SafeLogic News Archives | SafeLogic

All posts in SafeLogic News

29 Aug 2017

Introducing CryptoComply for Libgcrypt

The last entry to our SafeLogic blog announced CryptoComply for NSS. A little more than a week later and that is already old news.

I have the honor of sharing two items:
First, SafeLogic scored a Gold medal win at the Golden Bridge Awards. Awesome job, team!
And second, the FIPS 140-2 validation is complete for CryptoComply for Libgcrypt and RapidCert is available immediately!

As Ray said last week, we have been hard at work expanding our product line to provide more compatibility options for our customers, based on the most common architectures that we encounter. Please check out the new product page and don’t hesitate to reach out if you have questions. We’ll be ready when you are.

 

CryptoComply for Libgcrypt blog footer

21 Aug 2017

Introducing CryptoComply for NSS

Last week, if you regularly read NIST’s list of Validated FIPS 140-2 Cryptographic Modules, you would have noticed a new addition. (If you don’t regularly read the list, I highly recommend it as a panacea for insomnia, but that’s a different story.)

I’m proud to announce that SafeLogic has completed the validation process for our CryptoComply for NSS module, the latest addition to our stable of encryption engines and now eligible for RapidCert.

This is a valuable piece to the puzzle as the SafeLogic team pursues universal compatibility options for our customers’ needs, and there is much more to come. Stay tuned as we unveil more cryptographic modules as they become available for licensing and RapidCert. If you have specific questions or requests, please contact us!

CryptoComply for NSS blog footer

30 Mar 2017

SafeLogic Wins Encryption Trophy at 2017 Govies

SafeLogic won at The Govies 2017!Security Today magazine announced the 2017 winners in “The Govies,” the Government Security Awards competition, honoring outstanding government security products. SafeLogic was selected as the winner in the ‘Encryption’ category for our CryptoComply product, adding another trophy to our case!

“It always feels good to win an award,” said SafeLogic CEO Ray Potter. “Being selected as the winner for encryption in a government-specific competition is even better. It really validates (pun absolutely intended) our strategy for FIPS 140-2!”

1105 Media launched its government security awards program in 2009, although they weren’t known as The Govies until two years later. Starting this year and going forward, 1105 Media’s newly relaunched Security Today magazine (formerly Security Products) will administer the awards program. Winners were selected using criteria including Features, Innovation, User Friendliness, Interoperability, Quality, Design, Market Opportunity, and Impact in the Security Industry, Technical Advances, and Scalability.

“The Govies is an amazing product recognition program whereby companies in the security industry can highlight their technology and solutions that work flawlessly within the government vertical,” said Ralph C. Jensen, editor in chief of Security Today magazine and securitytoday.com. “We received 28% more entries this year, which also corresponds with the need to provide better security options not only at the federal level but also at the state and municipal level of government. I believe these products and solutions only prove that the government relies heavily on the technology advances in the private sector.”

Other selections include SafeLogic customers BlackBerry, chosen for BlackBerry UEM in the ‘Convergence and Integrated Software and Solutions’ category and BlackBerry AtHoc in the ‘Emergency Communication Systems’ category, and Securonix, chosen for SNYPR Security Analytics for Hadoop in the ‘Big Data Analytics’ category.

BlogFooterWalt3

 

22 Dec 2016

FIPS Module 3.0 for OpenSSL 1.1 Update

(L to R) Tony Busciglio (Acumen), Ashit Vora (Acumen), Mark Minnoch (SafeLogic), Steve Marquess (OpenSSL) Not pictured: Ryan Thomas (Acumen)

(L to R) Tony Busciglio (Acumen), Ashit Vora (Acumen), Mark Minnoch (SafeLogic), Steve Marquess (OpenSSL) Not pictured: Ryan Thomas (Acumen)

In December, Acumen Security hosted our kick-off meeting for the FIPS Module 3.0 validation effort. I was SafeLogic’s delegate, Steve Marquess represented OpenSSL, and Ashit Vora, Tony Busciglio, and Ryan Thomas attended for Acumen. With the expected adoption of TLS 1.3 and upcoming algorithm transition deadlines (outlined in NIST SP 800-131A), the OpenSSL-SafeLogic-Acumen Security partnership strives to deliver a FIPS module that works with OpenSSL 1.1 during the 2017 calendar year.

For this project to be successful, we will need additional Project Sponsors. Technology vendors that plan to deliver products using OpenSSL 1.1 in the future should consider sponsorship to support the effort. Financial contributions from Project Sponsors will help fund the engineers developing the code (OpenSSL) and the FIPS Laboratory (Acumen Security) for their validation testing services.

