Partners Archives | SafeLogic


22 Dec 2016

FIPS Module 3.0 for OpenSSL 1.1 Update

(L to R) Tony Busciglio (Acumen), Ashit Vora (Acumen), Mark Minnoch (SafeLogic), Steve Marquess (OpenSSL) Not pictured: Ryan Thomas (Acumen)


In December, Acumen Security hosted our kick-off meeting for the FIPS Module 3.0 validation effort. I was SafeLogic’s delegate, Steve Marquess represented OpenSSL, and Ashit Vora, Tony Busciglio, and Ryan Thomas attended for Acumen. With the expected adoption of TLS 1.3 and upcoming algorithm transition deadlines (outlined in NIST SP 800-131A), the OpenSSL-SafeLogic-Acumen Security partnership strives to deliver a FIPS module that works with OpenSSL 1.1 during the 2017 calendar year.

For this project to be successful, we will need additional Project Sponsors. Technology vendors that plan to deliver products using OpenSSL 1.1 in the future should consider sponsorship to support the effort. Financial contributions from Project Sponsors will help fund the engineers developing the code (OpenSSL) and the FIPS Laboratory (Acumen Security) for their validation testing services.

Here is the tentative schedule for the FIPS Module 3.0:

January 2017: Receive initial contributions from Project Sponsors
February 2017: Technical parameters locked in for development
March 2017: OpenSSL team begins development to meet FIPS requirements
May 2017: Development checkpoint
July 2017: SafeLogic reviews FIPS Module, finalizes FIPS 140-2 documentation
August 2017: Acumen submits FIPS 140-2 report to CMVP
October 2017: CMVP provides report comments to Acumen (2 month queue time expected)
November 2017: CMVP issues FIPS 140-2 certificate for FIPS Module 3.0 (for OpenSSL 1.1)

Important Notes:

1. Additional Project Sponsors are needed to make their initial contributions in January to begin the process on time.
2. All development and testing work is scheduled based upon sponsorship contributions being delivered as planned. Additional sponsors will mitigate risk of delays.
3. FIPS Module 3.0 Technical Objectives and Sponsorship information are available here: https://wiki.openssl.org/index.php/FIPS_module_3.0
4. Early releases of the FIPS code will be available from Github for public review and testing.
5. For a quick history of how the OpenSSL/SafeLogic/Acumen team came together, please see our July announcement.

How Can My Company Become a Sponsor?

Thank you for your interest! We welcome additional sponsors to support this crucial development for the community. Please contact me directly to discuss and stay tuned for additional updates here at the SafeLogic blog.

6 Oct 2014

It’s Q4 Already?

It’s hard to believe we are in Q4 already. If you’re in the Bay Area, it still feels like summer!  But here we are, rapidly approaching Halloween and the holidays, watching football and playoff baseball.

I don’t really do quarterly company updates on the blog; in fact, I think Walt would argue I don’t write enough blog posts in general. But I’m just too excited. SafeLogic has had a great year and I’m really proud of the work that the team has done. A more detailed recap will happen towards the end of the year – Walt will be sure of that!

I’m on the way to Orlando now to talk at Gartner Symposium about security and compliance with Paul DePond of Globo, one of our customers in mobility. If you follow us on Twitter (and why wouldn’t you?), you’ll notice that I’ve been on the road speaking quite a bit recently. The content has been a blend of education and evangelism. I’m trying to get developers in emerging areas of technology to think about building security into their solutions. I know it’s no easy task, but I want to be sure folks are thinking about emerging threats. It’s easier with SafeLogic, but that’s another story. I want folks to understand the need for and value of strong encryption built with compliance in mind.

We have talked to customers and potential clients in some very cool new spaces, and it’s encouraging to see a more mature comprehension of the advantages offered by validated crypto.  Questions from analysts and press are becoming more sophisticated, and end users are really adapting to the landscape.  It’s gratifying to see folks genuinely care about how their data is being protected.

It’s been a very fun and very busy year… and we have some cool surprises in store, in both the short and long term. I can’t wait to share more.


12 Jun 2014

SafeLogic Doesn’t Sell to the NSA

It’s not that we don’t appreciate the work of the National Security Agency here at SafeLogic.  Really, it’s quite impressive.  We certainly are thankful for the work of Homeland Security and the DoD.  And we absolutely, unequivocally, 100% support the men and women who have served in our national military.  We are red-blooded American patriots, who believe in life, liberty, and the pursuit of happiness.  And that is precisely why we do not work with the NSA.

