Welcome to the Acumen Security Blog

Pros and Cons of Using an Embedded FIPS-module

As more and more procurement requirements necessitate the use of FIPS validated cryptography, a popular strategy for meeting those requirements is to leverage an existing validated cryptographic provider (and get all of the “FIPS-goodness” that comes with using validated modules). This strategy is particularly popular with large product vendors who have multiple product lines, for which the level of effort to do a full validation of each product would be prohibitive. There are many benefits to this approach:

  • Time to market of a certified solution (weeks vs months/year)
  • Cost (order of magnitude less)
  • Level of Effort (changing libraries vs multiple bugs + coordinating with labs/gov’t)
  • Maintenance (small crypto boundary means fewer re-certs)
  • Scalability (reduces overall burden on engineering teams)

And the best part is that it is explicitly allowed by the CMVP. In fact, FIPS 140-2 Implementation Guidance G.5 spells out the specifics of porting or using an already validated module within a product. With that said, why wouldn’t every company just pick up the latest version of its favorite 3rd-party module and call it a day? There are some potential drawbacks to using an embedded module (meaning it’s not right for everyone), for example:

  • Coverage (some functionality the product needs may simply not be available in the module that works on the product’s system)
  • Relevance (some modules are not updated regularly and may only support deprecated versions of algorithms)
  • Maintenance (since the code doesn’t necessarily belong to the product team, bug fixes may be slow)
  • Marketing (since it’s not the vendor’s product, their name doesn’t go on the list)

As can be seen from the above, developing a FIPS validation strategy for a company’s product(s) takes more consideration than just identifying where the product’s gaps are and coding to fill them. If you’re interested in more info about the pros and cons of using an embedded FIPS-module, check out the slides I presented at ICMC this year, or drop me an email or call me. I (seriously) like to talk, so you’ll be doing me a favor 🙂

PS: Follow us on Twitter and like us on Facebook; we’ll keep you up-to-date on the ever-changing world of government certifications.

OpenSSL + FIPS… here to stay!

If you follow the developments in OpenSSL (who doesn’t?!?!) you will have seen the BIG NEWS posted by Steve Marquess regarding the next round of FIPS validation of OpenSSL’s FIPS Object Module! This is indeed an exciting moment for all of us here at Acumen Security! We are honored to be part of the team for such a seminal FIPS validation.

The last OpenSSL crypto module FIPS validation had a profound impact on how ICT companies leverage and claim FIPS compliance, and we expect this one will have an even greater impact on our industry. We have seen firsthand how useful it is for companies to have a FIPS validated module for use with OpenSSL, and the efficiencies it offers. The contribution of the FIPS validated OpenSSL crypto module cannot be overstated.

We are thankful to SafeLogic and the OpenSSL project for placing their trust in us to be the Lab of choice. With this honor, we are keenly aware of the responsibility that has been placed upon us. Given what is riding on this FIPS validation, we aim to deliver a certification that is solid and comprehensive and can withstand the scrutiny that comes with an open source validation. With multiple decades of experience and knowledge in leading and shepherding FIPS validations, we expect to bring this validation to its expected successful completion.

As Steve mentioned, more details are to follow, so stay tuned! We will be posting updates on our progress in the coming weeks and months. For more information about the project, please contact us at info@acumensecurity.net.