Category Archives: Software

Updating Server with new HDs

So after yesterday’s discussion I am trying to do a little bit of research on where to find affordable but reliable server hard drives. Does anybody have a suggestion? I am probably looking at a pair of 250s or so – size is not as much of an issue as reliability. And then there is the whole issue of how to make the swap. Can it be as easy as installing the drives, setting up the mirrored RAID, and copying all the files?

OpenSSL Received FIPS 140-2 Validation

OpenSSL, the open-source cryptography library used by many other applications, including the Apache HTTP Server, has received FIPS 140-2 validation. If that seems like a fairly random string of information, you’re probably not alone. Here’s why it’s important.

FIPS (Federal Information Processing Standard) 140 sets the security requirements for cryptographic modules used by the US federal government. That means that, generally speaking, government organizations require products to be FIPS 140 validated if they use cryptography. There are exceptions and waivers, etc., but it’s *much* easier for the organization making the purchase to go with the validated product. NIST runs the validation program (the CMVP, jointly with Canada’s CSE), with the actual testing done by accredited labs, and what gets validated is an implementation of approved algorithms. Got that? First the algorithms themselves are approved and an implementation’s correctness is tested (AES, Triple DES, etc.), then the specific cryptographic module that implements them is validated as a whole. Until now, NIST had *never* validated source code; it had only validated compiled modules. The logic is understandable: if you validate source code, there’s no guarantee that it hasn’t been changed before compilation, or that the compiler produced the same binary the lab tested.

The good folks at OpenSSL, or at least a few of them, took on that challenge. They built a separate FIPS branch of OpenSSL (the FIPS Object Module) in which the code checks itself: at start-up it runs known-answer tests on each approved algorithm and an HMAC-SHA-1 integrity check of its own compiled code against a digest produced from the validated build, and it refuses to provide cryptographic services if either check fails. The validation also pins down the build: the source distribution has to be verified against the digest given in the Security Policy and compiled exactly as the Security Policy prescribes, with no modifications. With those controls in place, NIST has broken with its tradition of not validating source code and validated OpenSSL.
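To make the start-up checks concrete, here is a small Python sketch of the pattern (an added example, not code from this post or from OpenSSL’s FIPS Object Module): known-answer tests against published vectors, plus an integrity HMAC over the module’s bytes that is computed once at build time and re-checked at load time. The integrity key, the `power_up` function and the module bytes are constructed for the example; only the SHA-256 and HMAC-SHA-1 test vectors are real published values.

```python
"""Toy FIPS-style power-up self-tests (hypothetical demo, not OpenSSL code).

A module proves at start-up that (a) its algorithms still produce the
published known-answer vectors and (b) the bytes that were loaded are the
bytes that were validated, by recomputing an integrity HMAC that was
produced from the validated build.
"""
import hashlib
import hmac

# Published known-answer vectors: SHA-256("abc") from FIPS 180, and
# HMAC-SHA-1 test case 1 from RFC 2202 (key = 0x0b * 20, data = "Hi There").
SHA256_KAT = (b"abc",
              "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")
HMAC_SHA1_KAT = (b"\x0b" * 20, b"Hi There",
                 "b617318655057264e28bc0b6fb378c8ef146be00")

# Fixed, non-secret integrity key (hypothetical value). The check detects
# accidental or unauthorised modification of the module; it is not meant to
# resist an attacker who can rewrite both the code and the shipped digest.
INTEGRITY_KEY = b"example-module-integrity-key"


class SelfTestError(Exception):
    """Raised when a power-up self-test fails."""


def known_answer_tests() -> bool:
    """Run each approved algorithm on a fixed input and compare to the
    published answer. Any mismatch means the implementation is broken."""
    msg, expect = SHA256_KAT
    if hashlib.sha256(msg).hexdigest() != expect:
        raise SelfTestError("SHA-256 KAT failed")
    key, msg, expect = HMAC_SHA1_KAT
    if hmac.new(key, msg, hashlib.sha1).hexdigest() != expect:
        raise SelfTestError("HMAC-SHA-1 KAT failed")
    return True


def build_time_digest(module_bytes: bytes) -> str:
    """Computed once, when the validated build is produced, and shipped
    alongside the module (kept separate so the digest is not part of the
    bytes it covers)."""
    return hmac.new(INTEGRITY_KEY, module_bytes, hashlib.sha1).hexdigest()


def integrity_check(module_bytes: bytes, shipped_digest: str) -> bool:
    """Recompute the HMAC over the loaded bytes and compare in constant time."""
    actual = hmac.new(INTEGRITY_KEY, module_bytes, hashlib.sha1).hexdigest()
    if not hmac.compare_digest(actual, shipped_digest):
        raise SelfTestError("integrity check failed: loaded code != validated code")
    return True


def power_up(module_bytes: bytes, shipped_digest: str) -> str:
    """Return "ready" if every self-test passes; otherwise "error: ...", in
    which state the module must refuse to provide cryptographic services."""
    try:
        known_answer_tests()
        integrity_check(module_bytes, shipped_digest)
    except SelfTestError as exc:
        return f"error: {exc}"
    return "ready"


# Constructed stand-in for the compiled module's code bytes.
VALIDATED_MODULE = bytes(range(256)) * 4
# Produced from the validated build and shipped with the module.
SHIPPED_DIGEST = build_time_digest(VALIDATED_MODULE)


if __name__ == "__main__":
    print(power_up(VALIDATED_MODULE, SHIPPED_DIGEST))
    # Flip one bit of "code": the integrity check must reject the module.
    patched = bytearray(VALIDATED_MODULE)
    patched[100] ^= 0x01
    print(power_up(bytes(patched), SHIPPED_DIGEST))
```

The point of the second call is the one that matters operationally: a module whose bytes differ from the validated build by even one bit comes up in the error state, which is exactly why a locally patched or re-optimised build of the FIPS code is no longer the validated module.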

That means that OpenSSL can now be used in government applications, which has the potential to save you and me (taxpayers) some money. No longer will agencies using Apache, for example, have to buy a validated cryptography module from IBM or RSA. New applications built on open source can use OpenSSL and be sold to government. The one thing to keep in mind is that the validation covers only the FIPS module built exactly as the Security Policy specifies; patch the source or use a regular OpenSSL build and you are no longer running a validated module. All around, it’s good for security.