April 9, 2014

OpenSSL Heartbleed Bug and FIPS


(Image from heartbleed.com)
The Q&A section at Heartbleed.com states that "OpenSSL Federal Information Processing Standard (FIPS) mode has no effect on the vulnerable heartbeat functionality."

Although the OpenSSL FIPS module does not mitigate the heartbeat vulnerability, it is also important to note that the vulnerability exists outside of the OpenSSL FIPS cryptographic module boundary.

The vulnerability lies in the TLS heartbeat handling of the affected OpenSSL library versions, not in the cryptographic module that FIPS validation covers.

"The OpenSSL FIPS module is completely unaffected by the heartbeat vulnerability (CVE-2014-0160)," confirms Steve Marquess, Founding Partner at OpenSSL Software Foundation, Inc. 

The OpenSSL FIPS Object Module achieved FIPS 140-2 Certificate #1747 in 2012 (the certificate is maintained frequently by OpenSSL Software Foundation, Inc.).

Mark Minnoch is an Account Manager at InfoGard Laboratories. The InfoGard FIPS Team performed the OpenSSL FIPS Object Module FIPS 140-2 validation for OpenSSL Software Foundation.
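The practical consequence of the boundary described above is that whether a deployment is exposed depends on the TLS layer, not on whether FIPS mode is switched on. The check a defender wants is therefore whether the TLS stack negotiates the heartbeat extension at all. The following Python is an added example, not code from this post or from OpenSSL: it parses a TLS ServerHello record and reports the negotiated heartbeat mode (extension type 15 from RFC 6520, a constant assumed here rather than quoted on the page); the ServerHello records it inspects are constructed sample data.

```python
import struct
HEARTBEAT_EXT_TYPE = 0x000F  # TLS heartbeat extension type per RFC 6520 (assumed, not from the post)
HEARTBEAT_MODES = {1: "peer_allowed_to_send", 2: "peer_not_allowed_to_send"}

def parse_server_hello_extensions(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return {extension_type: extension_data}."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                      # skip server_version and random
    pos += 1 + hello[pos]             # skip length-prefixed session_id
    pos += 2 + 1                      # skip cipher_suite and compression_method
    if pos == len(hello):
        return {}                     # server sent no extensions block at all
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if pos + ext_total != len(hello):
        raise ValueError("extensions length disagrees with ServerHello length")
    exts = {}
    while pos < len(hello):
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        exts[ext_type] = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
    return exts

def heartbeat_mode(record: bytes):
    """Negotiated heartbeat mode name, or None when the server did not advertise heartbeats."""
    data = parse_server_hello_extensions(record).get(HEARTBEAT_EXT_TYPE)
    if not data:
        return None
    return HEARTBEAT_MODES.get(data[0], "unknown(%d)" % data[0])

def build_server_hello(extensions) -> bytes:
    """Construct a minimal TLS 1.2 ServerHello record (sample data, not a real capture)."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        hello += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

WITH_HEARTBEAT = build_server_hello([(0xFF01, b"\x00"), (HEARTBEAT_EXT_TYPE, b"\x01")])  # constructed
WITHOUT_HEARTBEAT = build_server_hello([(0xFF01, b"\x00")])  # constructed: renegotiation_info only
```

A server whose ServerHello yields None here never negotiates heartbeats, which is the condition that matters regardless of FIPS mode; one that yields a mode name still needs its OpenSSL build checked against the advisory.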

4 comments:

  1. Where did you find this quote by Steve Marquess? On heartbleed.com (maintained by Codenomicon, one of the original discoverers of this bug) they claim that FIPS compliant OpenSSL is indeed vulnerable. Trying to sort out the truth here...

    http://heartbleed.com/

  2. I exchanged e-mails with Steve Marquess. The fix for the heartbleed vulnerability is outside of the OpenSSL FIPS cryptographic boundary (the TLS implementation in OpenSSL is outside the FIPS boundary but the crypto used by TLS is inside the FIPS boundary). An OpenSSL TLS implementation using the OpenSSL FIPS module may be vulnerable.

  3. Sorry, I can't make heads or tails of this comment. Seems self-contradictory. Can you re-write for clarity?

  4. Noah, thanks for your question. I'll try to explain better.

    The OpenSSL FIPS module is a subset of the OpenSSL toolkit. The heartbleed vulnerability was found in the OpenSSL toolkit but not in the OpenSSL FIPS module portion of the toolkit. (To oversimplify, New York City is in the US, but it's not in California.)

    I hope that helps.
