28

A deceptively simple question.

How does OpenSSL compare to FIPS-enabled OpenSSL? Is it any less secure? How do I tell?

If I were concerned about security, not the NIST standard, is there any real benefit in adhering to the FIPS 140-2 standard (communicating with govt agencies notwithstanding)?

ILIV

1 Answer

32

For the relationships between OpenSSL and FIPS 140-2, read this documentation.

The OpenSSL FIPS Object Module is a specific subset of OpenSSL, API-compatible with OpenSSL, and provided as source code. That module has gone through the long and painful administrative process of obtaining a FIPS 140-2 validation. It has achieved the "overall level: 1" (see the validation certificate).

The intent of FIPS 140-2 validation is to show, basically, that some level of "seriousness" was applied during the development. Validation cannot prove that there is no bug or vulnerability, but it can show that the developers applied proper methodologies which, hopefully, should avoid bugs and make the software conform to a specific set of target properties.

Now, there are some caveats:

  • In practice, the OpenSSL developers applied the same development methodologies for both the FIPS module, and "plain" OpenSSL. Both versions share a lot of code; the FIPS module is actually a subset of the normal library version. For the same functionalities, the plain OpenSSL should be no less secure than the FIPS module. (For functionalities which the plain OpenSSL offers but not the FIPS module, anything goes).

  • The FIPS module is validated only insofar as you use it absolutely unchanged. If you modify the slightest character in the source code, you are no longer covered by the FIPS validation.

The second point, in particular, implies that if a bug is found in "normal OpenSSL", and a bugfix is published, then that bugfix is not immediately imported into the FIPS module, because that would void its FIPSness. Therefore, it can be argued that the plain OpenSSL is in fact more secure than the FIPS module, since it is fixed much more quickly when holes are uncovered.

Summary: if you do not target some sort of conformance to FIPS 140-2, use the normal OpenSSL.

Tom Leek
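Since the question also asks "How do I tell?", here is an added example (not part of Tom Leek's answer, and not OpenSSL project code) that probes, from inside a Python process, whether the OpenSSL it is linked against actually enforces FIPS restrictions. It cross-checks three signals: the Linux kernel flag `/proc/sys/crypto/fips_enabled`, the OpenSSL version string, and behaviour (a FIPS-enforcing OpenSSL refuses a non-approved digest such as MD5 when it is requested for a security purpose, while SHA-2 keeps working). Assumptions: Python 3.9 or newer for the `usedforsecurity` keyword, and an interpreter that routes hashing through OpenSSL without a built-in fallback, as RHEL/Fedora builds do; the `DIGESTS` table and the `inconsistencies` wording are my own choices.

```python
"""Probe whether the OpenSSL behind this Python process enforces FIPS restrictions.

Added, illustrative example (not from the original answer). Three independent
signals are checked and any disagreement between them is reported:
  1. the Linux kernel flag /proc/sys/crypto/fips_enabled,
  2. the OpenSSL version string the ssl module was linked against,
  3. behaviour: a FIPS-enforcing OpenSSL refuses non-approved digests (MD5)
     requested for a security purpose, while approved ones (SHA-2) still work.
Assumptions: Python 3.9+ (usedforsecurity keyword) and a build that routes
hashing through OpenSSL without a built-in fallback (as RHEL/Fedora do).
"""
import hashlib
import ssl
from pathlib import Path
from typing import Dict, List, Optional

# Digest name -> whether FIPS 140-2 treats it as approved. Deliberately a small,
# uncontroversial set (assumption: MD5 is never approved; SHA-2 always is).
DIGESTS: Dict[str, bool] = {"md5": False, "sha256": True, "sha512": True}


def kernel_fips_flag(proc_path: str = "/proc/sys/crypto/fips_enabled") -> Optional[bool]:
    """True/False from the kernel flag, or None when the file is absent
    (non-Linux host, or a kernel built without FIPS support)."""
    try:
        return Path(proc_path).read_text().strip() == "1"
    except OSError:
        return None


def openssl_version_mentions_fips(version: str = ssl.OPENSSL_VERSION) -> bool:
    """Heuristic: distributions shipping a FIPS-capable build usually tag the
    version string (e.g. 'OpenSSL 1.0.2k-fips'). A tag does not mean FIPS mode
    is switched on, and its absence does not mean it is off."""
    return "fips" in version.lower()


def digest_available(name: str) -> bool:
    """True if OpenSSL will compute `name` for a security purpose.

    usedforsecurity=True is the switch that FIPS-enforcing builds honour;
    hashlib.new('md5', usedforsecurity=False) stays allowed for non-security
    uses such as content checksums, so it must not be used as the probe.
    """
    try:
        hashlib.new(name, b"probe", usedforsecurity=True)
    except ValueError:  # OpenSSL refused the algorithm
        return False
    except TypeError:  # Python < 3.9: no usedforsecurity keyword, plain retry
        try:
            hashlib.new(name, b"probe")
        except ValueError:
            return False
    return True


def probe_digests(names: Dict[str, bool] = DIGESTS) -> Dict[str, bool]:
    """Map each digest name to whether this process can use it."""
    return {name: digest_available(name) for name in names}


def fips_enforced(names: Dict[str, bool] = DIGESTS) -> bool:
    """Behavioural verdict: every approved digest works and every non-approved
    digest is refused. A working MD5 or a broken SHA-2 both mean 'no'."""
    available = probe_digests(names)
    return all(available[n] == approved for n, approved in names.items())


def inconsistencies(kernel: Optional[bool], version_tagged: bool, enforced: bool) -> List[str]:
    """Explain disagreements between the three signals; empty list means they agree."""
    notes: List[str] = []
    if kernel is True and not enforced:
        notes.append("kernel is in FIPS mode but this process still gets MD5: "
                     "Python is not routing hashing through a FIPS-enforcing OpenSSL")
    if kernel is False and enforced:
        notes.append("OpenSSL restricts algorithms although the kernel flag is off "
                     "(library-level FIPS mode set by configuration, not by the kernel)")
    if version_tagged and not enforced and kernel is not True:
        notes.append("FIPS-capable OpenSSL build detected but FIPS mode is not active")
    return notes


def report() -> dict:
    """Collect all signals into one dict suitable for logging or a health check."""
    kernel = kernel_fips_flag()
    tagged = openssl_version_mentions_fips()
    enforced = fips_enforced()
    return {
        "openssl_version": ssl.OPENSSL_VERSION,
        "kernel_fips_flag": kernel,
        "version_tagged_fips": tagged,
        "digests": probe_digests(),
        "fips_enforced": enforced,
        "inconsistencies": inconsistencies(kernel, tagged, enforced),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run it on a plain OpenSSL box and `fips_enforced` comes back False with MD5 available; on a host where the kernel flag is 1 but MD5 still works, the `inconsistencies` entry tells you the application is not actually using the validated module, which is exactly the gap the "unchanged module only" rule in the answer is about.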
  • 1
    Thank you Tom. This is a really good answer, and I think it will be beneficial to the community. However, my own reasoning is basically the same as yours, and, perhaps, what I'm looking for is some sort of more concrete comparison. Something a little more tangible, like, for example, "FIPS 140-2 module does this and that, which plain OpenSSL doesn't do by default, but can be configured to do if you do this and that". Something along those lines, some specific evidence, facts. – ILIV Apr 25 '13 at 07:24
  • 1
    @ILIV Sounds to me like FIPS *doesn't do* certain things rather than *does do* certain things, being a subset of the openssl code. In particular, we know that it doesn't receive timely bug fixes. I too am curious about what else it doesn't do though. – DylanYoung Apr 14 '20 at 19:48