Here is the tentative schedule for the FIPS Module 3.0:

January 2017: Receive initial contributions from Project Sponsors
February 2017: Technical parameters locked in for development
March 2017: OpenSSL team begins development to meet FIPS requirements
May 2017: Development checkpoint
July 2017: SafeLogic reviews FIPS Module, finalizes FIPS 140-2 documentation
August 2017: Acumen submits FIPS 140-2 report to CMVP
October 2017: CMVP provides report comments to Acumen (2 month queue time expected)
November 2017: CMVP issues FIPS 140-2 certificate for FIPS Module 3.0 (for OpenSSL 1.1)

Important Notes:

1. Additional Project Sponsors are needed to make their initial contributions in January to begin the process on time.
2. All development and testing work is scheduled based upon sponsorship contributions being delivered as planned. Additional sponsors will mitigate risk of delays.
3. FIPS Module 3.0 Technical Objectives and Sponsorship information are available here: https://wiki.openssl.org/index.php/FIPS_module_3.0
4. Early releases of the FIPS code will be available from Github for public review and testing.
5. For a quick history of how the OpenSSL/SafeLogic/Acumen team came together, please see our July announcement.

How Can My Company Become a Sponsor?

Thank you for your interest! We welcome additional sponsors to support this crucial development for the community. Please contact me directly to discuss and stay tuned for additional updates here at the SafeLogic blog.

13 Dec 2016

RapidCert for CryptoComply | Java 3.0 Is Available!

CryptoComply | Java 3.0 is here!You may have noticed – SafeLogic has a new FIPS 140-2 certificate posted by NIST. Published on December 8th, it’s our CryptoComply | Java module, version 3.0! Fully compatible with Bouncy Castle’s recent FIPS API revisions and with a nice helping of SafeLogic’s secret sauce (yes, it’s orange), customers with Java deployments now have a natural upgrade path available with CryptoComply | Java 3.0.

Technical improvements over CryptoComply | Java 2.2 include a variety of bugfixes, a significant simplification of deployment, a single JAR that includes both approved FIPS mode and non-approved mode, and the promise of greater forward compatibility. Many of you are already aware of the technical benefits of Bouncy Castle’s latest release, and now SafeLogic’s CryptoComply offering includes RapidCert, which delivers your own FIPS certificate quickly. With a validation in your name and support from our technical staff, CryptoComply is a clear upgrade. See our Top 10 Reasons to Choose SafeLogic Over Open Source Encryption for more!

RapidCert is available NOW for CryptoComply | Java 3.0
License the software today and have a certificate in your name in 8 weeks.
It really is that easy.

Contact us immediately for a quote.

 

BlogFooterWalt3

24 Aug 2016

How does the SWEET32 Issue (CVE-2016-2183) affect SafeLogic’s FIPS Modules?

Executive Summary:

SWEET32 issueA newly demonstrated attack, SWEET32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN, shows that a network attacker monitoring an HTTPS session secured by Triple-DES can recover sensitive information. The attack was performed in a lab setting in less than two days by capturing 785 GB of traffic over a single HTTPS connection.

Sounds scary at first.

The good news: No action is required by SafeLogic customers for the SWEET32 issue.

 

My FIPS 140-2 Module is not Broken?

Correct. Triple-DES [1] is a FIPS Approved algorithm and Triple-DES is expected to remain a FIPS Approved algorithm for the foreseeable future. Triple-DES uses 64-bit block sizes which makes it vulnerable to this attack. Cryptographers have long been aware of this type of vulnerability in ciphers designed with small block sizes.

The AES symmetric cipher (also a FIPS Approved algorithm) is not vulnerable to this attack.

[1] Two-key Triple-DES may only be used for decryption purposes in the FIPS mode of operation. Three-key Triple-DES may be used for encryption and decryption purposes in the FIPS mode of operation.

What Might NIST Do?

Since a considerable amount of ciphertext needs to be captured to make this attack possible, this is a low security concern for nearly every use of TLS. We anticipate that CMVP (NIST/CSE) may publish future guidance limiting the amount of plaintext that is encrypted using a single Triple-DES key, but we do not expect the CMVP to remove Triple-DES from the list of FIPS Approved algorithms due to this reported attack.

 

Should I Turn Off Triple-DES to be Safe?

That depends on your company’s security policy for addressing vulnerabilities. The SWEET32 issue does not make Triple-DES itself any less secure than it was yesterday and the method of attack is not new. You may need to continue supporting Triple-DES in order to allow TLS connections that are not able to negotiate use of the AES cipher. (Note that good security practices always negotiate AES at a higher priority than Triple-DES). In short, there is no need to turn off the use of Triple-DES in your application.

