Oracle announced on Aug. 3 that it is joining SafeLogic in an effort to develop a much needed FIPS 140-2 module for the open-source OpenSSL cryptographic library.
OpenSSL is widely used to help secure internet communication and infrastructure, though it currently is lacking a critical module for government standards, known as FIPS 140-2. The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government cyber-security standard used to certify cryptographic modules.
FIPS validation is important as it enables technologies to be used within government agencies and industries that require validation. To help advance the required development work for a FIPS 140-2 module for OpenSSL, Oracle is contributing $50,000 to that effort, providing an additional $50,000 after progress is made.
“The OpenSSL team chose to use Oracle’s initial funding to cover staff work on the project, which is unsurprising—there is plenty of work to be done,” Jim Wright, chief architect of Open Source Policy, Strategy, Compliance and Alliances at Oracle, told eWEEK.
SafeLogic started building the FIPS module for OpenSSL in July 2016. However, in addition to dealing with the complexity of the required work, the OpenSSL team has been pulled toward other projects over the last year, significantly delaying the FIPS effort, according to Ray Potter, CEO of SafeLogic.
“While the initial strategy and design work is underway, this funding from Oracle will be channeled to OpenSSL developers to jump-start the engineering effort,” Potter told eWEEK.
SafeLogic is providing the staffing and expertise for the validation work that is required for the FIPS module. Wright said Oracle was aware of the SafeLogic effort, which in his view already had some established parameters around how to get the required work done. Oracle’s interest in helping to develop a FIPS module for OpenSSL is driven in part by the growing use of OpenSSL across the company’s products.
“Oracle’s use of OpenSSL is widespread, and our investment in it will only increase over time,” Wright said.
There already is a FIPS module for OpenSSL, though it has not been updated since 2012 and isn’t based on the recent OpenSSL 1.1.x releases. For Oracle to maximize its return on its investment in OpenSSL, there is a need for a FIPS module that meets the requirements of government applications, Wright said.
“We are going to need a FIPS module that will work with OpenSSL 1.1, which means a new module,” he said.
While the OpenSSL project is regularly updated, there is a functional difference between what is available today and what is required for the new FIPS module. The FIPS project is dedicated to providing an encryption module, built to FIPS 140-2 specifications, as an alternative library for use within the new OpenSSL 1.1 framework, Potter said.
“OpenSSL 1.1 has taken significant steps forward in technical capabilities, but does not retain backward compatibility with the existing OpenSSL FIPS Object Module,” Potter said. “By building a new FIPS module and completing validation with the CMVP [Cryptographic Module Validation Program], the open-source community will be able to leverage OpenSSL 1.1’s technical advances without sacrificing FIPS compliance.”
Looking forward, Potter said OpenSSL, SafeLogic and Acumen Security (the testing lab) are working toward a consensus on some strategic items for the FIPS validation, which will be completed within the next few months. The next major milestone includes the completion of FIPS-specific coding requirements, including FIPS power-up self-tests, conditional self-tests and an algorithm testing harness, which are prerequisites for validation testing, he added.
OpenSSL as a project came under scrutiny following the Heartbleed security vulnerability incident in April 2014. In the aftermath of that incident, it was determined that more resources were required to help OpenSSL succeed. In May 2014, the Linux Foundation launched the Core Infrastructure Initiative (CII) to help fund critical open-source efforts such as OpenSSL. While CII has provided some funding to OpenSSL, currently it is not part of the FIPS module effort.
“The Linux Foundation and CII have not become involved, but it would be fantastic to bring them in,” Potter said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.