Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
eWEEK.com
Search
eWEEK.com
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Oracle Joins SafeLogic to Develop FIPS Module for OpenSSL Security

    By
    SEAN MICHAEL KERNER
    -
    August 4, 2017
    Share
    Facebook
    Twitter
    Linkedin
      OpenSSL 1088

      Oracle announced on Aug. 3 that it is joining SafeLogic in an effort to develop a much needed FIPS 140-2 module for the open-source OpenSSL cryptographic library.

      OpenSSL is widely used to help secure internet communication and infrastructure, though it currently is lacking a critical module for government standards, known as FIPS 140-2. The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government cyber-security standard used to certify cryptographic modules.

      FIPS validation is important as it enables technologies to be used within government agencies and industries that require validation. To help advance the required development work for a FIPS 140-2 module for OpenSSL, Oracle is contributing $50,000 to that effort, providing an additional $50,000 after progress is made.

      “The OpenSSL team chose to use Oracle’s initial funding to cover staff work on the project, which is unsurprising—there is plenty of work to be done,” Jim Wright, chief architect of Open Source Policy, Strategy, Compliance and Alliances at Oracle, told eWEEK.

      SafeLogic started building the FIPS module for OpenSSL in July 2016. However, in addition to dealing with the complexity of the required work, the OpenSSL team has been pulled toward other projects over the last year, significantly delaying the FIPS effort, according to Ray Potter, CEO of SafeLogic. 

      “While the initial strategy and design work is underway, this funding from Oracle will be channeled to OpenSSL developers to jump-start the engineering effort,” Potter told eWEEK.

      SafeLogic is providing the staffing and expertise for the validation work that is required for the FIPS module. Wright said Oracle was aware of the SafeLogic effort, which in his view already had some established parameters around how to get the required work done. Oracle’s interest in helping to develop a FIPS module for OpenSSL is driven in part by the growing use of OpenSSL across the company’s products.

      “Oracle’s use of OpenSSL is widespread, and our investment in it will only increase over time,” Wright said. 

      There already is a FIPS module for OpenSSL, though it has not been updated since 2012 and isn’t based on the recent OpenSSL 1.1.x releases. For Oracle to maximize its return on its investment in OpenSSL, there is a need for a FIPS module that meets the requirements of government applications, Wright said. 

      “We are going to need a FIPS module that will work with OpenSSL 1.1, which means a new module,” he said.

      While the OpenSSL project is regularly updated, there is a functional difference between what is available today and what is required for the new FIPS module. The FIPS project is dedicated to providing an encryption module, built to FIPS 140-2 specifications, as an alternative library for use within the new OpenSSL 1.1 framework, Potter said. 

      “OpenSSL 1.1 has taken significant steps forward in technical capabilities, but does not retain backward compatibility with the existing OpenSSL FIPS Object Module,” Potter said. “By building a new FIPS module and completing validation with the CMVP [Cryptographic Module Validation Program], the open-source community will be able to leverage OpenSSL 1.1’s technical advances without sacrificing FIPS compliance.”

      Looking forward, Potter said OpenSSL, SafeLogic and Acumen Security (the testing lab) are working toward a consensus on some strategic items for the FIPS validation, which will be completed within the next few months. The next major milestone includes the completion of FIPS-specific coding requirements, including FIPS power-up self-tests, conditional self-tests and an algorithm testing harness, which are prerequisites for validation testing, he added.

      OpenSSL as a project came under scrutiny following the Heartbleed security vulnerability incident in April 2014. In the aftermath of that incident, it was determined that more resources were required to help OpenSSL succeed. In May 2014, the Linux Foundation launched the Core Infrastructure Initiative (CII) to help fund critical open-source efforts such as OpenSSL. While CII has provided some funding to OpenSSL, currently it is not part of the FIPS module effort.

      “The Linux Foundation and CII have not become involved, but it would be fantastic to bring them in,” Potter said.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      CHRIS PREIMESBERGER - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      CHRIS PREIMESBERGER - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      EWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      ZEUS KERRAVALA - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      WAYNE RASH - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Info

      © 2020 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×