Thursday, May 18, 2017

ICMC17: Inside the OpenSSL 1.1 FIPS Module Project

Tim Hudson, CTO Cryptsoft and Mark Minnoch from SafeLogic.

In July 2016, OpenSSL announced the commencement of a fresh attempt to do a FIPS validation of OpenSSL. There are over 244 validated products on the NIST list that obviously use OpenSSL in their validation boundaries and it's included in most (all?) operating systems - it's pervasive!  So, why is it so hard to validate?  It starts out as open source with lots of competitors/stakeholders interested in it.

Unfortunately, stakeholder goals and project goals do not always align. For example, the project wants to support many platforms - stakeholders want to focus on only one or two. The same goes for the number of algorithms supported and validated.

Previously, FIPS140 work was effectively entirely funded for the OpenSSL project from 2009-2014, as there was no long term or major sponsor at this time.  The sponsors funding OpenSSL FIPS all had different goals (other than wanting to sell into the US government), which made it very difficult to manage. This is a hard project, with many people yelling at you with different goals and wasn't very rewarding - can't just expect people to do this for "fun". [note: yes, nothing about FIPS is "fun" - practical, yes, but not fun]

The first validation was very painful for the developers, so OpenSSL knows they have to do it differently if they are ever going to do it again.  OpenSSL started their first FIPS 140-2 validation in June 2002, certificates were not received until March 2006!

There have been a total of 9 unique validations, to keep up with new hardware platforms and implementation guidance changes.

The OpenSSL FIPS 1.0 module based off of the OpenSSL-0.9.x is no longer usable, there is still a bit of life left in OpenSSL FIPS 2.0 module (#1747, #2389, #2437) as it is based off of the OpenSSL-1.0.x code. But, a major update is required for a new OpenSSL FIPS module to work with OpenSSL-1.1.x.   For this go round, goal is to make the FIPS140 related changes "less intrusive".

Current validations cover dozens (hundreds?) of platforms (OS vs hardware).

For the new validation, the only current sponsor is SafeLogic, but additional sponsors are needed to fund OpenSSL FIPS development and FIPS lab testing - resources are available now to begin work. 

This is a high risk validation, many people will be watching the validation which means people are cautious to enter - which creates a longer timeline. Keep in mind that TLS 1.3 is only available in OpenSSL 1.1.x, so if that's important to your customers, consider helping out financially to get this project going.

It's hard to get the sponsors on board, as they all want to see another sponsor already on board and to share the cost, but they still want to wield great influence over the work.

If this project doesn't happen, there are fewer options for FIPS libraries and will require you to do more of your own FIPS work.  Taking multiple versions from different companies through CAVP/CMVP is a waste of their resources as well.  Also, if everyone develops independently, the federal government will end up with inconsistent implementations.

Originally team was going to work on FIPS 140-2 work before TLSv1.3, but swapped the priorities. That was easier to get a sponsor for, as it's well defined project and now the FIPS work can happen with the TLSv1.3 in place.

OpenSSL has refactored algorithm testing approach and want to better support embedded systems, and do better with entropy generation.  Need to pick up extra NIST work and try to take SHA3 through CAVP/CMVP.

Will continue to look at improvements to POST (like defining what it means for software). Also considering add ChaCha/Poly1305.

Currently cannot commit to many requested features, just due to trying to keep a reasonable timeline.  The current schedule estimate from "start" to certificate is 18months, based on their experience taking other modules through.

Please consider sponsoring this project so it can get off of the ground!