the Federal (e.g. US) government. If OpenSSL gets fully validated this will be a huge win for open source software.

Re:Poster left out explanation of what FIPS is (4, Informative)

dark_panda (177006) | more than 9 years ago | (#9129848)

Another open source crypto package (actually, it's public domain code) that has received FIPS 140-2 certification is crypto++ [cryptopp.com], a set of C++ crypto classes and such.

It should be noted that if (or rather, when) OpenSSL is FIPS 140-2 certified, it doesn't mean that you can use OpenSSL and claim that your code is FIPS 140-2 certified. Technically, you can't even recompile OpenSSL yourself and claim certification on the resulting binaries, you need to go through the certification process again.

Even still, this is definitely nice to see. Congrats to the OpenSSL team.

J

Re:Poster left out explanation of what FIPS is (3, Informative)

Steven Reddie (237450) | more than 9 years ago | (#9134963)

Information from the OpenSSL core team and the oss institute is that the source is being certified and the certification has been issued for the hashes of the relevant source files, thereby meaning that compilation of unmodified source results in a certified build.

Re:Poster left out explanation of what FIPS is (1)

Krunch (704330) | more than 9 years ago | (#9154571)

I don't know, what if the compiler is not certified?

Other hash validations (0)

Anonymous Coward | more than 9 years ago | (#9128771)

Is MD5 validated? I've heard SHA1 is more secure.

Looking for MD5 crack (-1, Troll)

Anonymous Coward | more than 9 years ago | (#9128862)

I wanna find out if my boyfriend is cheating on me. Please send me AES crack. I will pay or provide some useful service to the guy. A friend pointed me to this site and said hackers hang out here. Anyone has AES crack?

Johanna

Re:Looking for MD5 crack (-1, Troll)

Anonymous Coward | more than 9 years ago | (#9128882)

How 'bout I introduce my cock to j00r crack?!

Ummm... (0)

Anonymous Coward | more than 9 years ago | (#9129522)

What about Blowfish?

has it been validated yet?

Re:Ummm... (0)

Anonymous Coward | more than 9 years ago | (#9129819)

I hope not. Wouldn't want that fucker Theo to get any credit.

Re:Ummm... (0)

Anonymous Coward | more than 9 years ago | (#9134984)

Do the articles above mention anything about Blowfish? No? Well then I guess that means it hasn't been certified!

Why is it that if someone says something like "Half Life 2 has been ported to the X-Box" there are people who instantly ask stupid questions like "Has Pengo been ported to the X-Box" or "Has Half Life 2 been ported to my cell phone"?

Breaking News: (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#9130210)

This article has been invalidated
due to lack of interest

Hmm (0, Troll)

Anonymous Coward | more than 9 years ago | (#9134858)

If a federal agency validates encryption algorithms, does this mean they have a convenient backdoor?

Re:Hmm (0, Flamebait)

Anonymous Coward | more than 9 years ago | (#9137469)

No fucktard, it doesn't. The algorithms are still bound by the rules of math, and the computers they're using are bound by the rules of physics. Furthermore, this is about specific implementations of algorithms. It's specific to the OpenSSL implementation of AES, etc.

If you don't believe in the math, you could try VME [meganet.com]. It hasn't been validated for anything.

Re:Hmm (2, Interesting)

alex_tibbles (754541) | more than 9 years ago | (#9139747)

Strictly speaking the validation is only of the _implementation_ of these algorithms. The NSA did invent SHA, but all these algorithms have stood up to academic attack (that we know of).

Re:Hmm (2, Interesting)

Spiked_Three (626260) | more than 9 years ago | (#9145204)

Encryption is math - all math is solvable - some math solutions take resources most people don't have, this does not technically constitute a back door, but you can bet your sweet bippy if the (US) government allows you to transmit it, they have a way to decrypt it.
Want to try an experiment - come up with a really decent random number generator (not based on FIPS or built in functions) and send a fake encrypted message twice a day to someone in a foreign country. See how long before you are visited :)

Re:Hmm (1)

Theatetus (521747) | more than 9 years ago | (#9148255)

Encryption is math - all math is solvable

Yeah? Find a length of which a square's side and its diagonal are both multiples.
