Agencies that must buy software to meet these standards are finding that an open-source, modular approach can provide new choices on the marketplace.
Instead of buying software that would be useless in a short time, the agency took a novel approach. It would instead invest in OpenSSL, an open-source, FIPS-140-2-certified encryption module. That way, DMLSS could simply insert OpenSSL into whatever software product best met its needs, freeing it to chose from a wider range of vendors that didn’t have FIPS certifications.
“This validation will save us hundreds of thousands of dollars,” said Debora Bonner, operations director for DMLS.
The key to this approach was to validate the source code rather than the executable program itself. That way, when DMLS changed to a new platform, the code could be easily plugged into the new software. FIPS only certifies the cryptographic module of a program, not the entire program.
The approach proved unique, according to Luc Cousineau, director of the IBM-owned DOMUS IT Security Laboratory that tested OpenSSL. He said FIPS certification had never been done for a program’s source code before.
As a result, the European project leaders behind OpenSSL had to come up with a way to assure their code could guarantee its own validity. (They devised an ingenious method of inserting hash values into the code that the compiler could check.)
In the end, the certification, awarded earlier this year, cost about $85,000. Besides DMLS, Hewlett-Packard Co., the Open Source Software Institute of Hattiesburg, Miss., and PreVal Specialist Inc. of Severna Park, Md., supported the project. Because the source code was validated, it could be compiled for any platform, be it Linux, Microsoft Windows or some obscure operating system.
“The hope is that this FIPs mode will be incorporated into open-source projects that use cryptography,” Marquess said.
Autor/Author: Joab Jackson
Quelle/Source: Government Computer News, 15.05.2006
