Unlock the Power of OpenSSL Providers

Jul 18, 2024 Digital & Product Solutions / Cyber Security
Let’s dive into the world of cybersecurity, where OpenSSL is the most used tool for keeping our digital communications safe. But hold onto your hats because there’s a hidden gem within OpenSSL that’s about to surprise you: OpenSSL providers.

What exactly are the OpenSSL providers?

Providers are the last layer in the OpenSSL architecture, where the cryptographic algorithms are implemented. [1]
OpenSSL provides their own cryptographic providers by default. Those are the “default” provider, the “legacy” provider, or “FIPS” provider.
The last one is ready to meet all FIPS 140-3 requirements, service offered by DEKRA, so if you need a robust and easy-to-implement cryptographic capabilities that needs to be certified with CMVP, Cryptographic Module Validation Program, that’s the solution you are looking for.
The following image represents the architecture of OpenSSL. This image is from the official OpenSSL website and as shown on it, there are several providers options to be used. Even third-party providers. [2]

What do they bring to the table?

What does make OpenSSL providers so special?
Many vendors have created their own algorithms cryptographic implementation for specific purposes. For example, a simple software library that implements the AES XTS algorithm just for encrypting and decrypting data that will be stored in a hard drive.
Obviously, this library will provide their own “APIs”, and if a third program wants to use such implementation, it needs to be modified to use the “entry points” of this library. [3]
To be realistic, no developer will modify their source code just to be adapted to the requirements of this “revolutionary” AES XTS implementation.
However, it might surprise you, but actually, it is possible to use this implementation with OpenSSL without modifying the OpenSSL source code.
The idea is simple, as shown in the below image. It is possible to create a middleware between any cryptographic implementation, both in software or hardware, and OpenSSL just using the provider’s implementation.
Due to the flexibility and customization, the use of providers can optimize the performance of the cryptographic exercised by OpenSSL since it is possible to integrate specialized cryptographic libraries or hardware devices, tailoring cryptographic operations to meet specific security requirements.
In conclusion, in the constantly evolving landscape of cybersecurity, OpenSSL providers emerge as indispensable allies in the quest for robust cryptographic security, because it is possible to improve the cryptographic requirements without modifying the entire application architecture. In other words, the providers make the applications of cryptography more scalable. Their role in improving performance and promoting flexibility cannot be underestimated.
If you have a cryptographic implementation and want to integrate it into the OpenSSL operations, contact DEKRA experts and we will guide you in the development and certification process for FIPS 140-3 and ISO 19790. We are completely conscious of the relevance of validating a product or the implementation of demanding technical requirements with stringent time limitations. For these reasons, we are committed to providing an excellent testing process and supporting our clients with fully optimized validation procedures so the impact on our customers’ resources is entirely minimized.
References:
[1] OpenSSL - provider (OpenSSL). n.d., https://www.openssl.org/docs/man3.0/man7/provider.html. Accessed July 18, 2024.
[2] OpenSSL - OpenSSL 3.0.0 Design (OpenSSL). n.d., https://www.openssl.org/docs/OpenSSL300Design.html. Accessed July 18, 2024.
[3] Wikipedia - Entry point (Wikipedia). n.d., https://en.wikipedia.org/wiki/Entry_point. Accessed July 18, 2024.