SafeLogic saves the day for feds’ use of OpenSSL

A Silicon Valley-based encryption company has done the federal government a huge solid, allowing feds to keep using the most common type of open-source crypto.

“This is a very unusual sponsorship deal,” OpenSSL developer Steve Marquess told FedScoop of the arrangement with SafeLogic, “They are taking a big risk with no financial upside. They are absolutely a white knight.”

For nearly a year, the volunteers that run OpenSSL, a software library offering an open-source implementation of the two most widely-used forms of internet encryption, have been hoping for some help in getting the latest version validated for use in federal computer systems. 

OpenSSL is the key to low-cost internet encryption. It’s the default crypto for Apache — the software that runs two-thirds of the world’s webservers — and it’s used in most Linux distributions as well. 

OpenSSL is the only way most companies can afford to offer TLS or SSL internet encryption — the padlock in the browser that assures users their connection to the site is private and secure. The importance of OpenSSL was shown when the HeartBleed bug was discovered in its library in 2014 — and virtually the whole internet had to be patched.

The problem for feds is that to be used in any federal computer systems, OpenSSL has to be validated under FIPS 140-2, the special standards set by the National Institute for Standards and Technology.

“FIPS has very particular requirements, that transcend any normal set of best practices,” said Marquess.

Without a FIPS-validated module, federal agencies and contractors wouldn’t be allowed to use OpenSSL on federal computer systems.

For nearly a decade, there’s been a validated OpenSSL module that can be used on federal systems. And it’s been updated four times — changes required by new versions of OpenSSL or by updated FIPS requirements.

“As OpenSSL has progressed and developed, we’ve needed to make changes,” said Marquess, “And the requirements for FIPS are also frequently updated — the goalposts are constantly moving.”   

The latest version of OpenSSL, 1.1, needs an entirely new module — and getting open source modules validated is an expensive and risky process that generally requires major corporate or government sponsorship. 

“I don’t have high hopes that we’ll see that white knight sponsor anytime soon,” Marquess wrote in a blog post last year, adding, “So for now we watch and wait and hope … After tilting at the FIPS 140-2 windmill for over a decade I know endless patience is a must.”

“Each of the five validations we got [over the past few years] was sponsored by a different [federal] agency,” Marquess told FedScoop Thursday. “Last time it was DARPA … They called me out of the blue” and eventually offered to help get validation for an updated module.

He said that sponsors for earlier efforts had generally chosen not to be identified.

“This time,” he said, for the update needed for OpenSSL 1.1, “no such sponsor came forward.”

Instead, this week Marquess announced that encryption specialists SafeLogic would sponsor the FIPS 140-2 validation of a new OpenSSL module for version 1.1 — and crucially, would not ask for any exclusive rights to the module in return.

“We had companies offering us a lot of money,” he said, “but they all wanted exclusive use of the end product. Under the terms of this sponsorship, SafeLogic get nothing that everyone else doesn’t get. We keep full control and ownership of the FIPS module software and the validation … No one gets special treatment.”

“We give this away,” he said of the module, “it’s free for use.”

According to Marquess, all the other possible sponsors had wanted either to validate a proprietary module first, or to keep exclusive rights to the open-source module for a time after it was validated. 

“SafeLogic is making a major contribution,” he said, adding that the validation would take “easily a year and possibly a couple of years … It’ll be nine months before they even look at the application,” he said.

“If the OpenSSL 1.1 FIPS module project didn’t happen, all but the biggest tech companies would have been pushed aside,” from the federal marketplace, SafeLogic CEO Ray Potter told FedScoop. 

“The need for extensive custom code and the expense of an individual validation effort would have made it functionally prohibitive for startups and niche solutions to meet the FIPS 140-2 requirement,” Potter added. “As a result, the diversity of products available to federal agencies would have dried up, quickly ending the technological renaissance that the government is just beginning to enjoy.”