 

What If I Still Have Questions?

Please contact me. I am happy to be a resource to you.

BlogFooter_Mark

25 Jul 2016

#Winning

2016 - Golden Bridge Award - SilverThis morning, I had a nice surprise waiting in my inbox. SafeLogic won a Golden Bridge Award!

Awards have never been a priority for us, in large part due to our positioning… and the fact that we are focused on revenue and customers, not our own ego. We are the vendor to the vendors, a key component but rarely the feature. Award nominations always ask about end users, such as in the Fortune 500. “Symantec uses SafeLogic encryption. BlackBerry uses SafeLogic encryption,” I usually respond. “We have a great roster of customers, but it’s ultimately their end users, not ours.” Then we inevitably get sorted to the back of the list. I never worried about it because yes, I know, tech vendor awards are often only as valuable as the paper that they’re printed on, and we knew that we didn’t need to conform to a traditional category to be successful.

This time was different. The Golden Bridge Award team got us! They understood the importance of our role, the innovation behind our products, and recognized that while Joe Schmo wouldn’t go download a copy of our software directly, it’s pretty damn likely that Joe is already using it, and that merits recognition.

So with great pride, the SafeLogic team announces that we have won Silver in the category of Security Software Startups!
It feels good to be an award-winning company.

Click to Tweet: #Crypto startup @SafeLogic pulls down a trophy at #GoldenWorldAwards! http://bit.ly/SLaward725

Kudos also to our customer Securonix on winning a variety of awards, including a Grand Trophy, and Tanuj Gulati, their Co-founder & CTO, for winning a Gold for Executive of the Year in Security Services and a Silver for Most Innovative Executive of the Year. Well done!

Now with all this talk of Golds and Silvers, I’m ready for the Olympics to open in Rio. U-S-A! U-S-A!

BlogFooterWalt3

19 Jul 2016

OpenSSL 1.1’s Big, Bright, FIPS Validated Future

SafeLogic is the Orange Knight!The OpenSSL project posted to their official blog today with some major news – OpenSSL 1.1 will be getting a FIPS 140-2 validated module! It’s a huge deal and the SafeLogic team is proud to be leading the effort.

In September, OpenSSL’s Steve Marquess explained in a blog post (FIPS 140-2: It’s Not Dead, It’s Resting) why the ubiquitous open source encryption provider would be hard-pressed to bring FIPS mode to the 1.1 release. With changes over the last few years at the CMVP, the viability of legacy OpenSSL FIPS module validations have been repeatedly threatened and the crypto community simply cannot accept the possibility of being without a certificate. An open source module with a communal certificate available is a crucial component that allows many start-up companies to test the waters in federal agencies and regulated industries before investing in a validation for themselves. Likewise, many major corporations have relied upon OpenSSL FIPS modules over the years as a building block for extensive engineering efforts. Without this commitment, many would have been caught in the dilemma whether to use the FIPS 140 validated open source module compatible with a rapidly aging, often-maligned older version of OpenSSL, or the new, sleek, secure OpenSSL 1.1, but without a FIPS validated module at its heart.

The choice will now be an obvious one, and the community can safely remove their heads from the sand and begin planning their future roadmap around a fully validated FIPS module for OpenSSL 1.1 and beyond.

As the OpenSSL team announced today, SafeLogic will sponsor the engineering work on the FIPS module and we will be handling the validation effort ourselves. (What, you expected us to hire an outside consultant? Surely you jest.) Acumen will be the testing laboratory, as they have been for many of our RapidCerts, and together we have high hopes for a smooth and relatively painless process.

Click to Tweet: Have you heard? @SafeLogic is leading #FIPS140 effort for new #OpenSSL #crypto module! https://www.SafeLogic.com/openssl-1-1-future/

One key element in the OpenSSL blog post that will surprise some folks:

“This is also an all-or-nothing proposition; no one – including SafeLogic – gets to use the new FIPS module until and if a new open source based validation is available for everyone.”

Why would we agree to that? For that matter, why would we take on this project at all, while other “leaders” in the community relished the idea of a world without validated open source options?

At SafeLogic, we are true believers in the importance of open source, in encryption and elsewhere. Past versions of OpenSSL have provided a basis for SafeLogic’s CryptoComply modules, so you may ask why we’re doing this – why we’re not just building it ourselves and letting the open source community fend for themselves.

Well, we thought about doing just that, but we decided against it for both altruistic and strategic reasons. We believe that SafeLogic has the chance to help not only the OpenSSL team, but the tech community at large. We realize that product vendors, government entities, education institutions, and other organizations need validated open source modules, and not all of them can or will implement SafeLogic solutions.

