NIST Validation Of OpenSSL Algorithms

An anonymous reader submits "On Monday, May 10, 2004, the National Institute of Standards and Technology (NIST) posted a notice that the AES, DES, 3DES, DSA and SHA-1 algorithms for OpenSSL have been validated. The validation notices can be found at the following NIST sites: Advanced Encryption Standard (AES) Algorithm (Certification # 146); Data Encryption Standard (DES) Validated Implementations (Cert # 258); Triple Data Encryption Algorithm (TDEA, a.k.a. "Triple DES"): (Cert # 256); Digital Signature Algorithm (DSA) Validation System: (Cert # 108); Secure Hash Algorithm (SHS) Validation System: (Cert # 235). Successful validation of these algorithms does NOT mean that OpenSSL has received FIPS 140-2 validation, yet. The overall FIPS 140-2 validation effort for OpenSSL is still in process. Additional updates will be posted on the OSSI web site, www.oss-institute.org. NIST validation of these algorithms does, however, signify a major milestone in OSSI's efforts to secure the FIPS 140-2 validation for OpenSSL. Please post any questions that you might have to questions@oss-institute.org."

Poster left out explination of what FIPS is

[the morgawr]

A quick googling shows that FIPS 140-2 validation refers to the government certification that encryption modules have adequate security to be used by the the Federal (e.g. US) government. If OpenSSL gets fully validated this will be a huge win for open source software.

Re:Poster left out explination of what FIPS is

[dark_panda]

Another open source crypto package (actually, it's public domain code) that has received FIPS 140-2 certification is crypto++ [cryptopp.com], a set of C++ crypto classes and such.

It should be noted that if (or rather, when) OpenSSL is FIPS 140-2 certified, it doesn't mean that you can use OpenSSL and claim that your code is FIPS 140-2 certified. Technically, you can't even recompile OpenSSL yourself and claim certification on the resulting binaries, you need to go through the certification process again.

Even still, this is definitely nice to see. Congrats to the OpenSSL team.

J

Re:Poster left out explination of what FIPS is

[Steven Reddie]

Information from the OpenSSL core team and the oss institute is that the source is being certified and the certification has been issued for the hashes of the relevant source files, thereby meaning that compilation of unmodified source results in a certified build.

Re:Poster left out explination of what FIPS is

[Krunch]

I don't know, what if the compiler is not certified ?

Re:Hmm

[alex_tibbles]

Strictly speaking the validation is only of the _implemenation_ of these algorithms. The NSA did invent SHA, but all these algorithms have stood up to academic attack (that we know of).

Re:Hmm

[Spiked_Three]

Encryption is math - all math is solvable - some math solutions take resources most people don't have, this does not technically constitute a back door, but you can bet your sweet bippy if the (US) government allows you to transmit it, they have a way to decrypt it.
Want to try an experiment - come up with really decent random number generator (not based on FIPS or built in functions) and send a fake encrypted message twice a day to someone in a foreign country. See how long before you are visited :)

Re:Hmm

[Theatetus]

Encryption is math - all math is solvable

Yeah? Find a length of which a square's side and its diagonal are both multiples.

Re:Hmm

[Spiked_Three]

Big hint: stop thinking in 1D. Ask rainman's brother.

I don't care how many D's

[Theatetus]

There's still no length that will divide both a square's side and its diagonal. Just as an example.

All math is solvable

[ENOENT]

*cough* Halting problem *cough*