Several significant events have come to light that call their ethics into question, and I’m not even talking about Snowden, Wiebe or any of the other whistleblowers.

Many are still reeling from the revelations surrounding the ten million dollar bribe that the RSA Security Corporation took from the NSA, in exchange for making Dual EC DRBG the default algorithm in RSA BSAFE, the most popular proprietary encryption module in the business.  This transaction, if known publicly at the time, would have raised eyebrows and questions would have been asked.  Instead, it remained in the shadows for years before Dual EC DRBG was exposed as a backdoor for the NSA to decrypt information at will and the connection was made.  It was a betrayal from both RSA and NSA, and disappointing to say the least.

More recent is the allegation that the NSA had knowledge of the Heartbleed bug, and leveraged the vulnerability since its creation, for approximately two years prior to the public identification of the flaw.

Ignore the political debate about whether or not the NSA has a right to, or ought to, spy on Americans in order to ensure our safety.  They found the bug and didn’t tell anyone!  Even within their own denial was an implicit admission: “Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong.”

Ok… so they admit to hacking Heartbleed in January?  Best case scenario, the NSA took advantage of Heartbleed for only about 90 days.  Should we feel any less betrayed?

Look, I understand that it’s not in the NSA’s job description to fix problems created by private industry.  Heartbleed was certainly a black eye for the team of volunteers that rolled out the 2012 update to OpenSSL protocols.  No argument there.  But the NSA motto itself reads “Defending Our Nation.  Securing The Future.”  Doesn’t that include sounding the alarms when an estimated two-thirds of the world’s internet activity is at risk?  Doesn’t defending our nation include defending our intellectual property?  The assumption is that “Securing the Future” refers to the future of the American way of life, which is tightly aligned with our capitalist free market economy.  But that apparently was vulnerable for two years!  So no… I don’t think the NSA lived up to its mantra.

SafeLogic’s allegiance is to our customers, and our customers’ loyalty is to their own customers.  At the end of the day, our success is measured on whether we did everything possible to ensure the security of the end users’ information.  Since our inception in 2012, the answer has been a resounding “Yes!” every single day.  Any partnership, association, or agreement with the NSA would undermine that singular goal.

That’s why we don’t sell our encryption to the National Security Agency.


6 May 2014

Securing the Internet of Things

Today’s blog entry is from our partners at Weaved.

Weaved is a cloud services company that provides nearly 4 million IoT device connections per month over the Internet.  We published a joint press release in April, announcing the partnership between SafeLogic and Weaved, and describing how we are working together to make the IoT secure.


The Internet of Things holds tremendous promise for driving the next wave of economic growth for Internet connected devices and applications.  Our smart phones have become the remote control for our lives and give us access to the Internet and our networked devices 24/7.   It’s easy to see that soon nearly every industrial and consumer electronics product will require some kind of app control as a standard feature.  Unfortunately, the Internet remains a publicly-accessible and unsecure environment for devices and every network is only as secure as its weakest link.

Right now, IoT devices are notorious for being that weakest link.  They have earned this reputation by ignoring security best practices and focusing only on local connectivity.  As a result, malicious tools have been developed, like search engines on the public internet that scan and search for open ports on devices.  So for mass market consumer adoption of IoT, device makers must really step up their efforts to apply some well established security best-practices and win back public trust.

At SafeLogic and Weaved, we believe that a common sense approach to security in IoT must include:

1.  No Port Forwarding and No Open Ports on Devices

Port forwarding allows remote computers on the Internet to connect to a specific device within a private local-area network (LAN).  It’s an open door to your LAN from the outside and there is a surprisingly large installed base of devices that use this technique.  Weaved has developed a proprietary method of addressing and securely accessing any TCP service (Port) over the Internet without the use of port forwarding.  With Weaved’s technology, ports can even be shut down and appear as invisible to malicious “port-sniffers” and search engines.

2.  Trusted and Validated Encryption End-to-End

A lot of IoT devices today are storing or sending data across the Internet with weak encryption or even in the clear.  Even trusted companies like Skype have been criticized for allowing unencrypted media in their data path.  Weaved’s cloud services are already using unique, encrypted session keys per connection.   Going forward, Weaved and SafeLogic will collaborate to bring SafeLogic’s trusted and verified encryption engines to the platform for applications that demand that level of security.

These are just a couple of measures needed to protect your local network from being compromised.  There’s much more to cover on this topic, so expect to hear more from Weaved and SafeLogic in the near future, as we define and deploy our joint roadmap and services.
