Oracle, OpenSSL and SafeLogic partner to update FIPS module
Oracle, OpenSSL and SafeLogic have announced a seed investment in developing the next generation open source OpenSSL 1.1 FIPS (Federal Information Processing Standard) 140-2 module, and called for others to join the effort.
The FIPS 140-2 is a joint US and Canadian government security standard for testing cryptographic modules, the objective of which is to ensure the use of strong and validated cryptographic protection in US and Canadian government systems.
However, it’s also widely respected and informally accepted by other countries and non-government industries as a strong and trustworthy standard for cryptographic modules used within commercial products.
OpenSSL, in turn, is the most widely used and respected cryptographic library protecting data transfers across computer networks.
In 2014, OpenSSL gained widespread attention with the discovery of the Heartbleed bug, a security flaw that could allow a remote attacker to retrieve private memory of an application that uses the OpenSSL library in chunks of 64k at a time.
While the vulnerability was subsequently fixed, the event served as a wake-up call about the need for participation, support, and funding for OpenSSL and other heavily used open source software.
According to the companies, the current FIPS module for OpenSSL has not had a significant upgrade since 2012, while encryption standards have evolved significantly.
“Ensuring that OpenSSL maintains an up to date FIPS implementation is critical to helping maintain the security posture of sensitive data on government systems and the continuous safety of millions of transactions performed daily. We as a community have a responsibility to maintain the confidence of users in these systems,” said Jim Wright, Chief Architect, Open Source Policy, Strategy, Compliance and Alliances at Oracle.
“Given the complexity of the task at hand, we encourage other software vendors to join us in and donate to this project to deliver a free, open-source FIPS module that will benefit everyone.”
Helping drive the updated OpenSSL FIPS project forward, Oracle has made a $50,000 seed investment to start the project, with another $50,000 to follow based on the progress of the effort.
“Oracle has made a significant pledge, underscoring their crucial role in the future of open source FIPS 140-2 capabilities,” said SafeLogic CEO Ray Potter.
“Other sponsors with a vested interest should get in touch with SafeLogic to arrange their own donations, as we are administering contributions to directly fund both the hard and soft costs of the OpenSSL 1.1 FIPS Module project.”
SafeLogic, a company that provides strong encryption products for solutions in mobile, server, cloud, appliance, wearable, and IoT environments certainly has an interest in upgrading the module.