As a team, we believe that a rising tide lifts all boats, and we are putting that philosophy into action. The availability of an OpenSSL 1.1 FIPS module will provide greater security in regulated verticals and more opportunities for everyone working in this community. SafeLogic will be at the epicenter of the effort, of course, and I would be remiss if I didn’t mention that our success in this endeavor will push SafeLogic even further forward as the true leader in providing validated crypto!

Our central role in the effort will ensure that nobody has more expertise or knowledge in the design, operation and validation of OpenSSL 1.1 modules than SafeLogic, and future versions of CryptoComply will be the best yet. Trust me, our customers will reap the benefits. We are happy to put in the sweat equity on the open source communal validation, knowing that when product teams need a FIPS 140-2 certificate in their own name, custom work, integration assistance, comprehensive support or anything else related to OpenSSL 1.1 and FIPS 140-2, SafeLogic will be the obvious choice.

We’re very excited to work with Steve, the OpenSSL team, and Acumen, as we join forces to lead the OpenSSL 1.1 FIPS module through FIPS 140-2 validation. Stay tuned for updates!

For more information about the project, how to contribute, the future roadmap, or media inquiries, please contact us at OpenSSL@SafeLogic.com.

BlogFooterRay2

30 Dec 2015

Bring on 2016!

Jan1
Ahh, the year-end crunch time is here. Closing and reconciling the books. Working with our customers to get in (or delay, when strategic, of course) last minute invoices and accruals. Making sure contracts are executed before the calendar flips over. Catching up. Projecting out. Forward planning. Requisite CEO year-end blog posts like this one. Check it off the list, Marketing Team!

To say that our 2015 was dynamic at SafeLogic is an understatement. As I’m recapping and reviewing our goals for 2015, I see areas where we “crushed it” (in the Silicon Valley lexicon), areas for improvement (yes, it’s a nice way to say that we dropped the ball on a few initiatives and no, I’m not too proud to admit it), and areas for new growth and development. I’m glad this year is behind us, because I’m just so damn ready for 2016.

SafeLogic’s 2016 campaign will be about growth, balance, and clarity. Almost like the plans of current Presidential candidates but without the lunacy and grandstanding, and a lot less speJanuarynd on TV commercials (sorry, Marketing Team). So how will these elements unfold?

Well, we added some very high profile customers to our wall this year, and we’ll grow our share in the market. We’ll increase our team and improve our infrastructure to support those new clients. We will balance delivery, professional development, budgets, customer requirements, and every other moving part that defines a software company. We’ll move quickly but carefully. We’ll work on the right things for our customers and for the industry, while having clear communication internally and externally.  We’ll have a lot of fun while delivering on very serious business-driven goals.

It’s going to be an exciting time. We’re launching some of our Skunk Works projects this year, and we’ve got new projects bidding to be added to the docket. It isn’t always easy to bring innovative and progressive new ideas to a field that is historically stagnant, challenging, and sometimes non-sensical (I’m talking to you, encryption, and you, regulatory compliance). But it’s what we do. And while I think we always have room for improvement, I think we do it pretty damn well, so expect more of the same next year, in higher dosages and more frequently.

I’m thrilled about the new year. We have the right priorities, the right team, the right solutions, and the right processes in place at SafeLogic. Now will someone please turn the calendar over to January? We’re ready to rock!

BlogFooterRay2

23 Sep 2015

Changing Seasons

Credit: Jean-Pol GRANDMONT

Credit: Jean-Pol GRANDMONT

Happy Autumnal Equinox, everyone!  Yes, it’s the first day of fall for the northern hemisphere (and by proxy, the first day of spring for everyone down under) and I’m back blogging.  Football is back and playoff baseball is nearly here. (Go Dodgers!) Leaves are turning, pumpkins are growing, and there’s a lot to catch up on.

It’s been a long, hot, El Niño summer here in San Diego, where I’m based. While I spent some time at the beach like every San Diegan, the big chunk of time was devoted to working with the awesome SafeLogic team, reviewing and polishing key details of great things to come.  While I cannot yet reveal what’s in store, I will say this – we’ve worked hard to align each piece of the puzzle to best benefit our existing and future customers alike.  Our goal is to display our unwavering commitment to disruption on behalf of our clients.  The current model of FIPS 140-2 certification is broken and we are doing our best to insulate our customers and keep blazing new trails.

So why do you care?

Well, if you want to have a validation completed by the end of the calendar year, you should definitely reach out asap.  Along with official announcements in this space, we will be rolling out some new blog posts pertaining to specific verticals and solutions, as well as recaps and commentary related to this season’s industry events.  It’s going to be a busy Q4, let’s just say that. Stay tuned!

BlogFooterWalt2